Documentation types listed in order of most importance:
Policy
- Mandatory document
- Used by senior management to show that they have exercised due diligence
- Defines the scope of security an organisation requires and strategically highlights its security objectives, goals and security framework
- Documents the assets that require protection and highlights the acceptable level of risk
- High-level overview of an organisation's security requirements
- More than one policy can exist
- The outcome of a security policy allows an organisation to:
  - assign individuals specific roles and responsibilities
  - outline compliance requirements
  - outline audit requirements
  - outline enforcement processes
Examples of security policies: Acceptable Use Policy (AUP) or Bring Your Own Device (BYOD) Policy
Standards
- Mandatory document
- Used to define requirements for the use of software, hardware, technology and security controls
- The outcome of this document allows for the development of procedures
Baselines
- Defines the minimum accepted level (baseline) of security that each system in an organisation must have
Guidelines
- Guidelines are recommendations
- Guidelines offer recommendations as to how policies and standards are implemented
- Can include suggested actions, but the documented actions are not compulsory
Procedures
- Sometimes referred to as Standard Operating Procedures (SOPs)
- Detailed step-by-step how-to document
- Contains procedures on how to implement security controls and/or different solutions
In an effort to help one remember the order of the aforementioned documents, the image I have created below represents each document type in order of importance (top to bottom).
