You are currently viewing CISSP Notes: Security Governance – Documentation

CISSP Notes: Security Governance – Documentation

Documentation types listed in order of most importance:


  • Mandatory document
  • Used by senior management to show that they have exercised due diligence
  • Defines the scope of the required security needed by an organisation and strategically highlights the security objectives, goals and security framework
  • Documents the assets that require protection and highlights the acceptable level of risk
  • High-level overview of an organisations security requirements
  • More than one policy can exist
  • The outcome of a security policy allows an organisation:
    • to assign individuals specific roles and responsibilities
    • outline compliance requirements
    • outline audit requirements
    • outline enforcement processes

Examples of security policies: Acceptable Use Policy (AUP) or Bring Your Own Device (BYOD) Policy


  • Mandatory document
  • Used to define requirements for the use of software, hardware, technology and security controls
  • The outcome of this document allows for the development of procedures


  • Defines the very minimal accepted levels (Baseline) of security that each system should have in an organisation


  • Guidelines are recommendations
  • Guidelines offer recommendations as to how policies and standards are implemented
  • Can included suggested actions but documented actions are not compulsory


  • Sometimes referred to as Standard Operating Procedures (SOP)
  • Detailed step-by-step how-to document
  • Contains procedures on how to implement security controls and/or different solutions

In an effort to help one remember the order of the aforementioned documents, the image I have created below represents each document type in order of importance (top to bottom).


Kelvin is a Cyber Security professional with years and experience working with organisations in different verticals, both large and small. He enjoys contributing to the Network Wizkid knowledge base and he also creates technical content. Kelvin enjoys learning new things and often does this by working on achieving new technical certifications. He holds many professional certifications and academically, he has achieved a Bachelors and Master's degree in both Computer Networks and Cyber Security.

Leave a Reply