How is the ISMS document pyramid structured (in the awareness context)?
Policy → Technical Information Security Concept → Standards → Procedures, Guidelines & Implementation handbooks.
From top to bottom:
- Policy — the normative apex: management's commitment, goals, scope
- Technical Information Security Concept — how security is conceptually realized
- Standards — uniform, binding technical/methodical requirements
- Procedures, Guidelines & Implementation handbooks — the broad operational base: step-by-step instructions people actually work with
The awareness connection: the pyramid is also a communication map. Employees never read the policy — they encounter security through the bottom layer (procedures, handbooks, checklists). Awareness work translates the top of the pyramid into the language of the base: a policy clause ("information must be classified") only changes behavior once it exists as a one-pager ("how to label your documents — 3 steps").
Tip: Compare the variants you've seen: EISP/ISSP/SysSP/Guidelines (anglo-american) and Politik/Konzept/Regelwerk/Aufzeichnungen (German) — same cascade logic, different cuts. Recognize the pattern, not just one labeling.