Policy, Standard, Baseline, Guideline, Procedure — how do these five document types differ?
Policy states WHAT and WHY (mandatory, high-level); standards make it uniform; baselines set the minimum level; guidelines recommend (optional); procedures spell out HOW step by step.
* The five document types — Policy → Standard → Baseline → Procedure (mandatory); Guideline is the only non-binding one. *
| Type | Binding? | Role | Example |
|---|---|---|---|
| Policy | Mandatory | Management's intent: what & why | "All confidential data must be encrypted" |
| Standard | Mandatory | Uniform technologies/methods | "Encryption uses AES-256" |
| Baseline | Mandatory | Minimum security level for a platform | "Windows servers follow CIS hardening level 1" |
| Guideline | Optional | Recommended practice where no standard fits | "Prefer passphrases of 4+ words" |
| Procedure | Mandatory | Step-by-step HOW for a task | "To request a certificate: steps 1–7" |
The hierarchy in one sentence: the policy demands protection, the standard picks the uniform method, the baseline fixes the floor, the procedure walks you through it — and guidelines advise wherever flexibility is acceptable.
Tip: Exam classic — the only non-binding one is the guideline. If a document must be enforceable, it cannot be (only) a guideline.