Quiz Entry - updated: 2026.06.20
What is the security (policy) pyramid in the anglo-american split?
EISP at the top, ISSP below it, SysSP next, and Guidelines at the base.
* The anglo-american policy pyramid — EISP → ISSP → SysSP → Guidelines; more detail toward the base. *
- EISP — Enterprise Information Security Policy: one per organization; direction, scope, and tone for all security efforts
- ISSP — Issue-Specific Security Policy: one per topic (internet use, e-mail, personal devices…)
- SysSP — System-Specific Security Policy: one per system (firewall, data center, ERP…)
- Guidelines — supporting recommendations, checklists, how-tos
Going down the pyramid: more documents, more detail, more frequent change, lower approval level. The EISP is signed by the CEO and survives years; a guideline can be updated by the security team whenever technology shifts.
Tip: Pyramid = inheritance. Every SysSP must be traceable to an ISSP/EISP statement above it. If a firewall rule document contradicts the EISP, the pyramid is broken — and audits will find it.