LOGBOOK

HELP

Quiz Entry - updated: 2026.06.20

What is the security (policy) pyramid in the anglo-american split?

EISP at the top, ISSP below it, SysSP next, and Guidelines at the base.

Anglo-american policy pyramid: EISP, ISSP, SysSP, Guidelines.

* The anglo-american policy pyramid — EISP → ISSP → SysSP → Guidelines; more detail toward the base. *

  • EISP — Enterprise Information Security Policy: one per organization; direction, scope, and tone for all security efforts
  • ISSP — Issue-Specific Security Policy: one per topic (internet use, e-mail, personal devices…)
  • SysSP — System-Specific Security Policy: one per system (firewall, data center, ERP…)
  • Guidelines — supporting recommendations, checklists, how-tos

Going down the pyramid: more documents, more detail, more frequent change, lower approval level. The EISP is signed by the CEO and survives years; a guideline can be updated by the security team whenever technology shifts.

Tip: Pyramid = inheritance. Every SysSP must be traceable to an ISSP/EISP statement above it. If a firewall rule document contradicts the EISP, the pyramid is broken — and audits will find it.

From Quiz: ISM / Policies, Concepts & Guidelines | Updated: Jun 20, 2026