Governance Documents: Policy, Standard, Procedure, and Baseline
Key Takeaways
- Governance defines who has authority, how decisions are made, and how security aligns with business objectives.
- Policies state management intent and required outcomes at a high level.
- Standards define mandatory requirements that support policy.
- Procedures provide step-by-step instructions for repeatable work.
- Baselines define approved minimum secure configurations or operating states.
Governance is the structure used to direct, control, and measure security. It defines decision authority, accountability, risk appetite, oversight, and alignment with business objectives. Governance documents translate those decisions into expectations that teams can follow and auditors can review.
Document Types
| Document | Purpose | Example |
|---|---|---|
| Policy | High-level management requirement | All workforce identities must use multifactor authentication |
| Standard | Mandatory rule that supports policy | MFA must use phishing-resistant methods for privileged accounts |
| Procedure | Step-by-step instructions | How to enroll a user in the approved MFA platform |
| Baseline | Minimum approved configuration state | Laptop baseline requires disk encryption, EDR, screen lock, and logging |
| Guideline | Recommended practice | Prefer passphrases for long memorized secrets |
The hierarchy matters. A policy tells the organization what outcome is required. A standard defines specific mandatory requirements. A procedure explains how to perform the work. A baseline defines the secure starting point or minimum state.
Scenario: Remote Access Governance
A company allows remote work but has inconsistent VPN and cloud access settings. Security leadership approves a remote access policy. The operational documents then support it.
| Governance need | Best document |
|---|---|
| State that remote access must be approved, authenticated, encrypted, and monitored | Policy |
| Require MFA, device compliance, session timeout, and logging for remote access | Standard |
| Explain how the service desk enrolls a new remote user | Procedure |
| Define approved VPN gateway settings and endpoint posture checks | Baseline |
| Suggest preferred home network practices for employees | Guideline |
Ownership and Review
Governance documents need owners and review cycles. A policy that no one owns becomes stale. A procedure that no one updates causes inconsistent execution.
| Governance attribute | Why it matters |
|---|---|
| Document owner | Accountable for accuracy and review |
| Approver | Shows management authority |
| Effective date | Identifies when the requirement started |
| Review date | Prevents stale controls |
| Scope | Defines who and what must comply |
| Exception process | Allows controlled deviation when justified |
Common Traps
- Calling every document a policy even when it is really a procedure or standard.
- Writing a policy so detailed that it becomes hard to maintain.
- Creating a baseline but never measuring systems against it.
- Publishing a standard without an exception process.
- Leaving document ownership unclear.
Exam Focus
SY0-701 questions often ask which document is most appropriate. If the answer must state executive intent, choose policy. If it must define mandatory technical requirements, choose standard. If it must tell someone exactly how to perform a task, choose procedure. If it defines the approved minimum configuration, choose baseline.
Which document should state that all privileged accounts must use approved multifactor authentication?
Which document best defines required laptop settings such as disk encryption, EDR, and screen lock timeout?
Match each governance document to its best description.