Policies, Procedures, Plans & Directives

Key Takeaways

  • A policy states mandatory high-level rules; a procedure provides step-by-step instructions for implementing that policy.
  • Plans are roadmaps tied to specific objectives and timelines, while directives are short-term or situational instructions.
  • Cross-functional review by HR, legal, IT, and facilities before publication reduces the risk that a new security policy conflicts with other organizational obligations.
  • Training records documenting who was trained, when, and on which policy version are frequently requested during litigation or regulatory audits.
  • Onboarding is the highest-leverage moment to introduce core security policies to new employees.
Last updated: July 2026

The Governance Document Hierarchy

Domain 2, Task 2 of the CPP Body of Knowledge tests a security manager's ability to develop and maintain the governing documents that translate strategy into daily practice. The exam distinguishes carefully among four document types that security candidates often use interchangeably in casual conversation but that have distinct purposes in a mature security program.

DocumentPurposeTypical LifespanExample
PolicyStates the mandatory, high-level rule or organizational intentLong-term, revised infrequentlyAll employees must wear visible ID badges on premises.
ProcedureProvides the specific, step-by-step instructions for implementing a policyReviewed regularly as processes changeSteps for issuing, deactivating, and auditing badges
PlanA roadmap for achieving a specific objective, often with a timeline and resource allocationProject-bound or cyclical (annual)Security staffing plan for a new facility opening
DirectiveA specific, often time-bound instruction, frequently issued to address an immediate operational needShort-term or situationalTemporary directive to increase badge checks during a threat escalation

Understanding this hierarchy matters on the exam because scenario questions frequently ask which document type is the appropriate vehicle for a given governance need -- writing a new post order as a policy, for example, is a common distractor.

Development Process

Effective policy and procedure development follows a repeatable process: identify the business or risk driver, draft the document, circulate it for cross-functional review, obtain formal approval from an authorized owner, publish and communicate it to affected employees, and schedule periodic review. Skipping the cross-functional review step is the single most common cause of policies that fail in practice -- a badge policy drafted by security alone, without HR and facilities input, may conflict with existing HR disciplinary procedures or building-access vendor contracts.

Communication and Training Strategies

A policy that is written but not communicated has no operational effect. The exam expects familiarity with a layered communication approach:

  • Formal training -- instructor-led or e-learning modules for policies with compliance or safety implications (e.g., workplace violence prevention).
  • Awareness campaigns -- posters, intranet articles, and email reminders that reinforce policy without requiring a formal course.
  • Onboarding integration -- new-hire orientation is the highest-leverage moment to introduce core security policies, since retention and behavior change are strongest when policy is tied to a role from day one.
  • Refresher cycles -- annual or biennial re-training, particularly for policies tied to regulatory obligations, keeps compliance current and creates a documented training record for audit purposes.

Security managers should document who was trained, when, and on what version of the policy -- this record is frequently the first thing requested during litigation or a regulatory audit following an incident.

Cross-Functional Collaboration

Because security policy intersects with employment law, privacy, IT, facilities, and labor relations, the CPP exam repeatedly tests the principle that security should not draft governing documents in isolation. Key partners include:

  1. Human Resources -- disciplinary consistency, union agreements, protected-class considerations.
  2. Legal/Compliance -- statutory obligations, litigation exposure, contract terms.
  3. IT -- technical enforceability of access-control or monitoring policies.
  4. Facilities/Operations -- physical feasibility of procedures at each site.
  5. Employee/Labor Relations or unions -- where a collective bargaining agreement governs working conditions.

A policy approved by security leadership alone, without these stakeholders, is far more likely to be challenged, inconsistently enforced, or reversed after an incident exposes a gap.

Relevant Laws and Regulations

Security policies do not exist in a legal vacuum. The Body of Knowledge specifically calls out awareness of relevant laws and regulations as part of Task 2, and CPP candidates should be able to recognize (not necessarily cite verbatim) categories such as:

  • Employment and labor law -- governs discipline, termination, and monitoring policies (varies significantly by jurisdiction).
  • Privacy law -- governs employee monitoring, video surveillance retention, and biometric data collection (e.g., state biometric privacy statutes, GDPR for multinational operations).
  • Industry-specific regulation -- healthcare (HIPAA), financial services, or critical infrastructure sectors impose sector-specific security-policy requirements.
  • Occupational safety law -- workplace-violence-prevention and general duty-of-care obligations shape emergency and life-safety procedures.

The exam does not expect memorization of statute numbers outside domains where they are the direct subject (e.g., FCRA in personnel security); it expects the candidate to recognize that legal review is a mandatory step in policy development and to identify which stakeholder (legal, HR, privacy officer) owns that review.

Document Control and Accessibility

A governance document library is only useful if employees can find the current version and cannot mistakenly rely on a superseded one. Mature programs maintain version control (a document number, revision date, and approver on every policy), archive superseded versions separately from active ones, and publish the library on an accessible platform such as an enterprise policy-management system rather than emailing PDFs that quickly go stale in employee inboxes. During an audit or post-incident review, the ability to show exactly which policy version was in force on a given date -- and that the employee involved was trained on that version -- is often as important as the policy's content itself.

Putting It Together

A well-governed security program has a visible, current policy library; procedures that match how work is actually performed on the ground; plans that translate strategic priorities into resourced projects; and directives reserved for genuine short-term operational needs rather than used as a substitute for updating a stale policy. Auditors and regulators evaluate not just whether documents exist, but whether training records, revision history, and cross-functional sign-offs demonstrate that governance is a living, enforced system rather than a binder on a shelf.

Test Your Knowledge

Which document type specifies the mandatory, high-level rule an organization must follow, leaving the specific step-by-step execution to a separate document?

A
B
C
D
Test Your Knowledge

Before publishing a new employee monitoring policy, which cross-functional review step is essential to ensure legal compliance?

A
B
C
D