Governance Documents: Policy, Standard, Procedure, and Baseline

Key Takeaways

  • Governance defines who has authority, how decisions are made, and how security aligns with business objectives.
  • Policies state management intent and required outcomes at a high level and are mandatory.
  • Standards define mandatory, measurable requirements that support a policy.
  • Procedures provide step-by-step instructions for repeatable work; guidelines are optional advice.
  • Baselines define the approved minimum secure configuration, and every system must be measured against them.

Last updated: June 2026

Why Governance Is on the Exam

Governance is the structure used to direct, control, and measure a security program. It defines decision authority, accountability, risk appetite, oversight, and alignment with business objectives. On CompTIA Security+ SY0-701 (max 90 questions, 90 minutes, passing 750 on a 100-900 scale, launched November 7, 2023), governance lives in Domain 5.0 "Security Program Management and Oversight," the largest exam domain at roughly 20 percent of scored items. Expect several questions that hand you a scenario and ask which document type is the best fit.

Governance documents form a deliberate hierarchy. Each layer answers a different question and has a different level of authority. Memorize the hierarchy because the wrong layer is the most common distractor.

Document Hierarchy

| Document | Authority | Question it answers | Example |
|---|---|---|---|
| Policy | Mandatory | What outcome does management require? | All workforce identities must use multifactor authentication |
| Standard | Mandatory | What specific, measurable rule enforces the policy? | Privileged accounts must use phishing-resistant FIDO2 MFA |
| Procedure | Mandatory | How exactly do I perform the task? | Steps to enroll a user in the approved MFA platform |
| Baseline | Mandatory | What is the minimum approved configuration? | Laptop baseline: full-disk encryption, EDR, 10-min screen lock, central logging |
| Guideline | Optional | What is recommended but not required? | Prefer passphrases of 15+ characters |

The distinction the exam tests hardest is policy versus standard versus procedure. A policy is durable and rarely changes; it states intent and is approved at the executive or board level. A standard is specific and changes as technology changes (TLS 1.2 today, TLS 1.3 next year) and is typically owned by an engineering or architecture function. A procedure is operational detail maintained by the team that performs the work. A baseline is a configuration snapshot you can audit a machine against, and any drift away from it is a finding.

A useful memory aid: policy = why, standard = what, procedure = how, baseline = the secure starting state. Guidelines are the only optional layer; everything above them is enforceable, and violating a mandatory document can be grounds for corrective action.

Scenario: Remote Access Governance

A company allows remote work but has inconsistent VPN and cloud settings. Leadership approves a remote-access policy; the operational documents then support it.

| Governance need | Best document |
|---|---|
| State that remote access must be approved, authenticated, encrypted, and monitored | Policy |
| Require MFA, device compliance, 15-minute session timeout, and logging | Standard |
| Explain how the service desk enrolls a new remote user | Procedure |
| Define approved VPN gateway settings and endpoint posture checks | Baseline |
| Suggest preferred home-network practices for employees | Guideline |

Agreements and Specialized Policies

SY0-701 also names specific document types you must recognize by their acronyms. They are heavily tested as "which agreement" questions.

| Document | Purpose |
|---|---|
| AUP (Acceptable Use Policy) | Defines what users may and may not do on company systems |
| SLA (Service-Level Agreement) | Contractual performance/uptime commitments with a provider |
| MOU/MOA (Memorandum of Understanding/Agreement) | Non-binding or binding statement of intent between parties |
| MSA (Master Service Agreement) | Umbrella contract governing future work orders |
| NDA (Non-Disclosure Agreement) | Protects confidential information shared between parties |
| BPA (Business Partners Agreement) | Defines responsibilities and revenue/risk sharing between partners |
| SOW (Statement of Work) | Specific deliverables, timeline, and milestones under an MSA |

Ownership and Review

Every governance document needs an owner and a review cycle (commonly annual, or sooner after a major incident, audit finding, regulatory change, or technology shift). A policy with no owner becomes stale; a procedure no one updates produces inconsistent execution and audit failures. Required attributes include the document owner (accountable for accuracy), the approver (showing management authority), the effective date, the review date, the scope (who and what must comply), version history, and a defined exception process.

Without a version and effective date, an auditor cannot prove which requirement was in force at the time of an incident. SY0-701 frames many governance items around this lifecycle: a control that exists on paper but was never reviewed, owned, or measured is treated as ineffective regardless of how good its wording is.

Common Traps

  • Calling every document a "policy" when it is really a standard or procedure.
  • Writing a policy so detailed it becomes a procedure and must change constantly.
  • Creating a baseline but never measuring live systems against it (configuration drift goes undetected).
  • Publishing a standard with no exception process.
  • Confusing an SLA (uptime/performance) with an MOU (intent) or AUP (user behavior).
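To make the "measure live systems against the baseline" point concrete, here is an added example (not from the original page) that checks constructed laptop inventory records against the laptop baseline described above and reports each deviation as a finding; the field names, the inventory records and the eq/max rule encoding are assumptions.

```python
# Added example, not from the page: measure laptops against the page's baseline
# (full-disk encryption, EDR, 10-minute screen lock, central logging). The
# baseline table, field names and inventory records are constructed.
from dataclasses import dataclass

# "eq": live value must equal the baseline; "max": live value may not exceed it
# (a 5-minute screen lock still meets a 10-minute baseline, 30 minutes is drift).
LAPTOP_BASELINE = {
    "full_disk_encryption": ("eq", True),
    "edr_agent_running": ("eq", True),
    "screen_lock_minutes": ("max", 10),
    "central_logging": ("eq", True),
}

@dataclass(frozen=True)
class Finding:
    host: str
    setting: str
    expected: object
    actual: object          # None when the host did not report the setting

def check_host(host, live, baseline=LAPTOP_BASELINE):
    """Return one Finding per baseline setting the host fails or does not report."""
    findings = []
    for setting, (rule, expected) in baseline.items():
        if setting not in live:     # unreported: compliance cannot be proven
            findings.append(Finding(host, setting, expected, None))
            continue
        actual = live[setting]
        ok = (actual == expected) if rule == "eq" else (actual <= expected)
        if not ok:
            findings.append(Finding(host, setting, expected, actual))
    return findings

def drift_report(inventory, baseline=LAPTOP_BASELINE):
    """Map host name -> list of findings; an empty list means compliant."""
    return {h: check_host(h, live, baseline) for h, live in inventory.items()}
# Constructed inventory: one compliant laptop, one drifted, one missing a field.
SAMPLE_INVENTORY = {
    "lt-001": {"full_disk_encryption": True, "edr_agent_running": True,
               "screen_lock_minutes": 5, "central_logging": True},
    "lt-002": {"full_disk_encryption": True, "edr_agent_running": False,
               "screen_lock_minutes": 30, "central_logging": True},
    "lt-003": {"full_disk_encryption": True, "edr_agent_running": True,
               "central_logging": True},
}

if __name__ == "__main__":
    for host, findings in drift_report(SAMPLE_INVENTORY).items():
        print(host, "compliant" if not findings else [f.setting for f in findings])
```

Each non-empty list is an audit finding against the baseline; a setting the endpoint never reports is treated as a finding too, because an unmeasured control cannot be shown to be in force.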

Exam Focus

If the answer must state executive intent, choose policy. If it must define a specific mandatory technical rule, choose standard. If it must tell someone exactly how to perform a task, choose procedure. If it defines the approved minimum configuration, choose baseline. If it merely recommends, choose guideline. For partner relationships, match the acronym: uptime equals SLA, intent equals MOU, confidentiality equals NDA.

Test Your Knowledge

  1. Which document should state the high-level requirement that all privileged accounts must use approved multifactor authentication?
  2. An auditor wants to compare a laptop's actual settings (disk encryption, EDR, screen-lock timeout) against the approved minimum. Which document defines that minimum?
  3. A cloud provider commits in writing to 99.9 percent monthly uptime with credits for breaches. Which agreement type is this?

Matching: match each governance document to its best description.

  • Policy
  • Standard
  • Procedure
  • Baseline