Domain 5 of 5 · Chapter 1 of 6

Security Governance

The governance document hierarchy: policy, standard, procedure, guideline

"Use a 14-character password" and "protect customer data" are both written rules, but only one is a standard and the other a policy, and telling those four document types apart is what almost every objective 5.1 governance question comes down to: which of these four am I looking at? They form a hierarchy of decreasing abstraction and (for three of the four) mandatory force, sketched in the figure below: policy → standard → procedure derive top-down, while a guideline sits beside them as optional advice. NIST's introduction to information security[1] describes this derivation, in which each lower document traces up to the policy above it.

Policies: what and why

A policy is a high-level statement of management intent and direction, formally approved by senior leadership. It states the required outcome and the why, never the how. Because it is approved at the top, a policy is mandatory and is the anchor every lower document traces back to. SP 800-12 groups organizational policy into three recurring kinds the exam expects you to recognize:

Policy level Scope Example
Program (organizational) policy Establishes the security program enterprise-wide The overarching information security policy
Issue-specific policy One topic that needs its own stance Acceptable Use Policy (AUP); email policy
System-specific policy Rules for one system/asset The access rules for the payroll system

The Security+ named policies you must know on sight: information security policy (the program policy), AUP (acceptable use of organizational assets, the basis for disciplinary action), business continuity (BC) and disaster recovery (DR) policies (keep the business running / restore IT after a disruption), incident response (IR) policy, software development lifecycle (SDLC) policy (security baked into how software is built), and change management policy (no unauthorized changes to production).

Standards: the measurable rule

A standard translates a policy's intent into a specific, mandatory, uniform requirement so the policy is enforceable and auditable. Where a policy says "protect data at rest," a standard says "AES-256." Standards are where the exam's named examples live: password standards (length, complexity, rotation), access control standards (e.g., least privilege, RBAC), physical security standards (badge access, mantraps), and encryption standards (approved algorithms and key lengths). Many organizational standards adopt external technical baselines, for example NIST SP 800-53[2] control selections, so the organizational standard and the framework align.

Procedures: the repeatable how-to

A procedure is a mandatory, step-by-step set of instructions that implements a standard so the outcome does not depend on who performs the task. SY0-701 calls out change-management procedures, onboarding/offboarding procedures, and playbooks (the codified, repeatable response steps an incident-response or SOAR process executes). If a document is a numbered checklist, it is a procedure.

Guidelines: the only optional one

A guideline is recommended, discretionary advice. It is the single document type in this group that is not mandatory. The reliable exam discriminator is the verb: "shall/must" → policy/standard/procedure; "should/may" → guideline.

Policy mandatory — high-level intent, the "why" derives Standard mandatory — specific, measurable rule derives Procedure mandatory — step-by-step how-to Guideline not mandatory — advice beside, optional each lower document traces up to the approved policy
Policy derives a measurable standard, which derives a step-by-step procedure; all three are mandatory, while a guideline sits beside them as optional advice.

Governance structures, roles, and external considerations

Documents are inert without people accountable for them and a structure that approves and revises them. Objective 5.1 tests both, plus the external forces that constrain the whole program.

Data and accountability roles

Governance assigns ownership so that, for any data set, you can name who decides and who implements. These four roles split cleanly into two jobs, as the figure below groups them: the owner and controller decide (purpose, classification, acceptable use), while the custodian/steward and processor execute (apply the protections, process only as instructed). They also map onto the privacy-law roles you need for compliance questions:

Role Decides / does Managerial or technical Common trap
Data owner Accountable for the data; sets its classification and acceptable use Managerial (senior business exec) Cannot be delegated; the owner is not IT
Data controller Determines the purpose and means of processing personal data Managerial / legal Often the same org as the owner; the controller decides why
Data processor Processes personal data only on the controller's documented instructions External/technical (e.g., SaaS or cloud vendor) Never decides purpose
Data custodian / steward Implements protections day-to-day: access control, backups, encryption Technical Protects data but never sets its classification

The single most-tested distinction: the owner/controller decides, the custodian/processor executes. A question that hands the classification decision to a system administrator is describing a control failure.

Governance bodies

Organizations run governance through boards (a board of directors carries ultimate fiduciary oversight), committees (a security steering committee or risk committee reviews and approves policy and prioritizes spend), and, where regulated, government entities that impose binding external rules. These bodies own the monitoring and revision loop: policies are reviewed on a defined cadence and whenever threats, technology, or law change. A security program is maintained, not written once.

Centralized vs. decentralized

The structural choice the exam contrasts:

  • Centralized governance: one authority sets and enforces policy across the whole enterprise. Pros: consistency, uniform enforcement, easier audit. Cons: slower, less responsive to local needs.
  • Decentralized governance: business units make their own decisions within broad guardrails. Pros: agility, local fit. Cons: inconsistent controls, harder to audit, duplicated effort.

External considerations

A governance program must satisfy forces it does not author: regulatory mandates (HIPAA, PCI DSS, SOX), broader legal obligations and contracts, industry frameworks and norms, and the geographic scope at which a requirement applies, local, regional, national, and global. Scope is an explicit dimension because a multinational must reconcile conflicting national rules (for example EU data-residency requirements against another jurisdiction's lawful-access demands). CompTIA's Security+ objectives[3] place all of these under governance precisely because they determine which policies and standards are non-negotiable.

Decide — purpose, classification, use Data owner managerial sets classification and acceptable use Data controller managerial / legal determines purpose and means Execute — apply the protections Data custodian / steward technical access control, backups, encryption day-to-day Data processor external / technical processes only on the controller's instructions Most-tested distinction: the owner/controller decides; the custodian/processor executes. Handing the classification decision to a system administrator describes a control failure.
The four data roles split into two jobs: owner and controller decide purpose and classification; custodian/steward and processor execute the protections.

Exam-pattern recognition: classifying the document and the role

Governance questions on SY0-701 are overwhelmingly classification questions: a scenario describes an artifact or a decision, and you must name it. Train the two reflexes below and most of objective 5.1 collapses.

Pattern 1: "Which document is this?"

The stem describes a written artifact; the distractors are the other three document types.

  • "A measurable rule requiring 14-character passwords"standard (specific + mandatory). Distractor "policy" is wrong because the policy only says "strong authentication," not the number.
  • "A high-level, leadership-approved statement that the company will protect customer data"policy (intent, no mechanism).
  • "A numbered checklist for revoking access when an employee leaves"procedure (the offboarding procedure).
  • "A recommendation that staff should use a password manager"guideline (optional, note the verb "should").

To break ties, lean on the verb test from The governance document hierarchy above: shall/must points at a mandatory document (policy, standard, procedure), should/may at a guideline.

Pattern 2: "Who is accountable?"

The stem hands a decision or an action to someone; pick the role whose mandate matches.

  • "Who sets the classification of the HR data set?"data owner (a business executive), never the administrator.
  • "A cloud vendor processes customer records strictly per our written instructions"data processor (acts on the controller's instructions; decides no purpose).
  • "The team that applies encryption and runs the backups"data custodian/steward (implements, does not decide).
  • "Our company determines why and how customer personal data is used"data controller.

Pattern 3: "Which governance model / consideration?"

  • "Headquarters mandates one identical policy set for every regional office"centralized governance. If each office sets its own → decentralized.
  • "We must comply with PCI DSS because we store cardholder data" → an external (regulatory/industry) consideration, not an internally chosen control.
  • "A standing committee meets quarterly to review and approve security policy" → a governance committee running the monitoring-and-revision loop.

The NIST Information Security Handbook for managers[4] frames governance as exactly this stack: accountable roles, an oversight body, and a maintained set of policies tied to external drivers, which is why the exam keeps the questions at the level of naming the right concept rather than configuring a product.

Policy vs. standard vs. procedure vs. guideline

Document typeSpecificityMandatory?Example
PolicyHigh-level statement of management intentYes (sets the requirement)Information security policy; AUP; business continuity policy
StandardSpecific, measurable, uniform requirementYesPassword standard (≥14 chars); AES-256 encryption standard; access control standard
ProcedureStep-by-step instructions to implement a standardYesChange-management procedure; onboarding/offboarding checklist; IR playbook
GuidelineRecommended, discretionary adviceNo ("should," not "must")Hardening recommendations; suggested password-manager use

Decision tree

Mandatory? ("shall/must" vs "should") No ("should") Guideline recommended, discretionary Yes High-level intent, no "how"? leadership-approved statement Yes Policy info-sec policy, AUP, BC/DR, IR, SDLC No Numbered step-by-step instructions? a how-to checklist Yes Procedure change mgmt, onboarding/offboarding, playbook No Standard password / encryption / access-control rule Always: a standard/procedure must trace up to an approved policy

Sharp facts the exam loves — give these one last read before exam day.

Cheat sheet

Sharp facts the exam loves — scan these before test day.

Policy → standard → procedure → guideline is the governance hierarchy

Governance documents descend from intent to detail: a policy is management's broad statement of what and why, a standard turns it into a specific measurable rule (e.g., AES-256, passwords ≥14 chars), a procedure gives the numbered step-by-step how-to, and a guideline offers optional advice. Policies, standards, and procedures are mandatory; only the guideline is discretionary, which is the line the exam tests.

Trap Assuming the guideline outranks or precedes the procedure in the hierarchy because it sounds authoritative, when the guideline is the lowest and only optional tier.

1 question tests this
A guideline is the only non-mandatory governance document

Guidelines are recommended best-practice that can be met more than one way, so they are the single discretionary document type. Policies, standards, and procedures are all compulsory. The fastest tell is the verb: "shall/must" marks a mandatory document, "should/may" marks a guideline.

Trap Treating a standard or procedure as optional because it is more detailed than a policy, when only the guideline is discretionary.

3 questions test this
A standard is a specific, measurable, mandatory rule

A standard fixes exactly how strict a policy's intent must be and is compulsory within the organization. Where the policy says "protect data," the standard says AES-256 at rest, passwords ≥14 characters, or RBAC for access. That precision is what makes a policy uniform and auditable. Named SY0-701 examples are password, access control, physical security, and encryption standards.

Trap Classifying a specific measurable rule as a guideline because it reads like best practice, when its mandatory enforceable nature makes it a standard.

1 question tests this
A policy is high-level intent, never the mechanism

A policy is a leadership-approved statement of required outcome and direction written at a broad level; it deliberately leaves the "how" to the standards and procedures beneath it. Named SY0-701 policies include the information security policy, AUP, business continuity, disaster recovery, incident response, SDLC, and change management.

Trap Expecting a policy to name the specific control or technology, when that mechanism belongs to the standard and procedure beneath it.

1 question tests this
Procedures and playbooks are step-by-step instructions

A procedure is the mandatory numbered how-to that implements a standard so the result doesn't depend on who runs it, and a playbook is the procedure variant that codifies repeatable response steps an IR or SOAR workflow executes. SY0-701 examples are change-management and onboarding/offboarding procedures; a checklist counts as a procedure too.

Trap Treating a playbook as a policy: it is an operational procedure that implements policy, not the high-level intent itself.

6 questions test this
AUP defines acceptable use of organizational assets

An Acceptable Use Policy (AUP) is an issue-specific policy spelling out permitted and prohibited use of company systems and data, signed by the user. Because it documents what the user agreed to, it is the basis for disciplinary action when someone misuses assets.

Trap Reaching for an NDA as the document that governs day-to-day use of company systems, when the NDA covers confidentiality and the AUP governs acceptable use.

2 questions test this
Policy scope: program, issue-specific, system-specific

Policies are categorized by scope: a program (organizational) policy establishes the security program enterprise-wide, an issue-specific policy governs one topic such as an AUP or email use, and a system-specific policy sets rules for a single system or asset. The scope mirrors the authority of the manager who issues it.

Trap Labeling an AUP a system-specific policy because it constrains how systems are used, when its single-topic focus makes it issue-specific.

1 question tests this
Data owner sets classification; it cannot be delegated

The data owner is the senior business official with operational authority over a data set and is accountable for setting its classification and acceptable use. That managerial accountability stays with the owner and is not handed to IT, so an admin who decides classification is itself a governance failure.

Trap Naming the IT administrator or custodian as the one who classifies data: they implement protection but never own the classification decision.

4 questions test this
Data custodian/steward implements; never decides classification

The data custodian (steward) is the technical role that carries out the owner's decisions day-to-day, applying access controls, backups, and encryption to protect the data. The custodian enforces protection but never sets the classification or acceptable use; that authority belongs to the owner.

Trap Letting the custodian set or change a data set's classification because they have hands-on access to it, when only the owner holds that decision authority.

1 question tests this
Owner/controller decide, custodian/processor execute

Across the four data roles the dividing line is decide-versus-execute: the owner and controller determine classification and purpose, while the custodian and processor act only on those decisions. Under GDPR the controller "determines the purposes and means of processing" and the processor acts on the controller's instructions, so a scenario that hands a decision to an executing role is describing a control failure.

Trap Assuming a cloud or SaaS vendor that hosts your data becomes the controller: it is normally the processor, and your organization stays the accountable controller.

1 question tests this
Centralized governance favors consistency over flexibility

Centralized governance puts one authority in charge of setting and enforcing policy enterprise-wide, producing uniform, easy-to-audit controls at the cost of speed and local responsiveness. Choose it when consistency and auditability matter most.

Trap Picking centralized governance for its agility and fast local response, when those are the strengths of decentralized governance and centralization trades them away for uniformity.

1 question tests this
Decentralized governance favors agility over uniformity

Decentralized governance lets business units set their own policy within broad guardrails, gaining agility and local responsiveness but risking inconsistent controls and harder auditing. Choose it when units must move independently and speed outranks uniformity.

Trap Choosing decentralized governance when the priority is uniform, easy-to-audit controls, since that consistency is exactly what decentralization sacrifices for speed.

1 question tests this
Boards, committees, and government entities are governance structures

Governance is exercised through structures: boards hold ultimate oversight (e.g., the board of directors), committees such as a security steering or risk committee review and approve policy, and government entities/regulators impose binding external rules where the organization is regulated. Each is a named SY0-701 governance structure.

5 questions test this
Governance includes continuous monitoring and revision

A security program is maintained, not written once: policies are reviewed on a defined cadence and re-examined whenever threats, technology, business needs, or law change. That monitoring-and-revision loop is itself a governance activity owned by the oversight body, not a one-time document.

1 question tests this
External considerations drive which policies are mandatory

Governance must satisfy external forces: regulatory mandates (HIPAA, PCI DSS, SOX), broader legal and contractual obligations, and industry frameworks, and these dictate which policies and standards are non-negotiable regardless of internal preference. On the exam, an external requirement overrides an organization's own appetite for a control.

Trap Allowing the organization's internal risk appetite to waive a control that an external regulation mandates, when the external requirement is non-negotiable.

Geographic scope: local, regional, national, global

Requirements apply at distinct geographic scopes (local, regional, national, and global), so a multinational must reconcile rules that conflict across borders, such as EU data-residency duties versus another jurisdiction's lawful-access demands. That is why scope is treated as an explicit governance dimension rather than an afterthought.

SDLC and change-management policies bake security into operations

An SDLC policy forces security to be built into how software is developed rather than bolted on afterward, and a change-management policy blocks unauthorized changes from reaching production. Both are named SY0-701 governance policies that flow down into procedures developers and operators actually follow.

1 question tests this
A CISO reporting to the CIO creates a conflict of interest

When the CISO reports to the CIO, the executive accountable for IT delivery also oversees the function that evaluates IT risk, a separation-of-duties conflict that can pressure the CISO to soften controls and skew risk reporting; SOX audits have flagged this reporting line as a control-design weakness. Reporting higher, to the CEO or board, preserves the CISO's independence and unfiltered risk communication, while the board and senior leadership retain ultimate accountability for cyber risk.

Trap Placing the CISO under the CIO to keep security "close to IT": it undermines the independence the role needs to objectively report risk.

3 questions test this

Also tested in

References

  1. An Introduction to Information Security (SP 800-12 Rev. 1) Whitepaper
  2. Security and Privacy Controls for Information Systems and Organizations (SP 800-53 Rev. 5) Whitepaper
  3. CompTIA Security+ (SY0-701) certification
  4. Information Security Handbook: A Guide for Managers (SP 800-100) Whitepaper