CISSP Study Plan – Day 48 of 55 | Baselines, Procedures, Standards, and Policies
- Luke Ahmed
- Nov 5
- 3 min read
“Flashcards are essential for quick review and to remind yourself what you need to remind yourself :)” – Luke Ahmed
Today is Day 48 of Yihenew’s CISSP study plan, focusing on one of the most management-centric topics in Domain 1: Policies, Standards, Baselines, and Procedures — the foundational hierarchy of security governance.
These documents define how an organization translates security intent into consistent action. CISSP students often mix them up, but understanding how they differ — and connect — is key to thinking like a manager.
Key Areas Covered in the CISSP Study Plan
Policy:
High-level statement of management’s intent and direction.
Defines what must be done and why.
Example: “All systems must comply with organizational password requirements.”
Approved by: Senior management.
Standard:
Defines specific rules or metrics that support a policy.
Ensures uniform implementation of security controls.
Example: “Passwords must be a minimum of 14 characters and include alphanumeric characters.”
Baseline:
Minimum acceptable level of security — the starting point for configurations.
Example: “All laptops must have full disk encryption enabled.”
Baselines ensure consistency across devices and environments.
Procedure:
Step-by-step instructions for carrying out a task.
Defines how to do something.
Example: “Steps for resetting a user password or onboarding a new employee.”
Hierarchy Summary: Policy → Standard → Baseline → Procedure (from broad intent to actionable detail).
CISSP Exam Tie-In
CISSP questions often test your ability to place governance documents in the correct hierarchy or identify which level of control is being described.
Common traps:
If it is strategic and approved by senior management, it is a Policy.
If it is measurable and repeatable, it is a Standard.
If it describes minimum configuration requirements, it is a Baseline.
If it is step-by-step implementation, it is a Procedure.
Tip: When you see “how,” think Procedure. When you see “what” or “why,” think Policy.
Quick CISSP Practice Question
Which of the following best describes a baseline in information security?
A. A high-level statement of management’s intent
B. A minimum security configuration requirement
C. A detailed step-by-step implementation guide
D. A rule defining password length and complexity
✅ Correct Answer: B. A minimum security configuration requirement
Explanation: Baselines define the minimum acceptable security posture for systems and processes. They ensure that all configurations meet organizational standards before deployment.
Think Like a Manager: Policies express intent, standards define requirements, baselines establish consistency, and procedures enforce execution. Governance is structure — not suggestion.
👉 Can you take the Yani Challenge?
55 days of consistent CISSP prep, tackling one domain at a time, using only the resources below:
Course
Luke's CISSP Course (2 months access, $89.98)
One-to-one Zoom sessions with Luke Ahmed (2 weeks before exam)
Books, Notes, and Practice Questions
All-In-One Study Guide by Shon Harris (Around $45)
Sybex 10th Edition (Around $52.55)
Total Cost: approximately $250, depending on your geographic location. Yani is located in East Africa.
📚 Study Plan (55 Days of Dedication):
- Weekdays: 2–3 hours of focused study—late nights and early mornings (5 AM).
- Weekends: 5–6 hours of deep study sessions.
Pass the CISSP on the first attempt within 100 questions.
Yani's biggest expense was his time, commitment, consistency, and dedication! It was worth it because he passed on his first attempt in 100 questions using only the resources above.
If Yihenew could do it, so can you.
All the best, future CISSP. Feel free to contact me anytime as well.
Thank you.
Luke Ahmed