IT Policies, Standards, Procedures, and Guidelines (PSPGs) are the formal governance artifacts that define how an organization manages, protects, and operates its information technology. They form a four-tier hierarchy: (1) Policies — mandatory, high-level statements of intent and requirement (e.g., 'All user access must follow the principle of least privilege'); (2) Standards — specific, measurable requirements that implement a policy (e.g., 'Passwords must be at least 12 characters with complexity enforced'); (3) Procedures — step-by-step instructions for performing tasks to meet standards (e.g., 'Quarterly access review: manager-initiated, IT-verified, documented in ServiceNow'); (4) Guidelines — recommended, non-mandatory best practices that assist implementation (e.g., 'Consider using a password manager for credential storage'). Together, these artifacts bridge governance strategy and operational execution, creating a traceable accountability chain from board-level intent to individual IT action.
Where it stops · what it isn't
- PSPGs ARE: Formal, documented governance artifacts with defined ownership, approval authority, version history, and enforcement mechanisms.
- PSPGs ARE NOT: Verbal instructions, informal team conventions, tribal knowledge, or undocumented operational practices; none of these can be audited or enforced consistently.
- PSPGs ARE NOT the same as security controls or technical configurations: a policy mandates what must be done; a technical control (firewall rule, access list) implements it. Both must exist and align.
- Policy effectiveness is NOT binary (exists vs. does not exist); it sits on a maturity spectrum from Ad Hoc → Defined → Managed → Optimized, and each level requires a different remediation approach.
- PSPGs are NOT static documents: they require a full lifecycle (creation, approval, communication, enforcement, audit, revision) and must evolve with the threat landscape, regulatory environment, and business context.
- A policy copied verbatim from ISO/IEC 27001 templates or NIST without organizational customization is NOT an effective policy: generic language does not match real operational context and creates immediate policy-practice gaps under audit.
Connected concepts in the graph
Every cubelet sits in a knowledge graph. Here's what this one connects to.
- PART OF: IT Governance and Management (ISACA CISA Domain 2)
- REQUIRES:
  - IT Governance Frameworks (COBIT, ISO/IEC 27001, NIST CSF 2.0)
  - Organizational Risk Appetite and Risk Management Framework
- ENABLES:
  - IT Audit and Compliance Assessments
  - Incident Response and Business Continuity Planning
  - Third-Party and Vendor Risk Management
- RELATED TO:
  - IT Performance Monitoring and Reporting
  - Information Asset Security Policies, Frameworks, Standards, and Guidelines
- CONSTRAINS:
  - IT Operations and Day-to-Day IT Decision-Making
  - Cloud Adoption, AI Tool Deployment, and Emerging Technology Onboarding