Step-by-step instructions used to satisfy control requirements are called a:

A.
policy.

B.
standard.

C.
guideline.

D.
procedure.

Explanation:
Procedures are detailed step-by-step tasks that should be performed to achieve a certain goal. The steps can
apply to users, IT staff, operations staff, security members, and others who may need to carry out specific
tasks. Many organizations have written procedures on how to install operating systems, configure security
mechanisms, implement access control lists, set up new user accounts, assign computer privileges, audit
activities, destroy material, report incidents, and much more.
Procedures are considered the lowest level in the documentation chain because they are closest to the
computers and users (compared to policies) and provide detailed steps for configuration and installation issues.
Procedures spell out how the policy, standards, and guidelines will actually be implemented in an operating
environment.
Incorrect Answers:
A: A policy is defined as a high-level document that outlines senior management’s security directives. This is
not what is described in the question.
B: Standards are compulsory rules indicating how hardware and software should be implemented, used, and
maintained. This is not what is described in the question.
C: Guidelines are recommended actions and operational guides for users, IT staff, operations staff, and others
when a specific standard does not apply. This is not what is described in the question.

Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, pp. 106-107