The primary purpose of information security standards is to establish a minimum acceptable security baseline (D). In CISM governance, policies define what must be achieved, standards define the mandatory minimum requirements, and procedures provide how-to instructions. Management direction (A) is the role of policies, not standards. Policies are not derived from standards (B); rather, standards support policies. Step-by-step instructions (C) are procedures. Standards ensure consistency, enforceability, and measurable compliance across the organization.
[References: ISACA CISM Review Manual (Governance: policy, standards, and procedures hierarchy); CISM Exam Content Outline (Domain 2).]