CRISC differentiates between high-level expectations (policies), recommended methods (best practices), mandatory specifications (standards), and detailed, step-by-step instructions (procedures). For planning a vulnerability assessment aligned to organizational requirements, procedures provide the most granular detail: scope, tools, timings, responsibilities, escalation paths, and approval steps. Policies state that assessments must occur but do not specify “how.” Standards define minimum requirements but not execution details. Procedures guide actual implementation, making them the most suitable for planning.
Chosen Answer: