The primary difference between security policies and security procedures is that policies are generic in nature, while procedures contain the operational details. Security policies are the high-level, management-approved statements that define the goals, objectives, and requirements of security for an organization; they state what must be done and why, not how. Security procedures are the low-level, step-by-step instructions that specify how to implement, enforce, and comply with those policies in day-to-day operations.
A. "Policies are used to enforce violations, and procedures create penalties" is not a correct answer, because it reverses the roles of policies and procedures. Policies define the penalties, and procedures carry out enforcement. Penalties are the consequences or sanctions imposed for violating a security policy, and they are established by the policy itself (for example, a statement that non-compliance may result in disciplinary action). Enforcement is the process of detecting violations and ensuring compliance, and it is carried out through the procedures that describe how violations are identified, reported, and handled.
B. "Policies point to guidelines, and procedures are more contractual in nature" is not a correct answer, because it misrepresents the nature and purpose of both documents. Policies are not guidelines: guidelines are recommended, non-mandatory practices, whereas policies are mandatory rules that bind the organization and its stakeholders to the security principles and standards management has approved. Procedures are not contractual in nature but operational, describing the specific tasks and activities required to achieve the security goals and objectives set out in the policies.
C. "Policies are included in awareness training, and procedures give guidance" is not a correct answer, because it implies that policies and procedures have different audiences and functions. Both are included in awareness training, and both give guidance. Awareness training is the process of educating the organization and its stakeholders about the security policies and procedures and about their own roles and responsibilities in security. Guidance is the direction and advice provided on how to comply with those policies and procedures and how to handle security issues and incidents; neither activity is exclusive to one type of document.
References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 1, page 17; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 1, page 13