Certified Information Security Manager (CISM) Practice Exam

Question: 1 / 50

Every policy should be supported by what?

Legal documentation

Journal entries

Procedures, standards and baselines

Every policy should be supported by procedures, standards, and baselines because these elements provide the necessary framework and guidelines for the implementation and enforcement of the policy. Procedures offer specific steps to follow to comply with the policy, while standards establish the expected levels of performance or quality. Baselines serve as the minimum requirements or benchmarks against which compliance can be measured. Together, these components ensure that the policy is not just a theoretical statement but translates into actionable items that can be consistently applied within the organization. They help to clarify the expectations and responsibilities of individuals or teams affected by the policy, ultimately facilitating better governance and risk management.

In contrast, legal documentation primarily addresses compliance with laws and regulations but does not necessarily provide the operational guidance that policies require. Journal entries might provide records or insights but lack the structured support needed for policy enforcement. External audits can evaluate compliance and effectiveness but do not support the actual implementation of a policy. Hence, procedures, standards, and baselines are crucial for ensuring that policies are effectively integrated into the organization's operations.

External audits
