Which document type tells employees WHAT they must do but not HOW?
A CISSP practice question covering Domain 1: Security and Risk Management. Try answering before reading the explanation below.
Why "Policy" is the right answer
Policies state intent and direction. Standards mandate specific implementations. Procedures give step-by-step instructions. Guidelines are recommendations (non-mandatory).