Security Program Management and Oversight · SY0-701 · Task 5.1

Standards, procedures, and playbooks — SY0-701

Understand standards, procedures, and playbooks in security governance—what each document mandates, how they differ, and the exam trap candidates fall into.

WHAT IT IS

A standard, a procedure, and a playbook are three distinct types of governance documents that together operationalize a security program. The NIST CSRC Glossary (NIST SP 800-175A) defines a standard as "a document establishing requirements, specifications, guidelines, or characteristics to ensure materials, products, processes, and services meet their intended purpose." A standard translates high-level policy language into specific, measurable requirements. A procedure is the step-by-step implementation of those requirements — the "how" that operationalizes the "what." A playbook is a documented set of predetermined instructions focused on a particular scenario, especially response activities; the NIST CSRC Glossary (NIST SP 800-34 Rev. 1 / CNSSI 4009-2015) describes an incident response plan as "the documentation of a predetermined set of instructions or procedures to detect, respond to, and limit consequences of a malicious cyber attack against an organization's information system(s)." Playbooks are the scenario-scoped instantiation of this concept.

Mental model

Think of a security program as nested layers of specificity:

  • Policy answers why and sets principles and long-term objectives (NIST SP 800-82r3).
  • Standard answers what — the specific, enforceable requirements that give policy teeth.
  • Procedure answers how — the ordered steps a person or system follows to satisfy the standard.
  • Playbook answers what do we do right now — a pre-authored, scenario-specific procedure bundle invoked at runtime, particularly for detection and response.

The further down this chain you go, the more concrete and actionable the document becomes.

When to use it

The exam frequently asks candidates to identify which document type is appropriate for a given situation, or to distinguish between adjacent types.

Document type | Specificity                       | Mandatory or advisory?      | Audience                     | Typical trigger
Policy        | High-level principles             | Mandatory (by authority)    | Whole organization           | Organizational objective
Standard      | Specific requirements             | Mandatory (enforces policy) | Roles implementing controls  | Compliance measurement need
Procedure     | Step-by-step instructions         | Mandatory or advisory       | Operators performing a task  | Task execution need
Playbook      | Scenario-specific instruction set | Mandatory at incident time  | Responders handling an event | Detected security event

Key distinction: a standard specifies what must be true (for example, a minimum password length). A procedure specifies the sequence of actions to make it true. A playbook specifies the sequence of actions to take when a particular scenario is detected. NIST SP 800-160 Vol. 2 Rev. 1 notes that controls — the means of managing risk — encompass "policies, procedures, guidelines, practices, or organizational structures," which means each document type is itself a control artifact.

COMMON MISCONCEPTION

Candidates frequently treat "standard" and "policy" as interchangeable, or conflate "procedure" with "playbook." The exam exploits this by presenting a scenario and asking which document type would mandate a specific technical requirement — the answer is a standard, not a policy. Policy (NIST SP 800-82r3) addresses the "what" and "why" in technology-independent language; it does not itself specify technical thresholds. A standard operationalizes policy into measurable requirements. Similarly, a playbook is not simply a generic procedure — it is scenario-bound and typically invoked in response to a specific trigger (such as a detected attack), whereas a procedure can govern routine operations.

A related trap: candidates sometimes assume playbooks exist only for incident response. The underlying concept — a "predetermined set of instructions or procedures" invoked for a specific situation — applies broadly. However, its primary grounding in the NIST vocabulary is in the detection-and-response context.

How it shows up on the exam

Questions on this concept tend to be application-level: a scenario describes an organization that needs to enforce a specific technical requirement, or needs personnel to follow consistent steps during an event, and the candidate must identify the correct document type. The cognitive target is distinguishing prescriptive requirements (standard) from instructional sequences (procedure) from scenario-triggered instruction sets (playbook).

Signal phrases to watch for:

  • "…must enforce a specific configuration requirement across all systems" → standard
  • "…personnel need step-by-step instructions for performing a task" → procedure
  • "…incident responders need a predetermined set of actions to take when a specific attack is detected" → playbook

A common misconception — that policy is sufficient to mandate technical specifics — is the primary distractor in this question family. NIST SP 800-175A's definition of a standard as a document establishing requirements (not just principles) is the grounding distinction.


CutScore is an independent study tool and is not affiliated with, authorized by, endorsed by, or sponsored by Amazon Web Services. “AWS” and “AWS Certified AI Practitioner” are trademarks of Amazon.com, Inc. or its affiliates. All content is independently authored from the public exam blueprint and official documentation — no real exam content is used.
