Standard
Mandatory rules that implement a policy — e.g., minimum password length, approved cipher suites.
A standard is a mandatory rule that translates broad policy intent into specific, measurable requirements — minimum password length, approved cipher suites, required baseline configurations. Standards are what make a policy auditable: “protect data in transit” (policy) becomes “TLS 1.2 or higher with approved ciphers” (standard). Because they’re mandatory, deviations require a formal exception, unlike advisory guidelines.