Which statement best distinguishes standards from guidelines?

Multiple Choice

Which statement best distinguishes standards from guidelines?

Explanation:
The difference being tested is enforceability: standards are formal, mandatory requirements, while guidelines are recommended practices that are discretionary. Standards come from an authority—such as regulatory bodies or organizational policy—and compliance with them is expected or required, with penalties or audits if you don’t follow them. Guidelines, on the other hand, offer best-practice recommendations to help achieve security goals but aren’t binding; organizations can choose how closely to follow them based on risk, resources, and context.

That’s why the statement that standards are mandatory and guidelines are discretionary is the best choice. For example, a standard might require AES-256 for data at rest; that is a rule you must follow, and an audit can check for it. A guideline might recommend enabling multi-factor authentication for sensitive access, but whether and how closely to apply it is left to the organization’s judgement. The other options imply that both are mandatory, or both are discretionary, which doesn’t match how standards and guidelines function in policy and compliance contexts.
