The terms "policy," "procedure," and "standard" get used interchangeably, but they serve distinct purposes within an organization. Understanding these differences clarifies expectations and improves how security documentation gets written and followed.
Policies: The Guiding Principles
Think of policies as the "why" behind what you do at work. They establish the overall goals and core values that guide an organization's actions. Policies are high-level statements that set the direction and provide a framework for decision-making. For example, a company policy might state a commitment to diversity and inclusion, environmental sustainability, or customer satisfaction.
TL;DR: Policies: What needs to be done and why.
Procedures: The Step-by-Step Guide
Procedures are the "how-to" manuals that translate policies into action. They provide detailed instructions on completing specific tasks or processes per the organization's policies. Procedures ensure consistency and efficiency by outlining the expected steps involved. Imagine a procedure for handling customer complaints or processing expense reports. These procedures detail the specific actions employees should take at each stage.
TL;DR: Procedures: Steps on how to do things.
Standards: The Benchmark for Quality
Standards define the "what" - the specific criteria or benchmarks that must be met. They establish the level of quality or performance that is expected. Standards can apply to many areas, from product development and safety protocols to communication styles and data formatting. For instance, a company might have a dress code standard or a quality standard for manufactured goods.
TL;DR: Standards: Specific criteria that must be met.
An Analogy to Help You Remember
Imagine building a house. The policy is your overall vision - a comfortable and energy-efficient home. The standards are the specific building codes and material specifications you must follow. Finally, the procedures are the detailed construction plans outlining how to frame the walls, install the wiring, etc.
How They Work Together
Policies, procedures, and standards form a hierarchy:
- Policy establishes the commitment (what and why)
- Standard defines the measurable requirements (what specifically)
- Procedure provides the implementation steps (how)
For example:
- Policy: "Customer data must be encrypted"
- Standard: "AES-256 encryption for data at rest, TLS 1.3 for data in transit"
- Procedure: "Step-by-step guide for configuring encryption on databases and APIs"
When building your GRC documentation, ensure all three layers exist and align. A policy without supporting procedures is aspirational. Procedures without a policy lack authority.
Need help building your policy framework? Our GRC Advisory services include policy development and documentation. Let's talk.
