Policies vs Procedures

Overview

Policies vs Procedures vs Standards talks about the detailed difference between these three.

Organizations need policies, procedures, and standards to control and mitigate risks effectively. The terms policies, procedures, and standards are often used interchangeably, though they are entirely different and have different purposes. In this article, you will learn more about the differences between these terms.

Policy

Policies are the rules and laws to be followed and serve as the foundation. A policy is a high-level statement document that defines “what” must happen. Policies must be formally reviewed and approved at least once a year.

For example, a policy can say, We must conduct a risk assessment every year to effectively prevent and mitigate risks.

Procedures and/or Standards

Procedures are living documents that are updated constantly. The procedure expands on the policy and provides details on “how” and “what” must happen. The procedure goes into detail to define who is expected to do what must happen and how they should proceed to get it done. The procedure should have clear step-by-step instructions to make it easy to replicate.

From the risk assessment policy, the procedure adds details on who performs the risk assessment, when it is performed, and how often it is performed.

The standards expand further on the procedures and provide details on the mechanisms, tools, or methods used to perform what must happen. The risk assessment standard reveals the location of the risk assessment and the tool used to perform the assessment (whether it’s Excel or a GRC tool like TrustCloud).

Summary

To recap:

• Policies are the laws and rules that establish what is expected.
• Procedures and/or standards provide the “how” to do what the law says.