The difference between Policies, Standards, Procedures and Strategies

Over the years I have written many policies, processes, strategies, standards and related documents. These documents outline how a business operates and help when a team member requires a reference. So, to answer a question: what is the difference between policies, standards, procedures and strategies?

The agony point for me is when a professional consultant does not know the differences between the document types, refers to one as another, and cannot grasp the function of a specific document. In the meantime, steam billows from my ears while the consultant continues to spout opinions on the various documents.

For the uninitiated, here is my explanation of the difference between Policies, Standards, Procedures, Strategies and related documents.

What is a Policy document?

A policy sets out an agreed management position, which might cover IT Security and Risk. However, it will not give any direction on how to execute this vision or strategy.

A set of policies is the principles, rules and guidelines formulated or adopted by a Business to reach its long-term goals. Policies are signed off by management and published in the Company's preferred medium.

Policies are written to influence and determine major decisions.

Processes and Procedures are the specific methods used to put policies into action in the daily operations of the Business.

What is a Process

It is a task, a procedure – it is NOT a Plan.

The ISO definition of a process is:

'A process is a set of inter-related activities that turn inputs into outputs.'

You MUST learn the process: know WHY you need it and HOW to perform the process end-to-end.

  • A process is a high-level description of a series of inter-related tasks covering an entire business.
  • It is an internal, ongoing process that must be updated as per Policy guidelines.
  • It serves as a crucial guide for employees and managers.

Procedure

A procedure contains more detail than a process but less detail than a work instruction. It tells users HOW to perform a series of sequential tasks to achieve a specific outcome.

Participants will complete a procedure from start to finish in one continuous time frame (no significant delays between steps).

Work Instructions (WI)

A WI contains a detailed description of a task. Its sole purpose is to explain step by step how to do a specific task.

Plan

It IS NOT a Process.

      • Organisations have Management Plans which outline WHAT you are going to do; they do not explain HOW you will perform a task.
      • The Plan determines precisely how resources are to be allocated and provides backup plans if resources are not available at a crucial time.
      • The Plan document outlines what components must be included to demonstrate HOW a process will work.
      • A plan is how you will move from A to B. It should support your strategy by providing a method to reach B with an acceptable balance of risk and reward.

What is strategy?

A strategy document explains the strategy: how an organisation will move from point A to point B.

      1. How will you get there?
      2. Issues, problems
      3. Solutions and tools to get you to point B

A strategy is a solution to move from A to B taking into account any unforeseen issues and problems that may occur to slow your journey to B.

Your strategy is WHAT you want to do.

Understanding the difference between a strategy and a plan allows you to make useful strategic planning decisions that separate the two.

What is a Standard?

Standards are mandatory actions or rules that give formal policies support and direction. One of the more difficult parts of writing standards is getting a company-wide consensus on what standards need to be in place. This can be a time-consuming process but is vital to the success of your information security program.

      • Standards are used to indicate expected user behaviour. For example, a consistent company email signature.
      • They might specify what hardware and software solutions are available and supported.
      • They are compulsory and must be enforced to be effective. (This also applies to policies!)