As a Technical Writer, I have written many policies, processes, strategies, standards and related documents. These documents outline how a business operates and provide help when a team member requires a reference.
I worked on a project where the PM insisted a document contained a process. When I said it was a strategy, he threw a hissy fit. He insisted and had no intention of listening. He is not the first who thought they knew better. In the meantime, steam billows from my ears while the consultant continues to spout opinions on the various documents.
For the uninitiated, here is my explanation of the difference between Policies, Standards, Procedures and related documents.
A policy sets out an agreed management position, which might refer to IT Security and Risks. However, it will not give any direction on how to execute this vision or strategy.
A set of policies comprises the principles, rules, and guidelines an organisation plans or adopts to reach its long-term goals. Management signs policies and publishes them in the Company’s preferred medium.
- Policies are written to influence and determine major decisions.
- Processes and procedures are the specific methods used to express policies in action in daily operations.
What is a Process?
It is a task, a procedure – it is NOT a Plan.
The ISO definition of a process is:
A process is a set of inter-related activities that turn inputs into outputs.
You MUST learn the process, know WHY you need it, and perform the process end-to-end.
- A Process is a high-level description of a series of inter-related tasks covering an entire business.
- It is an internal, ongoing process updated annually, as policy guidelines serve as a crucial guide for employees and managers.
A procedure contains more detail than a process but less detail than a work instruction. It tells users HOW to perform sequential tasks to achieve a specific outcome.
Participants will complete a procedure from start to finish in one continuous time frame (no significant delays between steps).
Work Instructions (WI)
A WI contains a detailed description of a task. Its sole purpose is to explain how to do a specific task step by step.
IT IS NOT a Process
- Organisations have Management Plans which outline WHAT you are going to do; they do not explain HOW you will perform a task.
- The Plan determines how to allocate resources and provides backup plans if resources are not available at a crucial time.
- The Plan document outlines the components to show how a process will work.
- A plan is how you will move from A to B and should support your strategy by providing a method to reach B containing an acceptable balance of risk and reward.
What is strategy?
A strategy document explains how an organisation will move from point A to point B.
- How will you get there?
- Issues, problems
- Solutions and tools to get you to point B
A strategy solves the move from A to B, considering any unforeseen issues and problems that may occur to slow your journey to B.
Your strategy is WHAT you want to do.
Understanding the difference between a strategy and a plan allows you to make sound strategic planning decisions that separate the two.
What is a standard?
Standards are mandatory actions or rules that give formal policies support and direction. Writing standards requires a company-wide consensus on what standards must be in place. It can be a time-consuming process, but it is vital to the success of your information security program.
- They are written to show expected user behaviour—for example, a consistent company email signature.
- They might specify what hardware and software solutions are available and supported.
- They are compulsory and must be enforced to be effective. (This also applies to policies!)