A “standard procedure” is a misnomer, since a standard is distinctly different from a procedure.
In the context of good cybersecurity documentation, the components are hierarchical: each builds on the one above it, forming a governance structure that manages requirements in an integrated way. Well-designed documentation generally comprises six (6) main parts:
Standards are mandatory requirements regarding processes, actions and configurations that are designed to satisfy Control Objectives. Standards are intended to be granular and prescriptive to ensure systems, applications and processes are designed and operated to include appropriate cybersecurity and privacy protections.
Procedures are a documented set of steps necessary to perform a specific task or process in conformance to an applicable standard. Procedures help address the question of how the organization actually operationalizes a policy, standard or control. Without documented procedures, there may be insufficient defensible evidence of due care practices. Procedures are generally the responsibility of the process owner / asset custodian to build and maintain but are expected to include stakeholder oversight to ensure applicable compliance requirements are addressed. The result of a procedure is intended to satisfy a specific control. Procedures are also commonly referred to as “control activities.”
While policies set the “what” and standards define “what level or criteria,” procedures explain the “how.” For example, a security policy might mandate that all employees use strong passwords, a standard might specify minimum password complexity and the procedure would describe how users create, change and securely manage those passwords.