Processes help maintain consistency and alignment with organizational objectives, while procedures ensure repeatability, compliance and quality control in daily operations.
- Process. A process is a high-level, end-to-end set of activities or steps designed to achieve a specific business or operational goal:
- Processes define what needs to happen;
- A process defines what needs to be done and often spans multiple functions or departments;
- Processes are usually described in broader terms and focus on inputs, outputs, roles and overall flow;
- For example, incident response processes will outline generalities on how an organization detects, analyzes, responds to and recovers from cybersecurity incidents.
- Procedure. A procedure is a detailed, step-by-step set of instructions that explain how to perform a specific task or part of a process:
- Procedures define how it is done;
- Procedures are much more granular and prescriptive, providing exact guidance to individuals on completing tasks correctly and consistently; and
- For example, an Incident Response Plan (IRP) contains procedures on how to collect forensic evidence or communicate with stakeholders during an incident.
