How to Create a Policy and Procedure Document?

Creating a “policy and procedure document” is a misnomer, since there is no justifiable reason to have policies and procedures combined into a single document.

  • Policies are meant to be centrally managed by the cybersecurity team, where policies are generally static and rarely change; and
  • Procedures are meant to be decentralized and managed at the department/team level, where procedures are expected to change with changes in technologies, staffing and evolving business processes.

Policies and Procedures are distinct but interrelated components of a cybersecurity governance structure. One component of this structure that is often overlooked, or folded into the concept of “policies,” is Standards:

  • Policies: High-level statements of management intent and expectations. Policies outline the objectives that must be achieved and the underlying reason why. Policies are typically mandated by executive leadership and influenced by regulations;
  • Standards: Measurable, granular requirements that support policies and compliance obligations (e.g., requiring "passwords be at least 12 characters, changed every 90 days"); and
  • Procedures: Individual contributor-level instructions on how to conduct a series of actions (e.g., how to patch a server). Procedures operationalize both policies and standards, and they instruct daily tasks.

In summary, the governance hierarchy flows from Policy (what/why) to Standards (what/how specifics) to Procedures (step-by-step how-to).