Policies and Procedures
Policies and Procedures are distinct but interrelated components of a cybersecurity governance structure. One component of this structure that is often overlooked, or folded into the concept of “policies,” is Standards:
- Policies: High-level statements of management intent and expectations. Policies outline the objectives that must be achieved and the underlying reasons why. Policies are typically mandated by executive leadership and influenced by regulations.
- Standards: Measurable, granular requirements that support policies and compliance obligations (e.g., requiring "passwords be at least 12 characters, changed every 90 days").
- Procedures: Individual contributor-level instructions on how to carry out a series of actions (e.g., how to patch a server). Procedures operationalize both policies and standards and direct day-to-day tasks.
In summary, the governance hierarchy flows from Policy (what/why) to Standards (what/how specifics) to Procedures (step-by-step how-to).