What is standard procedure?
A “standard procedure” is a misnomer, since a standard is distinctly different from a procedure. In the context of good cybersecurity documentation, the components are hierarchical and build on each other to form a strong governance structure that takes an integrated approach to managing requirements. Well-designed documentation is generally composed of six (6) main parts:
- Policies establish management’s intent;
- Control Objectives identify leading practices (mapped to requirements from laws, regulations and frameworks);
- Standards provide quantifiable requirements;
- Controls identify desired conditions that are expected to be met (requirements from laws, regulations and frameworks);
- Procedures / Control Activities establish how tasks are performed to meet the requirements established in standards and to meet controls; and
- Guidelines are recommended, but not mandatory.
Standards are mandatory requirements regarding processes, actions and configurations that are designed to satisfy Control Objectives. Standards are intended to be granular and prescriptive to ensure systems, applications and processes are designed and operated to include appropriate cybersecurity and privacy protections.
Procedures are a documented set of steps necessary to perform a specific task or process in conformance with an applicable standard. Procedures help answer the question of how the organization actually operationalizes a policy, standard or control. Without documented procedures, there can be no defensible evidence of due care practices. Procedures are generally the responsibility of the process owner / asset custodian to build and maintain, but they are expected to include stakeholder oversight to ensure applicable compliance requirements are addressed. The result of a procedure is intended to satisfy a specific control. Procedures are also commonly referred to as “control activities.”
While policies set the “what” and standards define “what level or criteria,” procedures explain the “how.” For example, a security policy might mandate that all employees use strong passwords, a standard might specify minimum password complexity, and the procedure would describe how users create, change and securely manage those passwords.