What is the difference between policy and procedure?

While cybersecurity policies and procedures are designed to work together, there are differences that matter. Organizations use policies to communicate “what” and “why” by defining security goals and values, while procedures provide individual contributors with a step-by-step set of instructions describing “how” to implement a policy. 

Procedures are a documented set of steps necessary to perform a specific task or process in conformance with an applicable standard. Procedures address the question of how the organization actually operationalizes a policy, standard or control. Without documented procedures, there can be no defensible evidence of due care practices.

Procedures are generally the responsibility of the process owner / asset custodian to build and maintain, but they are expected to include stakeholder oversight to ensure applicable compliance requirements are addressed. The result of a procedure is intended to satisfy a specific control. Procedures are also commonly referred to as “control activities.”

Other differences between policies and procedures include: 

  • Purpose: Policies set the direction and rules, while procedures provide implementation guidance. 
  • Detail: Policies are concise and general, while procedures are detailed and technology-specific.
  • Audience: Policies are for all personnel to understand expectations, while procedures are targeted at those individual contributors performing tasks. 
  • Flexibility: Policies tend to be stable, while procedures may change more frequently as technologies and business practices evolve. 

ComplianceForge emphasizes that clear distinctions and alignment between policies and procedures are crucial to avoid confusion, ensure accountability and facilitate audits or compliance reviews.