What are Policies, Standards, Guidelines and Procedures?
What are Policies, Standards, Guidelines and Procedures?
In order to protect information, businesses need to implement rules and controls around the protection of
information and the systems that store and process this information. This is commonly achieved through the
implementation of information security policies, standards, guidelines and procedures. However, what exactly
are these? This article will explain what information security policies, standards, guidelines and procedures are,
the differences between each and how they fit together to form an information security policy framework.
An information security policy consists of high level statements relating to the protection of information
across the business and should be produced by senior management.
The policy outlines security roles and responsibilities, defines the scope of information to be protected, and
provides a high level description of the controls that must be in place to protect information. In addition, it
should make references to the standards and guidelines that support it. Businesses may have a single
encompassing policy, or several specific policies that target different areas, such as an email policy or
acceptable use policy. From a legal and compliance perspective, an information security policy is often viewed
as a commitment from senior management to protect information. A documented policy is frequently a
requirement to satisfy regulations or laws, such as those relating to privacy and finance. It should be viewed as
a business mandate and must be driven from the top (i.e. senior management) downwards in order to be
Standards consist of specific low level mandatory controls that help enforce and support the information
Standards help to ensure security consistency across the business and usually contain security controls relating
to the implementation of specific technology, hardware or software. For example, a password standard may set
out rules for password complexity and a Windows standard may set out the rules for hardening Windows
Guidelines consist of recommended, non-mandatory controls that help support standards or serve as a
reference when no applicable standard is in place.
Guidelines should be viewed as best practices that are not usually requirements, but are strongly
recommended. They could consist of additional recommended controls that support a standard, or help fill in
the gaps where no specific standard applies. For example, a standard may require passwords to be 8 characters
or more and a supporting guideline may state that it is best practice to also ensure the password expires after
30 days. In another example, a standard may require specific technical controls for accessing the internet
securely and a separate guideline may outline the best practices for using the internet and managing your
Procedures consist of step by step instructions to assist workers in implementing the various policies,
standards and guidelines.
Whilst the policies, standards and guidelines consist of the controls that should be in place, a procedure gets
down to specifics, explaining how to implement these controls in a step by step fashion. For example, a
procedure could be written to explain how to install Windows securely, detailing each step that needs to be
taken to harden/secure the operating system so that it satisfies the applicable policy, standards and guidelines.
The Information Security Policy Framework
Each document listed above has a different target audience within the business and therefore, should never be
combined into one document. Instead there should be several documents that together form the concept of an
information security policy framework. This framework is illustrated in the diagram above, with each level of the
framework supporting the levels above it.
In order to help cement this concept, let’s use an example to illustrate how all of these different framework
pieces fit together.
A policy may state all business information must be adequately protected when being transferred.
A supporting data transfer standard builds upon this, requiring that all sensitive information be
encrypted using a specific encryption type and that all transfers are logged.
A supporting guideline explains the best practices for recording sensitive data transfers and provides
templates for the logging of these transfers.
A procedure provides step by step instructions for performing encrypted data transfers and ensures
compliance with the associated policy, standards and guidelines.
Policies, Standards, Guidelines, Procedures/Processes
Saint Louis University has put in place numerous policies, guidelines, standards, standard operating procedures
(SOPs), and processes to ensure the security of University information and faculty, staff and students' data.
Policies and Standards
IT Documentation Framework Definitions
Policy: A formal, brief, and high-level statement or plan that embraces an organization's general beliefs, goals,
objectives, and acceptable procedures for a specified subject area. Policies always state required actions, and
may include pointers to standards. Policy attributes include the following:
Require compliance (mandatory)
Failure to comply results in disciplinary action
Focus on desired results, not on means of implementation
Further defined by standards and guidelines
Standard: A mandatory action or rule designed to support and conform to a policy.
A standard should make a policy more meaningful and effective.
A standard must include one or more accepted specifications for hardware, software, or behavior.
Guideline: General statements, recommendations, or administrative instructions designed to achieve
the policy's objectives by providing a framework within which to implement procedures.
A guideline can change frequently based on the environment and should be reviewed more frequently
than standards and policies.
A guideline is not mandatory, rather a suggestion of a best practice. Hence "guidelines" and
"best practice" are interchangeable
Procedures: Procedures describe the process: who does what, when they do it, and under what criteria. They
can be text based or outlined in a process map. Represent implementation of Policy.
A series of steps taken to accomplish an end goal.
Procedures define "how" to protect resources and are the mechanisms to enforce policy.
Procedures provide a quick reference in times of crisis.
Procedures help eliminate the problem of a single point of failure.
Also known as a SOP (Standard Operating Procedure)
Work Instructions: Describe how to accomplish a specific job. Visual aids, various forms of job aids, or specific
assembly instructions are examples of work instructions. Work instructions are specific.
Forms and Other Documents: Forms are documentation that is used to create records, checklists, surveys, or
other documentation used in the creation of a product or service. Records are a critical output of any
procedure or work instruction and form the basis of process communication, audit material, and process
TheKey DifferenceBetweena Policy,Process, &Procedure (andWhyitMatters ForYour Business!)
Successful businesses and organizations have systems. Every employee working for a company has a set of
rules to follow as they complete tasks. They may also have instructions that show them exactly how to
complete each task.
While it may seem like there is no difference in this employee system there are actually important differences
that determine the success of your company.
The problem for businesses is they often struggle to define three key elements:
Too often these three items are used interchangeably, but there are key details in each that make them
necessary on their own for a complete working system. In order to effectivelydelegate tasks to others it’s
important to have all three elements.
There is too much confusion surrounding policy, process and procedure. Here are the real definitions. (click to
It’s a common problem for a business to only have one or two of the three items. All three are necessary for
you to complete the task and especially important for delegating tasks.
Also, incorrectly defining each of the three items can cause confusion leading to further inefficiencies, which
cut down on productivity and profitability.
If you find yourself asking the question, “Why aren’t my workers understanding the process and why can’t they
keep up?” you may have an problem with policy, process and procedure.
How to Define and Create Policies, Processes and Procedures
In this article we will define each of the items and show you how to create all three so your business operates
smoothly and you can grow by passing tasks on to others.
Additionally, we will cover the differences between all three so you can see specific situations when each is
applied. This should give you a complete understanding of how to set up all three items for your business.
You’ll be on your way to operating more efficiently, which should lead to even more success.
Overview: Policy, Process and Procedure
Image Credit: KCC Group
Before we get into the details let’s take a step back and look at the big picture of policy, process and
Here are two examples of all three in action.
First, here is an example from the KCC Consultant Group including an image. The situation is a person that is
driving to a new location. In this situation the person goes through the system of driving, but in order to
successful complete the task of reaching the destination they need a policy, process and procedure.
The policy is the list of rules or the framework for the task. In the case of driving the policy is the rules and
regulations for driving.
The process is the outline of how to get to the destination. Imagine the map showing the driver where they are
starting and where they are ending.
Finally, the procedure is the list of exact instructions for every turn the driver needs to take to arrive at the
As you can see in this example the driver should have no problem reaching their destination efficiently. With all
three elements of the task in place they can avoid hindrance.
Another example is common today. Many businesses hire staff specifically to handle social media including
updates and interaction with followers. The task is for the social media manager to post updates to the various
social profiles and respond to messages.
The social media policy gives the manager guidelines and rules to follow when posting updates. One rule in the
policy may inform the manager to avoid responding to obvious spam messages. Another rule may inform the
manager not to post any obscene images.
The social media process is the overview of how social media updates are completed. The process makes it
easy for anyone, including new employees, to see what the task is and how to complete it. The social media
process will delegate certain responsibilities. For example, a blog post may have a writer, a designer (for
graphics) and a manager to share the post on social profiles. Each task within the overall process is listed.
Finally, the procedure gives detailed steps to the manager and others involved for completing the tasks. For
posting on a social media site the procedure will list the URL for the login. The next steps will be to login,
create the post, review it for any potential policy violations and finally hit submit to publish the post to the
Now, let’s go even deeper into each of the three elements of a task or a system.
Image Credit: striatic
Just like in business, Chess has a stated goal, but you have to follow the rules.
Repeatable tasks are essential in any business and organization. These tasks are those that have been tested
and honed over the years so they are efficient and profitable.
However, without guidelines and rules – the policy – there is room for error. When a new person comes on the
team and takes over a task they need to have a policy to follow so they don’t make avoidable mistakes.
Here is an example of the Cisco Social Media Policy. The first rule or policy is that employees must make it clear
that their social media thoughts are their own and not those of Cisco. That’s a common social media policy for
companies today. Another is to make no commitments on behalf of Cisco.
Safeway has an online marketing affiliate program. They have multiple policies for affiliates including a search
marketing policy. One item in the policy agreement is that no affiliates can purchase branded keyword phrases
on search engine advertising engines. No misrepresentation of the brand is allowed.
Google has a policy agreement for Gmail users. Rules include no sending messages in violation of CAN-SPAM,
imitating others and other items that would be considered malicious.
These are a few examples of how companies and organizations use policies to eliminate mistakes and keep
their businesses running efficiently. Policies are essential for many tasks in business. Anytime you have
someone doing something a policy (along with the next two items) can improve your system.
Take Action: Now it’s time for you to make use of this information. These businesses have created policies that
have made their organizations more efficient. The reason for rules and framework is to eliminate mistakes
others have already made. It allows new people on the team to learn faster and get right into the work.
Look at a task in your company that is repeatable and inefficient. Create a policy of rules and guidelines. This is
the first step to eliminating confusion when delegating tasks.
Image Credit: Social Text
The process is the high level view or the map of the task. Remember the road map example. The map is the
process laying out how you will achieve the goal or complete the task. It’s essential to have a process so an
employee or partner can see what is expected and that the task can be accomplished.
D3 Creative has a published email design process. It shows prospective clients how the company creates an
email design, but it’s also a great process to share with designers on the team that will be designing the emails.
You can see that it’s a high level overview of each step from beginning to end.
Here is the process for designing a website published by the University of Texas. It’s another great example of
how processes are high-level maps that show people the beginning and end of the task they are to complete.
Dolcera has a nice layout of its business research process. You can easily see the high level steps. It’s a guide
for how to complete the steps if you are joining the team to work on the task.
Here’s a fun one from McDonald’s. It’s an overview of the process for how to prepare food for commercials.
The video is an example of the process. You can show the video to someone new and they would be able to
see the high level map to preparing food for commercial shoots.
Take Action: Now it’s time to create the process for the task you choose in the previous step. Once you have
the policies in place you need to layout the process or the high level map of how the task will be completed by
the person on your team. If the task calls for multiple people the process will include a map that includes the
timing and transfer of steps. The overview gives everyone involved a clear idea of what will occur.
Image Credit: Robert S. Donovan
The procedure is the step-by-step instructions for how to complete the task. This would be the exact turns a
driver would take as they drive to reach a destination. This is the final step in the policy, process and procedure
Google has a procedure for posting a blog post on Blogger. It includes a step-by-step video that makes it easy
for viewers to follow the steps to complete the task – posting a new blog post.
Here is an example of how to work in MailChimp. It’s a basic procedure, but a great example of how even the
little things in business can be documented and given to your team members to carry out, saving you time for
Here’s another one on how to send a private message on Reddit. Again, it’s a simple procedure, but one that
becomes even easier with documentation of the step-by-step process.
Take Action: Now it’s time to complete the system. Create a complete step-by-step procedure for the task
you’ve been working on up to this point. It’s the final item that will give you everything you need to delegate
work to others.
All Three: Policies, Processes and Procedures
As we said earlier, all three of these items need to be present in order for a system to work. It’s difficult for
anyone to complete a task without having each item. The system eliminates mistakes and makes the operation
Creating effective policies, processes and procedures eliminates mistakes. (click to tweet this)
Google has many different policies, processes and procedures. For example, a common task for people have
today is uploading a video to YouTube. YouTube has a policy for uploading content and participating in the
community. The policy is a set of guidelines and rules to follow when uploading videos. This page is the
process. It’s a general overview or map of how to upload a video. Each of the items listed, like the how to
upload page, are the procedures you need to follow to finish the task.
Another example is Basecamp, the popular co-working software. The Terms of Serviceagreement is the set of
guidelines for using the software. Each task must follow these guidelines. Here is the Projects 101 page. If your
task is to get started with Basecamp you can see the map of that task on the left sidebar. When you’re ready
for the first step, the set of instructions on the right guide you through step-by-step. That’s the process and
Florida State College has a pretty good example of all three items for its social media program. They provide
policies and rules along with an overview of best practices or a high level view of the process for using social
media. There are also exact step-by-step procedures for implementing social media presences on behalf of the
The University of Montana has a complete system for reviewing its programs. There are rules for those that will
review the programs. The main page is an overview of the process and each page has details about completing
Take Action: Complete your system. Finish off the policy, process and procedure. Review it to make sure you
would be able to understand everything. Then pass it along to someone else and see how he or she does.
Create Your Policies, Processes and Procedures Using This Method
Image Credit: ArtNeedleThreadStitches
First, create a policy for the task of your choice. For example, answering email. Let’s say you are a busy person
and you don’t have time to filter your own email. We’ll create a system using the method above.
Your policy will have rules and guidelines for filtering your email inbox. The first rule might be to never send an
email or a response that commits long-term contracts on your behalf. Another rule could be never
misrepresenting oneself for personal gain.
The process is a high level map of how a person will manage your email. It will outline how to take one email as
an example and how to filter it for viewing, for deleting or for response.
Finally, the procedure will document the exact steps to take to filter emails. You’ll include exactly what you
want to have happen for specific types of emails.
Setting up these systems is a lot of work up front, but it can save you a large amount of time in the long run
opening you up to grow your business or to do other more enjoyable things.
In this example, a law firm knew how to gain new customers, but they couldn’t deal with the growth. They
brought in a company to help setup policies, processes and procedures and the company thrived. Average
monthly-billed fees increased 244% in two years. Total hours worked increased 259% showing how well new
team members were able to come on board and operate as the company grew.
As you can see, it’s important to have an understanding of policy, process and procedure.
Once you have this system in place it will be easier to hire the right employees.
Businesses have an issue with scale. In order to scale, every business needs to create systems. These systems
use the policy, process and procedure method because it works.
Identify a task you currently have in your business. Create a policy or a set of rules and guidelines. Outline the
overall process. From there, create the exact steps someone will take to complete the task.
This is how businesses scale and if you want to scale your business it’s time to start creating systems.
Do you need further help creating business systems? Try SweetProcess for FREE. You can document policies,
processes and procedures easily and effectively.
Differentiating between policies, standards, procedures and technical controls
What are the differences among policies, standards, procedures and technical controls?
Policies are long-term, high-level management instructions on how the organization is to be run and generally
are driven by legal concerns (due diligence). Policies reflect an organization's goals, objectives, culture and are
intended for broad audiences. They also are mandatory and are applicable to anyone -- employee, contractor,
temporary, etc. Special approval if the policy is not to be followed (an exception) should be documented. (Yes,
a policy for exceptions is necessary!). Policies drive standards, procedures and technical controls. Example:
Passwords will be used.
Standards define the process or rules to be used to support the policy such as system-design models or
specific software or methodologies. Standards can be directed to a broad audience or limited to specific
groups or individuals (i.e., software developers), are of limited duration and reflect organizational change or
environmental changes. Like policies, standards are mandatory and require special approval if the standard is
not to be followed. Example: Passwords will be constructed of 6-8 alpha-numeric characters.
Procedures are specific instructions (ordered tasks) for performing some function or action. Procedures are of a
somewhat short duration, are mandatory and they reflect organizational change or environmental changes.
Example: To change your password, type your old password, then a front slash and then your new password.
Technical controls are mechanisms used to regulate the operations to meet policy requirements
(countermeasures). Technical controls can be volitile particularly in the distributed environment when hackers
are gracious enough to find holes in technology and point them out to the user community!
Policy vs. Procedure: A Guideline
A campus-wide effort is underway to recast and revitalize the Campus Administrative Manual (CAM) into a
more coherent set of chaptered policy statements organized around the several operational divisions of the
This guideline, "Policy vs. Procedures" has been developed as an aid to those involved in drafting and reviewing
proposed policy statements for inclusion in the new publication known as "Campus Administrative Policies"
(CAP). The emphasis in the CAP is on policy, not procedures.
Policy: The formal guidance needed to coordinate and execute activity throughout the institution. When
effectively deployed, policy statements help focus attention and resources on high priority issues - aligning and
merging efforts to achieve the institutional vision. Policy provides the operational framework within which the
Procedures: The operational processes required to implement institutional policy. Operating practices can be
formal or informal, specific to a department or applicable across the entire institution. If policy is "what" the
institution does operationally, then its procedures are "how" it intends to carry out those operating policy
III. DISTINGUISHING CHARACTERISTICS.
The distinctions commonly drawn between policy and procedures can be subtle, depending upon the nature of
the organization and the level of operations being described in the statements. Nevertheless, there are
common characteristics that can help discern policy from procedures (or the practices used to implement
policy). They are:
Widespread application Narrow application
Changes less frequently Prone to change
Usually expressed in broad terms Often stated in detail
Statements of "what" and/or "why" Statements of "how," "when" and/or sometimes "who"
Answers major operational issue(s) Statements of "how," "when" and/or sometimes "who"
IV. TYPICAL EXAMPLES.
Here are some examples out of CAM to help underscore the distinctions between policy and procedure:
CAM 640 Student Financial Aid: The Financial Aid Office is responsible for the administration and resource
coordination of the university's student financial aid program which covers all scholarships, loans, grants,
fellowships, assistantships, student stipends, and work-study. A standard application called the Student Aid
Application for California is required for most of the financial aid programs. There is also an established filing
period for priority consideration. This period is January 1 through March 1.
Comment: The first sentence represents a clear statement of policy that the FAO has certain responsibilities.
The second sentence relates more to procedures. The third and fourth sentences might be either policy or
procedure depending upon the level of detail needed to fully state the policy.
CAM 341.2 Support Staff Employees: Evaluations for a majority of support staff employees are conducted
after completion of three, six, nine and twelve months of service during the probationary period. Once
permanency is achieved -- usually at the end of one year of probation -- performance evaluations are
completed annually by the supervisor. For administrative/professional employees in some collective bargaining
units, performance evaluations are completed after six, twelve, eighteen, and twenty-four months of service,
and annually thereafter. (See Support Staff Employee Performance Evaluations Forms 138 and 139, available in
the Personnel Office.)
The supervisor will use one of the Support Staff Employee Performance Evaluation Forms to evaluate support
Comment: The first paragraph is policy. The follow-on parenthesis to that paragraph and the second one-
sentence paragraph are more procedure than policy.
CAM 541.4 Policy for Receipting Gifts: The procedures for receipting gifts are contained in the Fund Raising
and Public Affairs Policy and Guidelines. Generally all gifts will be centrally receipted by the University
Development Services Office.
Comment: The section title indicates a policy statement is to follow. But the first sentence is merely a reference to
another document on procedures. The second sentence is a policy statement.
Understanding Policies, Standards, Guidelines, and Procedures
A plethora of documentation exists in the operation of any organization. Management uses this documentation
to specify operating and control details. Consistency would be impossible without putting this information into
Organizations typically have four types of documents in place:
Policies These are high-level documents signed by a person of significant authority (such as a corporate
officer, president, or vice president). The policy is a simple document stating that a particular high-level control
objective is important to the organization's success. Policies may be only one page in length. Policies
require mandatory compliance.
The highest level of people in charge is the officers of upper management. Chief executives, financial
officers, and operating officers are the principal issuers of policies.
Standards These are mid-level documents to ensure uniform application of a policy. After a standard is
approved by management, compliance is mandatory. All standards are used as reference points to ensure
organizational compliance. Testing and audits compare a subject to the standard, with the intention of
certifying a minimum level of uniform compliance.
Public standards include the International Organization for Standardization (ISO), Sarbanes-Oxley, and
most government laws.
Guidelines These are intended to provide advice pertaining to how organizational objectives might be
obtained in the absence of a standard. The purpose is to provide information that would aid in making
decisions about intended goals (should do), beneficial alternatives (could do), and actions that would not
create problems (won't hurt). Guidelines are often discretionary.
Procedures These are "cookbook" recipes for accomplishing specific tasks necessary to meet a standard.
Details are written in step-by-step format from the very beginning to the end. Good procedures include
common troubleshooting steps in case the user encounters a known problem. Compliance with established
procedures is mandatory to ensure consistency and accuracy. On occasion a procedure may be deemed
ineffective. The correct process is to update the ineffective procedure by using the change control process
described later. The purpose of a procedure is to maintain control over the outcome.
Figure 1 illustrates the hierarchy of a policy, standard, guideline, and procedure.
Figure 1: The relationship between a policy, standard, guideline, and procedure
Difference between Guideline, Procedure, Standard and Policy
Jun 11, 2014
Share on LinkedIn
Share on Facebook
Share on Twitter
We come across these terms quite often and we find lot many people using them in a wrong way. Guideline is
simply to give an overview of how to perform a task. Procedure tells us step by step what to do while standard
is the lowest level control that can not be changed. Policy is a high level statement uniform across organization.
Let’s explore these terms individually and develop a better understanding:
A piece of advice on how to act in a given situation
Recommended but Non Mandatory Control
Example: Employment Discrimination Guidelines, Screening Guideline
Extras: ‘Guide’ + ’Lines’ meaning Instructions for guiding purposes only
A series of detailed steps to accomplish an end
Step by step instructions for implementation
Example: Standard Operating Procedures (SOP’s), A Medical Procedure
Extras: derived from ‘Process’; it’s an established way of doing something
Acceptable level of quality or attainment
Quantifiable Low Level Mandatory Controls
Example: Standard of Living, Standard Size
Extras: ‘Yardstick’; we don’t make or write standards, we follow them
Recommended High Level Statement protecting information across business
Business rules for fair and consistent staff treatment and ensure compliance
Example: Dress Code Policy, Sick Leave Policy, Email and Internet Policy
Extras: ‘Police’; ensure discipline and compliance