Policies vs Procedures
Documentation rules the compliance world! If it is not documented, then it is not happening!
Companies need policies, procedures, and standards to control and mitigate risk effectively. The three terms are often used interchangeably, but they are distinct documents with different purposes. In this article, we cover the differences between them.
Policies
Policies are the rules to be followed and serve as the foundation. A policy is a high-level statement that defines "what" must happen, not how. Policies should be formally reviewed and approved at least once a year, which is the cadence most auditors expect.
For example, a policy can say: We must conduct a risk assessment every year to effectively prevent and mitigate risks.
Procedures and/or Standards
Procedures are living documents, updated whenever the underlying process changes. A procedure expands on the policy and explains "how" the "what" gets done: it names who is expected to do it, when, and the steps they follow. The procedure should have clear step-by-step instructions so that anyone on the team can repeat it consistently.
From the risk assessment policy, the procedure adds details on who performs the risk assessment, when it is performed, and how often it is performed.
Standards expand further on the procedures and specify the mechanisms, tools, or methods used to carry out the "what". The risk assessment standard, for example, states where the risk assessment is stored and which tool is used to perform it (whether that is an Excel spreadsheet or a GRC tool such as TrustCloud).
- Policies are the rules and establish the "what"
- Procedures and standards provide the "how" to do what the rules require