Policy and Procedure Comparison

In this video, you will learn about the differences and dependencies between policies and procedures.
So let’s just take a little look at a comparison between policy and procedure. For the level of detail, we’ve said that policy is high-level and the procedure is low-level. The policy is a high-level statement of intent and the procedure is the low-level instructions as to how we meet the requirements of the policy. The policies are typically approved at board level by a senior manager within the organization. And procedures are typically approved at a much lower level within each business unit, within each business area. And again, we have that difference in focus there, with the policy addressing the what and the why, trying to generate the buy-in for us, explaining what we must do.
And the procedure looking at who must follow the procedure and how they follow the procedure in order to remain compliant with our identity and access management system requirements. Don’t forget we do need both of these to be in place within any structure to provide effective governance. It’s not enough just to have policies, it’s not enough just to have procedures, we require both for effective governance. Typically, these form part of our wider identity and access management structure. They may form part of a wider information security management system as well.
When we’re looking at our processes, procedures, we need to understand how we include these policies and procedures, how we adopt them, how we change them, how we review them, and how we dispose of them as well. These are no different to any other processes but are important as part of our overall governance. If we don’t review our policies and procedures on a relatively regular basis, then we run the risk of having a set of policies and procedures that no longer meet the needs of the organization. A typical review cycle for policies is annually. And that’s fairly common for policies. Procedures, also annually is common, but depends on the business function.
We may have some business areas, that through regulation or statutory requirements, change annually or every six months or quarterly. So this may change more or less often. Change may also be prompted through a change in the organization’s strategy, through changing the organization’s structure, or through a change in the organization’s systems and services. If we gain a new ERP system, then our procedures will almost certainly change. Our policies may change.

These differences are important to know as they each require different information and result in different outputs necessary for successful IdAM.

Reflect and share: Can you share an instance where a change in procedure has resulted in a change in policy? This can be an example that you have experienced or one that you have learned about. Share in the comments below.

This article is from the free online course Cyber Security Foundations: Identity and Access Management, created by FutureLearn.