Policy and Procedure Comparison

So let’s just take a little look at a comparison between policy and procedure. For the level of detail, we’ve said that policy is high-level and the procedure is low-level. The policy is a high-level statement of intent and the procedure is the low-level instructions as to how we meet the requirements of the policy. The policies are typically approved at board level by a senior manager within the organization. And procedures are typically approved at a much lower level within each business unit, within each business area. And again, we have that difference in focus there, with the policy addressing the what and the why, trying to generate the buy-in for us, explaining what we must do.

And the procedure looking at who must follow the procedure and how they follow the procedure in order to remain compliant with our identity and access management system requirements. Don’t forget we do need both of these to be in place within any structure to provide effective governance. It’s not enough just to have policies, it’s not enough just to have procedures, we require both for effective governance. Typically, these form part of our wider identity and access management structure. They may form part of a wider information security management system as well.

When we’re looking at our processes, procedures, we need to understand how we include these policies and procedures, how we adopt them, how we change them, how we review them, and how we dispose of them as well. These are no different to any other processes but are important as part of our overall governance. If we don’t review our policies and procedures on a relatively regular basis, then we run the risk of having a set of policies and procedures that no longer meet the needs of the organization. A typical review cycle for policies is annually. And that’s fairly common for policies. Procedures, also annually is common, but depends on the business function.

We may have some business areas, that through regulation or statutory requirements, change annually or every six months or quarterly. So this may change more or less often. It may– change by also be prompted through a change in the organization strategy, through changing the organization structure, or through a change in the organization’s systems and services. If we gain a new ERP system, then our procedures will almost certainly change. Our policies may change.