
Policy and Procedure Comparison

In this video, you will learn about the differences and dependencies between policies and procedures.
So let’s just take a little look at a comparison between policy and procedure. For the level of detail, we’ve said that policy is high-level and the procedure is low-level. The policy is a high-level statement of intent and the procedure is the low-level instructions as to how we meet the requirements of the policy. The policies are typically approved at board level by a senior manager within the organization. And procedures are typically approved at a much lower level within each business unit, within each business area. And again, we have that difference in focus there, with the policy addressing the what and the why, trying to generate the buy-in for us, explaining what we must do.
And the procedure looking at who must follow the procedure and how they follow the procedure in order to remain compliant with our identity and access management system requirements. Don’t forget we do need both of these to be in place within any structure to provide effective governance. It’s not enough just to have policies, it’s not enough just to have procedures, we require both for effective governance. Typically, these form part of our wider identity and access management structure. They may form part of a wider information security management system as well.
When we’re looking at our processes, procedures, we need to understand how we include these policies and procedures, how we adopt them, how we change them, how we review them, and how we dispose of them as well. These are no different to any other processes but are important as part of our overall governance. If we don’t review our policies and procedures on a relatively regular basis, then we run the risk of having a set of policies and procedures that no longer meet the needs of the organization. A typical review cycle for policies is annually. And that’s fairly common for policies. Procedures, also annually is common, but depends on the business function.
We may have some business areas that, through regulation or statutory requirements, change annually or every six months or quarterly. So this may change more or less often. Change may also be prompted through a change in the organization’s strategy, through changing the organization’s structure, or through a change in the organization’s systems and services. If we gain a new ERP system, then our procedures will almost certainly change. Our policies may change.

The differences between policies and procedures are important to know, as each requires different information and results in different outputs necessary for successful IdAM.

Reflect and share: Can you share an instance where a change in procedure has resulted in a change in policy? This can be an example that you have experienced or one that you have learned about. Share in the comments below.

This article is from the free online course Cyber Security Foundations: Identity and Access Management

Created by
FutureLearn - Learning For Life
