Relationship between policy and standard
Forum: Information Assurance, Governance, Risk and Compliance


This topic contains 16 replies, has 10 voices, and was last updated by  davidmmorris 2 years, 6 months ago.



    Which answer will you choose?

    What is the relationship between policies and standards?

    a) Policies detail what should be done, and the standards detail how
    b) Policies describe the security vision, and standards detail what should be done.

    I selected “b” as well, but McGraw Hill says “a”. It cannot be “a”.



    Actually I’d go A. But then I see there being a third level of ‘procedures’ which is where the detailed ‘how’ would sit. As an example you might have a Policy statement that all users must be authenticated and access must be authorised. You may have Standards that describe the valid types of authentication and methods of authorisation, but for day to day operations you need a procedure which sets out how an Active Directory will be set up and managed.



    Both of those answers seem a bit off, but A is closest to what I would say “right” is. Instead of “standard,” I would say “standard operating procedure” would be the proper term that says how something should be implemented. I guess, technically, if you think of a standard, like EIA/TIA 568B, which is a standard for your regular straight-through patch cable, then yes, a standard does indeed specify how something should be done.



    Policy: A formal, brief, and high-level statement or plan that embraces an organization’s general beliefs, goals, objectives, and acceptable procedures for a specified subject area. Policies always state required actions, and may include pointers to standards. Policy attributes include the following:

    Require compliance (mandatory)
    Failure to comply results in disciplinary action
    Focus on desired results, not on means of implementation
    Further defined by standards and guidelines

    Standard: A mandatory action or rule designed to support and conform to a policy.

    A standard should make a policy more meaningful and effective.
    A standard must include one or more accepted specifications for hardware, software, or behavior.

    Guideline: General statements, recommendations, or administrative instructions designed to achieve the policy’s objectives by providing a framework within which to implement procedures.

    A guideline can change frequently based on the environment and should be reviewed more frequently than standards and policies.
    A guideline is not mandatory, rather a suggestion of a best practice. Hence “guidelines” and “best practice” are interchangeable.

    Procedures: Procedures describe the process: who does what, when they do it, and under what criteria. They can be text based or outlined in a process map. They represent the implementation of policy.

    A series of steps taken to accomplish an end goal.
    Procedures define “how” to protect resources and are the mechanisms to enforce policy.
    Procedures provide a quick reference in times of crisis.
    Procedures help eliminate the problem of a single point of failure.
    Also known as a SOP (Standard Operating Procedure)


    Apáti László

    Can you please list some general top-level policies here?
    Should they be like these?
    “ensure that information is accessible only to those authorised to have access”
    “define an information classification scheme describing classes and how information of a particular class should be managed (stored, accessed, transmitted, shared, and disposed of)”

    Do the procedures then have to be derived from these?



    Guys, I have a question. Let’s take ISO 27001 for instance as the example of a “standard”. It is indeed an international standard. Does it detail “how” to implement an ISMS or “what” should be done to implement an ISMS? I say it’s “what”. The “how” is specified by ISO 27002, which is not a standard, rather a guideline. In that case, wouldn’t “a” be incorrect?


    Apáti László

    “How” is always contextual, and rapidly changing as technology develops.



    Didn’t understand. Pray elucidate.


    Apáti László

    A nice example on a defined topic (i.e. backup, virus protection, anything) would be enlightening to me.
    What is a top-level policy, a policy, a procedure, a standard and a guideline, considering one topic like those above?

    In my mind (correct me, only guessing more or less here!) on backup:
    – business requirement: the continuous business flow
    – top level policy: “we have to ensure that company data is available all the time”
    – a policy, derived from top level policy: “we need to backup company data fulfilling the business request”
    – a procedure for a policy “define data to backup; define RTO and RPO; set up scheduled backup, etc.”
    – a standard “for backup we need to have a daily rotation of tapes, keep the last 10 Sundays’ full backups; need to store a copy off-site, etc.”
    – a guideline “Make sure your off-site storage facility meets the environmental storage requirements for archive noted above”

    I’m really not sure here, please help me sort this out! Maybe on another topic as well!


    Apáti László

    Or is the standard the actual way the company handles backup? (software, settings, etc.?)


    Apáti László

    This topic seems to be dead… 🙁




    An information security policy consists of high level statements relating to the protection of information across the business and should be produced by senior management.


    Standards consist of specific low level mandatory controls that help enforce and support the information security policy.



    thank you for the great input



    B, but it is not as simplistic as that though.
