What are Policies, Standards, Guidelines and Procedures?

The Information Security Policy FrameworkWhat are Policies, Standards, Guidelines and Procedures?


In order to protect information, businesses need to implement rules and controls around the protection of information and the systems that store and process this information. This is commonly achieved through the implementation of information security policies, standards, guidelines and procedures. However, what exactly are these? This article will explain what information security policies, standards, guidelines and procedures are, the differences between each and how they fit together to form an information security policy framework.







An information security policy consists of high level statements relating to the protection of information across the business and should be produced by senior management.


The policy outlines security roles and responsibilities, defines the scope of information to be protected, and provides a high level description of the controls that must be in place to protect information. In addition, it should make references to the standards and guidelines that support it. Businesses may have a single encompassing policy, or several specific policies that target different areas, such as an email policy or acceptable use policy. From a legal and compliance perspective, an information security policy is often viewed as a commitment from senior management to protect information. A documented policy is frequently a requirement to satisfy regulations or laws, such as those relating to privacy and finance. It should be viewed as a business mandate and must be driven from the top (i.e. senior management) downwards in order to be effective.




Standards consist of specific low level mandatory controls that help enforce and support the information security policy.


Standards help to ensure security consistency across the business and usually contain security controls relating to the implementation of specific technology, hardware or software. For example, a password standard may set out rules for password complexity and a Windows standard may set out the rules for hardening Windows clients.




Guidelines consist of recommended, non-mandatory controls that help support standards or serve as a reference when no applicable standard is in place.  


Guidelines should be viewed as best practices that are not usually requirements, but are strongly recommended. They could consist of additional recommended controls that support a standard, or help fill in the gaps where no specific standard applies. For example, a standard may require passwords to be 8 characters or more and a supporting guideline may state that it is best practice to also ensure the password expires after 30 days. In another example, a standard may require specific technical controls for accessing the internet securely and a separate guideline may outline the best practices for using the internet and managing your online presence.




Procedures consist of step by step instructions to assist workers in implementing the various policies, standards and guidelines.


Whilst the policies, standards and guidelines consist of the controls that should be in place, a procedure gets down to specifics, explaining how to implement these controls in a step by step fashion. For example, a procedure could be written to explain how to install Windows securely, detailing each step that needs to be taken to harden/secure the operating system so that it satisfies the applicable policy, standards and guidelines.


The Information Security Policy Framework

Each document listed above has a different target audience within the business and therefore, should never be combined into one document. Instead there should be several documents, that together form the concept of an information security policy framework. This framework is illustrated in the diagram above, with each level of the framework supporting the levels above it.

In order to help cement this concept, let’s use an example to illustrate how all of these different framework pieces fit together.

  • A policy may state all business information must be adequately protected when being transferred.
  • A supporting data transfer standard builds upon this, requiring that all sensitive information be encrypted using a specific encryption type and that all transfers are logged.
  • A supporting guideline explains the best practices for recording sensitive data transfers and provides templates for the logging of these transfers.
  • A procedure provides step by step instructions for performing encrypted data transfers and ensures compliance with the associated policy, standards and guidelines.


Tagged as: , , , , ,

Leave a Response