Expert Advice Community

Policies, procedures and guidelines

Guest user Created: Jul 27, 2018 Last commented: Jul 27, 2018
1 - There is a debate on ISMS Security Policy, Security Policy & System-Specific Security Policy.

Expert
Rhand Leal Jul 27, 2018

What are the differences and similarities between these?

Answer: The main difference between them would be the issues covered. A "Security Policy" deals with security in general, covering multiple subtopics (e.g., physical security, logical security, financial security, etc.). An ISMS Security Policy deals with information security (e.g., protection of information confidentiality, integrity, availability, etc.) in the context of an Information Security Management System (for ISO 27001 this policy is known as the Information Security Policy). A System-Specific Security Policy deals with security considering the specific needs of the targeted system.

Regarding similarities, all of them have the purpose of defining the rules and behaviors, regarding security, that users are expected to follow. Their framework would also be the same (e.g., scope, references, rules, responsibilities, etc.).

It is important to understand that for ISO 27001, only the Information Security Policy is mandatory. Other policies may be needed as a result of risk assessment or legal requirements.

These articles will provide you more information:
- 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
- One Information Security Policy, or several policies? https://advisera.com/27001academy/blog/2013/06/18/one-information-security-policy-or-several-policies/

2 - What about Manual & Procedures – where do these documents come in?

Answer: A procedure describes how a specific activity must be performed, while a manual is a set of policies and procedures. ISO 27001 does not require documented procedures (only when specific controls are identified as applicable as a result of risk assessment), and we do not recommend the use of manuals, because generally they become too big and impractical to read or use.

This article will provide you more information:
- Is the ISO 27001 Manual really necessary? https://advisera.com/27001academy/blog/2014/02/03/is-the-iso-27001-manual-really-necessary/

3 - What about guidelines & standards?

Answer: Guidelines are orientations about how a specific activity should be performed, without the mandatory aspect of a procedure (they can be followed or not). Standards are references that must be followed regarding how a specific activity must be performed (for some organizations they are the same as procedures).

This article will provide you more information (although it is ISO 9001 related, its concepts can also be applied to ISO 27001):
- How to structure quality management system documentation https://advisera.com/9001academy/knowledgebase/how-to-structure-quality-management-system-documentation/
