Expert Advice Community

Policy vs. standard

Guest user Created:   Jan 12, 2016 Last commented:   Jan 12, 2016

What is the absolute difference between a policy and a standard?

DejanK Jan 12, 2016

- There is no absolute difference, since there is no absolute definition of these two. Generally, a policy defines a certain intention and gives direction, whereas a standard specifies a standardized way of doing something.

Would an organization have a standard and policy co-existing?
- Yes, although a standard is not seen very often - more often you would see a policy and procedures co-existing.

For example, would there be an Asset Management standard and an Asset Management policy coexisting? Or as another example, an Access Control Standard and a Password Policy?
- Yes, this is possible, although more often you would have Asset Management Policy and then Asset Management Procedure.

Another dilemma question I have is – is it a good idea for an organization to have a fairly complex ICT Security Policy (with sub-policies within it; for example, this single document would have acceptable use, intranet, shared drive, email usage etc. covered in it)?
- I don't think this is a good idea because it will be very difficult to maintain such a document, and even more difficult for users to read and understand this policy. A much better solution is to have separate policies which describe certain areas - read this article for more explanation: https://advisera.com/27001academy/blog/2010/05/26/information-security-policy-how-detailed-should-it-be/
Because some subparts of this policy may not be relevant to the end user, we should take into consideration the question – do we publish this to an incumbent user to read it and sign it, when some sub-parts do not apply to the user?
- When you have separate policies, you send only the relevant policies to users, not all policies; further, it is not mandatory for them to sign them - it is enough that you have some kind of proof they have received them (e.g. through a Document Management System).

That brings another question up, is it good practice to have two versions of a policy – one for general user use (used @ induction and to which the user signs to abide by during the employment period) and another one for high-level use?
- No, redundancy in documentation brings only problems - again, you should create separate documents for certain areas.

Guest post Jan 12, 2016

Thanks, Dejan!
