Expert Advice Community

Guest

Policy vs. standard

  Quote
Guest
Guest user Created:   Jan 12, 2016 Last commented:   Jan 12, 2016

Policy vs. standard

What is the absolute difference between a policy and a standard?
0 0

Assign topic to the user

Assign

ISO 27001 FOUNDATIONS COURSE

Everything you need to know about ISO 27001.

ISO 27001 FOUNDATIONS COURSE

Everything you need to know about ISO 27001.

Guest
DejanK Jan 12, 2016
- There is no absolute difference since there is no absolute definition of these two. Generally, the policy defines certain intention and gives direction, whereas a standard specifies a standardized way of doing something.

Would an organization have a standard and policy co-existing?
- Yes, although a standard is not very often - more often you would see a policy and procedures co-existing.

For example, would there be an Asset Management standard and an Asset Management policy coexisting? Or as another example, an Access Control Standard and a Password Policy?
- Yes, this is possible, although more often you would have Asset Management Policy and then Asset Management Procedure.

Another dilemma question I have is – is it a good idea for an organization to have fairly complex ICT Security Policy (with sub-policies within in, for example, this single document would have acceptable us e, intranet, shared drive, email usage etc covered in it).
- I don't think this is a good idea because it will be very difficult to maintain such a document, and even more difficult for users to read and understand this policy. Much better solution is to have separate policies which describe certain areas - read this article for more explanation: https://advisera.com/27001academy/blog/2010/05/26/information-security-policy-how-detailed-should-it-be/
Because some subparts of this policy may not be relevant to the end user and hence we should take into consideration the question – do we publish this to an incumbent user to read it and sign it, when we some sub-parts do not apply to the user.
- When you have separate policies, you send only relevant policies to users, not all policies; further, it is not mandatory for them to sign them - it is enough you have some kind of a proof they have received them (e.g. through Document Management System)

That brings another question up, is it good practice to have two versions of a policy – one for general user use (used @ induction and to which the user signs to abide by during the employment period) and another one for high-level use?
- No, redundancy in documentation brings only problems - again, you should create separate documents for certain areas.
Quote
0 0
Guest
Guest post Jan 12, 2016
Thanks, Dejan!
Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Jan 12, 2016

Jan 12, 2016