- There is no absolute difference since there is no absolute definition of these two. Generally, the policy defines certain intention and gives direction, whereas a standard specifies a standardized way of doing something.
Would an organization have a standard and policy co-existing?
- Yes, although a standard is not seen very often - more often you would see a policy and procedures co-existing.
For example, would there be an Asset Management standard and an Asset Management policy coexisting? Or as another example, an Access Control Standard and a Password Policy?
- Yes, this is possible, although more often you would have an Asset Management Policy and then an Asset Management Procedure.
Another dilemma question I have is: is it a good idea for an organization to have a fairly complex ICT Security Policy (with sub-policies within it; for example, this single document would have acceptable use, intranet, shared drive, email usage etc. covered in it)?
- I don't think this is a good idea because it will be very difficult to maintain such a document, and even more difficult for users to read and understand this policy. A much better solution is to have separate policies which describe certain areas - read this article for more explanation: https://advisera.com/27001academy/blog/2010/05/26/information-security-policy-how-detailed-should-it-be/
Because some sub-parts of this policy may not be relevant to the end user, we should take into consideration the question of whether we publish this to an incumbent user to read and sign it, when some sub-parts do not apply to that user.
- When you have separate policies, you send only the relevant policies to users, not all policies; further, it is not mandatory for them to sign them - it is enough that you have some kind of proof that they have received them (e.g. through a Document Management System).
That brings up another question: is it good practice to have two versions of a policy, one for general user use (used at induction and to which the user signs to abide by during the employment period) and another one for high-level use?
- No, redundancy in documentation brings only problems - again, you should create separate documents for certain areas.