We have a question around the policies vs procedures.
Example: In the template ”Security Procedures for IT-department” under Change Management procedures, you have a comment saying: ”Delete if the change management policy constitutes a separate document”.
Shouldn’t the Change management policy and the Change management procedure be separate documents/have separate purposes (the why and the how).
- From your templates it seems like policies and procedures could be the same thing, since we don't need a change management policy if we include this as a procedure in the document Security Procedures for IT department?
- Is it okay to only have procedures or policies for certain controls?