Ask the Expert

Standards vs. policies

As part of a security team, we have developed a suite of information security policies for the corporation. We are now in the process of developing standards for some of our platforms. What is the real difference between policies and standards, and how detailed should standards be? Are you able to provide any examples?


The three main terms I see in policy development are policies, standards and procedures. To me, policies are the very high-level statements that govern an organization. An example policy might be that all users must maintain strong, unique passwords for their system accounts. A corresponding standard for this policy could be that all passwords must be at least eight characters long and contain a combination of upper- and lowercase letters, numbers and symbols. Procedures are the detailed steps showing how to implement the stated policy. These should be very detailed, providing exact command-line syntax or screenshots showing how to implement this policy.
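The answer's layering can be made concrete by expressing it as code: the policy is a sentence, the standard is a set of measurable parameters, and the procedure is the check an administrator or an automated control actually runs. The example below is added here and is not part of the original SearchSecurity answer; the `PasswordStandard` class, the function names and the sample accounts are assumptions constructed for illustration, and the reuse check stores a plain SHA-256 digest of prior passwords only to keep the example self-contained (a deployed history check would compare against the system's own salted password hashes).

```python
"""Policy, standard and procedure expressed as code (added example).

Policy   : high-level statement of intent (a sentence).
Standard : measurable parameters that make the policy testable.
Procedure: the concrete check run against each account.
The class and function names here are assumptions for this example.
"""
from __future__ import annotations

import hashlib
import string
from dataclasses import dataclass

# The policy: what the organization requires, stated without parameters.
POLICY = "All users must maintain strong, unique passwords for their system accounts."


@dataclass(frozen=True)
class PasswordStandard:
    """The standard: the numbers and character classes the policy leaves open."""
    min_length: int = 8
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_symbol: bool = True
    symbols: str = string.punctuation
    history_depth: int = 5      # how many previous passwords count as "not unique"


STANDARD = PasswordStandard()


def check_password(password: str, std: PasswordStandard = STANDARD) -> list[str]:
    """Procedure step 1: return every clause of the standard the password violates.

    An empty list means the password complies with the standard.
    """
    failures: list[str] = []
    if len(password) < std.min_length:
        failures.append(f"shorter than {std.min_length} characters")
    if std.require_upper and not any(c.isupper() for c in password):
        failures.append("no uppercase letter")
    if std.require_lower and not any(c.islower() for c in password):
        failures.append("no lowercase letter")
    if std.require_digit and not any(c.isdigit() for c in password):
        failures.append("no digit")
    if std.require_symbol and not any(c in std.symbols for c in password):
        failures.append("no symbol")
    return failures


def password_history_entry(password: str) -> str:
    """Digest stored in the per-user history (simplification: unsalted SHA-256)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def is_reused(password: str, history: list[str], std: PasswordStandard = STANDARD) -> bool:
    """Procedure step 2: the 'unique' clause, checked against the last N entries."""
    recent = history[-std.history_depth:]
    return password_history_entry(password) in recent


def audit(accounts: dict[str, str], std: PasswordStandard = STANDARD) -> dict[str, list[str]]:
    """Run the procedure over every account; map user -> list of violated clauses."""
    return {user: check_password(pw, std) for user, pw in accounts.items()}


# Constructed sample data: candidate passwords submitted by three hypothetical users.
SAMPLE_ACCOUNTS = {
    "alice": "Tr0ub4dor&3",   # meets every clause of the standard
    "bob": "password",        # eight characters, but no upper, digit or symbol
    "carol": "Short1!",       # every character class present, one character too short
}


if __name__ == "__main__":
    print("POLICY  :", POLICY)
    print("STANDARD:", STANDARD)
    for user, failures in audit(SAMPLE_ACCOUNTS).items():
        status = "compliant" if not failures else "non-compliant: " + ", ".join(failures)
        print(f"{user:6} {status}")
```

Keeping the parameters in `PasswordStandard` rather than hard-coding them inside `check_password` is the point of the separation the answer describes: the policy sentence rarely changes, the standard changes when the organization tightens its requirements (for example raising `min_length`), and the procedure is rerun unchanged.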

For more information on this topic, visit these other SearchSecurity resources:
Ask the Expert: Differentiating between policies, standards, procedures and technical controls
Best Web Links: Law, Public Policy and Standards
Best Web Links: Security Policy and Infrastructure

This was first published in June 2002
