
Standards vs. policies

As part of a security team, we have developed a suite of information security policies for the corporation. We are now in the process of developing standards for some of our platforms. What is the real difference between policies and standards, and how detailed should standards be? Are you able to provide any examples?

The three main terms I see in policy development are policies, standards and procedures. To me, policies are the very high-level statements that govern an organization. An example policy might be that all users must maintain strong, unique passwords for their system accounts. A corresponding standard for this policy could be that all passwords must be at least eight characters long and contain a combination of upper- and lowercase letters, numbers and symbols. Procedures are the detailed steps showing how to implement the stated policy. These should be very detailed, providing exact command line syntax or screenshots showing how to implement this policy.
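The distinction the answer draws is that a policy states intent while a standard states something measurable. The following added example (not part of the original answer or of any SearchSecurity resource) encodes the password standard quoted above as data and checks candidate passwords against it, reporting exactly which requirements fail. It generalizes slightly beyond the text: the minimum length and the required character classes are parameters, so a stricter platform standard can be expressed by constructing a different `PasswordStandard`. The class and function names, and the sample passwords, are constructed for this illustration.

```python
from __future__ import annotations

import string
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordStandard:
    """A standard: measurable requirements that implement the policy
    'all users must maintain strong, unique passwords'.
    Defaults match the standard quoted in the answer above
    (hypothetical class, constructed for this example)."""
    min_length: int = 8
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_symbol: bool = True
    symbols: str = string.punctuation  # what counts as a "symbol"


def check_password(password: str, std: PasswordStandard = PasswordStandard()) -> list[str]:
    """Return the requirements the password fails, in a fixed order.
    An empty list means the password complies with the standard."""
    failures: list[str] = []
    if len(password) < std.min_length:
        failures.append(f"length < {std.min_length}")
    if std.require_upper and not any(c.isupper() for c in password):
        failures.append("no uppercase letter")
    if std.require_lower and not any(c.islower() for c in password):
        failures.append("no lowercase letter")
    if std.require_digit and not any(c.isdigit() for c in password):
        failures.append("no digit")
    if std.require_symbol and not any(c in std.symbols for c in password):
        failures.append("no symbol")
    return failures


def is_compliant(password: str, std: PasswordStandard = PasswordStandard()) -> bool:
    """True when the password meets every requirement of the standard."""
    return not check_password(password, std)


def audit(passwords: list[str], std: PasswordStandard = PasswordStandard()) -> dict[str, list[str]]:
    """Map each non-compliant password to its failed requirements.
    Compliant passwords are omitted, so an empty dict means a clean audit."""
    return {p: check_password(p, std) for p in passwords if not is_compliant(p, std)}


# Constructed sample input: candidate passwords a platform might receive.
SAMPLE_PASSWORDS = ["Tr0ub4dor&3", "password", "Ab1!", "ALLUPPER99!", "Short1!"]

if __name__ == "__main__":
    # Default standard: at least 8 chars, upper, lower, digit, symbol.
    for pw, why in audit(SAMPLE_PASSWORDS).items():
        print(f"{pw!r} fails: {', '.join(why)}")
    # A stricter platform standard only changes the data, not the check.
    strict = PasswordStandard(min_length=12)
    print("stricter audit:", audit(SAMPLE_PASSWORDS, strict))
```

Note that the standard's composition rules say nothing about the policy's "unique" requirement; a check for reuse would need a separate standard (and procedure) of its own, which is exactly the kind of gap an audit like this makes visible.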


This was last published in June 2002
