Security Policies, Standards, and Procedures: The Boring Stuff That Actually Saves You
Sometimes the boring stuff you avoid the most is exactly what saves you. Boring doesn’t mean useless. Serious about cybersecurity? Read this!
I know what you’re thinking right now. I think I can sum it up in one word.
BORING
So why do I write an article about something boring? Wouldn’t it be better to write about something exciting?
Probably.
But I created this newsletter for people who actually care about cybersecurity, and like it or not, this topic is crucial not only for certification exams such as the CISSP but for nearly every organization there is.
I agree, it might be boring, but understanding policies, standards, and procedures, how they relate to each other, and how they are created and implemented is where real security is built. Controls that aren't written down, mandated, and checked tend to drift until nobody knows what "secure" is supposed to mean.
So, if you’re serious about this field, just hear me out!
I’ll save you endless hours figuring it out on your own.
First, the definitions
Before we dive into things like why it matters or what type of policies there are, let’s take a look at what those terms even mean and what the relationship between them is.
Because I am 100% sure you’ve already heard them used incorrectly.
Let’s get it over with:
Policy:
A high-level statement that defines what must be done and why. It reflects management's intent and direction, assigns responsibility, and is rarely technology-specific, so it should not need rewriting every time a tool changes.
Standard:
A mandatory rule that defines what exactly must be used or followed: specific tools, technologies, or configurations. Because a standard is mandatory, compliance with it must be checkable.
Procedure:
A detailed set of steps that explains how to implement a policy or standard in practice. Procedures are the most frequently updated layer, because they change whenever the tooling or the environment does.
Guideline:
An optional recommendation or best practice. Guidelines cover the grey areas that policies and standards leave open and give staff the flexibility to exercise judgment.
Warning: The term "standard" has more than one meaning! Documents such as the ISO/IEC 27000 series are called standards because they were published by a standards body, even when, as with the control guidance in ISO/IEC 27002, they are best practices rather than rules that are mandatory inside your organization. Your internal standards are the mandatory ones discussed in this article; an external standard only becomes mandatory for you if a policy, a contract, or a regulator makes it so.
It didn’t hurt, right?
But I can imagine that it didn’t tell you much if you didn’t know the definitions before. Don’t worry, as always, I have pictures and real-world examples to make it easier for you to get an idea of what’s going on.
As you can see in the picture above, the general concept is quite simple. Executive management creates a general statement that lays out the goals and assigns responsibilities.
Based on these policies, we create standards, which are nothing but the specific, mandatory requirements that allow us to meet our policy goals.
And based on those requirements, we create procedures that offer clear, step-by-step tasks that must be performed to meet those requirements, and therefore the policy goals. Guidelines sit alongside this chain as optional advice rather than as another mandatory layer.
IMPORTANT: Standards are always unambiguous, detailed, and measurable. "Passwords must be at least 14 characters" is a standard; "passwords should be strong" is not, because nobody can audit it.
Sounds easy enough, doesn’t it?
If it isn’t, stay with me. Real-world example always helps!
But before we get to that, let’s try a quick quiz:
Can you spot what this is an example of?
Let me know in the comments why you chose your answer!
Real-World Analogy: A secure coffee shop
Policy
Only authorized staff are allowed to access the cash register.
→ (High-level rule from management – "what & why")
Standard
The cash register must be protected with a lock that meets Security Grade A (a hypothetical grade used for this analogy).
→ (Defines the required level of security – "what exactly")
Procedure
Take the key from the manager’s office.
Unlock the register before opening.
Lock the register during breaks or when unattended.
→ (Step-by-step instructions – "how")
Guideline
It's recommended to rekey the lock every 3 months and to avoid sharing keys.
→ (Optional best practice – "suggested but not mandatory")
Summary
If you're reading this, congratulations! I know it isn't the most exciting topic in the field, but if you're serious about cybersecurity, you will sooner or later realize that well-defined policies, standards, and procedures are the core of organizational security.
Rest assured, this isn't just something you memorize for certification exams; it is what you actually need in the real world to turn management's intent into controls that can be implemented, audited, and enforced.
I hope that after reading this article, you have a good understanding of what each of these documents is for and how they relate to one another.
Do you?
Let’s find out. I prepared a 10-question quiz for you!
💬 Got 8/10 or more? Drop your score in the comments.
📤 Know someone who still confuses policy with procedure? Send this their way.
Oftentimes, the more boring a topic, the more important. Great article as always!