CISM: Policies and Standards

From Glitchdata
Threat => Risk => Policy => Standards => Procedures / Guidelines

Policies, Standards, Guidelines, and Procedures are GOVERNANCE mechanisms.

  • Policy guides Standards
    • Policy => Standards
  • If there is no threat, then there is no risk, and a policy is not needed to address it
    • Threat => Risk => Policy


  • A policy is a principle that is used to set direction in an organisation. It can be a course of action to steer and influence decisions. The wording of the policy must make the course of action mandatory, and it must set the direction.
  • The Chief Information Security Officer (CISO) would more than likely be the primary author of the policies and, therefore, is not the appropriate individual to approve the policies.
  • Policy is a GOVERNANCE mechanism
  • Policies are developed in response to perceived threats.
    • No threat, No policy needed.
  • Policies drive Procedures
    • Policies => Procedures
  • Policies are typically not impacted by technology change.
  • Policy is usually not too detailed.


A standard sets the allowable boundaries for people, processes and technologies that must be met to meet the intent of the policy.

  • Typically there are more Standards than Policies
    • # Standards > # Policies
  • Standards are a GOVERNANCE mechanism
  • Standards change and are often adjusted to compensate for changes in technology and business processes.
  • Standards guide Procedures
    • If procedures are ad hoc, then the standards need to be revised.
  • A standard can include required hardware and software mechanisms, setting the allowable boundaries for software and hardware as well as for people, processes and technologies.


  • A guideline is a suggested action; it is not mandatory and is more like a recommendation.


  • A procedure is a particular way of accomplishing something.
  • Procedures are usually detailed, step-by-step required actions.
  • Procedures are a GOVERNANCE mechanism
  • Procedures are designed at a more granular level and will require frequent modification.
    • Because procedures are more detailed and can be technology-specific, there are generally far more procedures than standards or policies.
    • # Procedures > # Standards > # Policies
  • Review or modification of procedures will consume MAJOR effort.


  • CISM: Privacy Policy
    • MOST important component of a privacy policy is Notification
    • Privacy policies must contain notification requirements in the event of unauthorised disclosure and opt-out provisions.
    • Privacy policies may address liabilities from unauthorized disclosure. This is a SECONDARY component.