What is the difference between security policies, standards and procedures?

Sometimes the nomenclature used to define information security policies and related documentation can be confusing. Much of that confusion comes from the fact that the information security industry often uses these terms interchangeably. At Information Shield, we adopt the following definitions, which have proven effective over the years:

Information Security Policies are high-level business rules defining what the organization will do to protect information. Standards are more detailed statements about how the organization will implement the written policies.

Standards provide more detailed requirements for how a policy must be implemented. Standards would, for example, define the number of secret key bits that are required in an encryption algorithm. Policies, on the other hand, would simply define the need to use an approved encryption process when sensitive information is sent over public networks such as the Internet.

Procedures are specific operational steps or manual methods that workers must follow to implement the goal of the written policies and standards. For example, many information technology departments have specific procedures for performing backups of server hard drives. In this example, a policy could describe the need for backups, for storage off-site, and for safeguarding the backup media. A standard could define the software to be used to perform backups and how to configure this software. A procedure could describe how to use the backup software, the timing for making backups, and other ways that humans interact with the backup system.

Policies are intended to last for up to five years, while standards are intended to last only a few years. Standards will need to be changed considerably more often than policies because the manual procedures, organizational structures, business processes, and information systems technologies mentioned in standards change so rapidly. For example, a network security standard might specify that all new or substantially modified systems must be in compliance with International Standards Organization (ISO) standard X.509, which involves authentication of a secure communications channel through public key cryptography. This standard is likely to be revised, expanded, or replaced in the next few years.