When discussing ISO27000, my friend Gary Hinson wrote:
The terms in the triangle or pyramid shape are generally listed in the reverse sequence, the sizes of each row reflecting the amount of documentation typically required at each level.
Policies are usually the shortest and most succinct, and are normally at the peak of the corporate governance structure (the ‘High level requirements’ as it says) hence they are typically shown at the top, even down here in the Southern hemisphere!
You could say that policy requirements “flow down” or “cascade” to the lower levels, or that the lower levels “support” those “High level requirements”.
I have a simple rubric as far as the “short and succinct” policy statements go.
Yes, short, succinct AND UNAMBIGUOUS.
Have a wording that is clear. One or two short sentences. Strong verbs and clear, definitive nouns. Simple, elaborate language.
Now to be policy these statements need the approval of the Board of Directors.
The Board meets four times a year by a tradition that pre-dates the advent of Christianity in Western Europe, and you have a 90-second slot under “Other Business” just before lunch. The Board are impatient, they want to get on to being wined and dined, and you can be assured that no meaningful business will get done when they return, two hours later, inebriated and somnolescent, so you better get it right the first time.
The policy statement needs to be clear, unambiguous AND INARGUABLE. You don’t have time to explain it to the board and there isn’t time for them to discuss it. And this clarity will be useful when it comes to publishing the policy at the head of the ‘pyramid’ that Gary discusses.
Or, perhaps more practically from the POV of deployment, this diagram that I have as a click-able heading for each policy in my P&P Wiki model:
If you don’t know what I’m talking about, never mind, but trust me, it actually is so:
- Lughnasadh (1 August)
- Samhain (1 November)
- Imbolc (1 February)
- Beltaine (1 May)