When I wrote about Policies, Processes and Procedures in my last post, I was prompted to add two more related terms to the discussion: ‘standards’ and ‘guidelines’.

The main reason was: these terms, too, frequently get mixed up or overlap with the terms I discussed, especially in domains like Information Security.

Let us first look at ‘Standards’:

A few definitions, as usual, to start with (I am picking those web definitions that suit our context here):

  • A basis for comparison; a reference point against which other things can be evaluated
  • Established, well-known or widely recognized as a model of authority or excellence
  • Something used as a measure for comparative evaluations

Now, there are at least two (there are definitely more) different levels at which standards can be applied:

  • Standards like ISO, BS, AS, against which organizational practices can be benchmarked, audited (for compliance/conformance) and certified.
  • Technical standards (within an organization, for instance), which are norms that must be adhered to (in order to achieve quality, excellence, compliance etc.) in the respective technical/operational implementations and practices.

While there is minimal or no confusion about the first level of standards, a question arises on the second type of standards: how are they different from policy?

In general, my thoughts on that are:

  • Policies are like rules set from the top of the organization, while standards are operational/functional level norms. (In many areas like Information Security, finance etc., standards are also strictly mandated by the organization, whereas in some other areas standards might remain recommendations.)
    • For example (let me take an example from Information Security, an area where this confusion seems to be more common): the anti-virus policy of organization X will set a mandate that all systems connected to the organization’s network ‘shall’ have an updated anti-virus program running on them. Alongside it, a standard can exist which details which anti-virus (make, version) should be installed on desktops, laptops, servers, firewalls etc., and their specific configurations (levels of protection, update intervals etc.).
  • Policies set the guiding principles/framework under which practices need to be established, whereas technical/operational standards set specific norms that need to be adhered to in relevant and applicable cases. Standards generally provide a common ground/platform that delivers consistent and predictable quality and performance in specific technical/operational/functional areas.
  • Policies are usually not subject to frequent change, but technical/operational standards can be subject to frequent changes due to changes in the business environment, regulatory requirements, technology etc.

Then, there are ‘guidelines’:

  • Advice or instructions given in order to guide or direct an action
  • Non-mandatory, supplemental information about acceptable methods for implementing requirements found in directives, processes, procedures and work instructions
  • A statement of desired, good or best practice

These definitions clearly state that guidelines are those recommendations/best practices/information that are definitely desirable, but not mandated by the organization. They are, in most cases, ‘not mandated’ but ‘strongly recommended’ practices.