When I wrote about Policies, Processes and Procedures in my last post, I was prompted to add two more related terms into the discussion: ‘standards’ and ‘guidelines’.
The main reason was: these terms also get mixed up or overlapped frequently with the terms I discussed there, especially in domains like Information Security.
Let us first look at ‘Standards’:
A few definitions as usual to start with (I am picking those web definitions which suit our context here):
- a basis for comparison; a reference point against which other things can be evaluated
- established or well-known or widely recognized as a model of authority or excellence
- Something used as a measure for comparative evaluations
Now, when it comes to standards, there are at least two (definitely more exist) different levels at which these can be applied:
- Standards like ISO, BS, AS, against which organizational practices can be benchmarked, audited (for compliance/conformance) and certified.
- Technical standards (within an organization, for instance), which are norms that need to be adhered to (in order to achieve quality, excellence, compliance etc.) in the respective technical/operational implementations and practices.
While there is minimal or no confusion about the first level of standards, a question arises about the second type: how are they different from policy?
In general, my thoughts on that are:
- Policies are like rules set from the top of the organization, while standards are operational/functional-level norms (in many areas like information security, finance etc., standards are also strictly mandated by the organization, whereas in some other areas standards might remain recommendations).
- For example (let me take an example related to Information Security, an area where this confusion seems to be more common): the anti-virus policy of organization X will set a mandate that all systems connected to the organization’s network ‘shall’ have an updated anti-virus program running on them. Here, a standard can exist which details which anti-virus (make, version) should exist on desktops, laptops, servers, firewalls etc. and their specific configurations (levels of protection, update intervals etc.).
- Policies set the guiding principles/framework under which practices need to be established, whereas technical/operational standards set specific norms that need to be adhered to in relevant and applicable cases. Standards generally provide a common ground/platform that delivers consistent and predictable quality and performance in specific technical/operational/functional areas.
- Policies are usually not subject to frequent changes, but technical/operational standards can be subject to frequent changes, due to changes in the business environment, regulatory requirements, technology etc.
Then, there are ‘guidelines’:
- Advice or instructions given in order to guide or direct an action
- Non-mandatory, supplemental information about acceptable methods for implementing requirements found in directives, processes, procedures, work instructions
- A statement of desired, good or best practice.
These definitions clearly state that guidelines are those recommendations/best practices/information that are definitely desirable, but not mandated by the organization. They are, in most cases, ‘not mandated’ but ‘strongly recommended’ practices.