Policies vs Procedures: The Foundation of GRC

The Documentation Hierarchy

Effective GRC (Governance, Risk, and Compliance) requires a clear hierarchy of documents. Each layer serves a distinct purpose:

Document Type	Purpose
POLICIES	What we require and why
STANDARDS	Specific, measurable requirements
PROCEDURES	How we do it (step-by-step)
GUIDELINES	Recommendations and best practices

This hierarchy matters because auditors (and customers) expect traceability: Policy → Standard → Procedure → Evidence.

Policies: The "What" and "Why"

Definition

A policy is a high-level statement of management intent regarding a specific area. It defines what the organization requires and why it matters.

Characteristics

• Approved by leadership (C-level or board)
• Broadly applicable across the organization
• Relatively stable (changes infrequently)
• Mandatory for all employees
• Written in audit-ready language

Example: Access Control Policy

"All access to company systems shall be authorized, authenticated, and logged. Access rights shall be granted based on the principle of least privilege and reviewed quarterly."

Notice: this doesn’t explain how to grant access. It establishes intent.

Standards: The "Must"

Definition

Standards define specific, measurable requirements that must be met to comply with a policy. They set the bar for compliance.

Characteristics

• Quantifiable and testable
• Technology-specific when needed
• Regularly updated as technology evolves
• Mandatory within their scope

Example: Password / Authentication Standard

"All user passwords must:

• Be at least 14 characters long
• Contain uppercase, lowercase, numbers, and symbols
• Be changed every 90 days
• Not be reused within the last 12 passwords"

This is measurable. You can audit it.

Procedures: The "How"

Definition

Procedures are step-by-step instructions for performing specific tasks. They translate policies and standards into actionable guidance.

Characteristics

• Detailed and specific enough to follow
• Role-based (who does what)
• Regularly tested and updated
• Living documents that reflect actual practice

Example: New Employee Access Procedure

1. HR submits access request form to IT via ServiceNow
2. IT verifies manager approval within 24 hours
3. IT creates account with role-based group membership
4. IT enables MFA and sets temporary password
5. IT notifies employee and manager via email
6. Employee completes security training within 7 days
7. IT activates full access upon training completion

Guidelines: The "Should"

Definition

Guidelines are recommendations and best practices. Unlike policies and standards, they’re not mandatory.

Characteristics

• Advisory in nature
• Flexible based on context
• Educational purpose
• Help decision-making in ambiguous situations

Example: Remote Work Guidelines

"When working remotely, employees should:

• Use a private, secure workspace
• Avoid public Wi-Fi when possible
• Use a privacy screen in public spaces
• Lock their device when stepping away"

The policy-to-reality test (use this)

Audits and reviews often fail because documents don’t match operations.

For any policy statement, ask:

• Who does this?
• How often?
• Where is it tracked?
• What evidence exists next week if someone asks?

If you can’t answer these, you need a procedure (or you need to simplify the policy).

Why the hierarchy matters

For auditors

Auditors love clear documentation hierarchies because they can trace: Policy → Standard → Procedure → Evidence
This demonstrates intentional governance, not accidental compliance.

For employees

Executives read policies; IT teams follow procedures. Match the document to the audience.

For maintenance

Separating concerns makes updates manageable:

• Policy changes = rare, high-approval
• Procedure changes = frequent, operational

How this ties into frameworks, gap analysis, and continuous compliance

If you’re pursuing a framework, this hierarchy becomes your operating backbone:

• SOC 2: /frameworks/soc-2
• ISO 27001: /frameworks/iso-27001

Gap analysis only works when documentation reflects reality:

• Next read: /knowledge-hub/gap-analysis-factors

And continuous compliance is keeping these documents aligned as your business changes:

• Next read: /knowledge-hub/continuous-compliance-explained

How CyberPolicify helps

Building a complete documentation hierarchy is overwhelming. CyberPolicify streamlines this:

• Policy templates for every major topic
• Standard templates with industry benchmarks
• Procedure templates with step-by-step guidance
• Mapping between document levels (policy ↔ standard ↔ procedure)
• Versioning and review tracking to reduce documentation drift

Build your GRC foundation in hours, not months.