The Purpose of Policies, Procedures and Protocols in the Information Security Industry

What Are Policies and Procedures?

In the information security industry, policies and procedures refer to the documentation that describes how your business is run.

What is a policy?

A policy is a set of rules or guidelines for your organization and employees to follow in order to achieve a specific goal (e.g. compliance). Effective policies answer questions about what employees do (such as directions, limits, principles, and decision-making guidance) and why they do it.

What is a procedure?

A procedure is the counterpart to a policy; it is the instruction on how a policy is followed. It is the step-by-step instruction for how, when, and where the policies outlined above will be carried out.

The main takeaway: a policy defines a rule, and the procedure defines who is expected to do it and how they are expected to do it.

Why Are Documented Policies, Procedures, and Protocols Important?

Many companies reluctantly approach policies and procedures, overlooking their fundamental role. It’s not about conforming to industry best practices or becoming a faceless corporate entity; policies and procedures clarify management’s objectives and the processes involved.

From our experience at Global Standards, the main distinction between a small and a medium-sized business doesn’t pertain to revenue or workforce size. Rather, it depends on management investing their time in formulating, implementing, and upholding policies and procedures.

Why are these so critical to company success?

Companies with mature policies, procedures, and systems are easier to audit, have a better understanding of their security posture and risk, and generally operate far more sustainably than those that haven’t paid much attention to governance.

3 Reasons Why Companies Avoid Policies and Procedures

Small-business management generally has the same set of objections to writing down a set of policies and procedures, all relating to difficulty, company culture, and time constraints.

But, let’s remember: the benefits outweigh the pain of policies and procedures. Let’s explore the top three reasons why companies may avoid developing policies and procedures.

1. It’s Hard To Write Policies and Procedures

Most companies without mature policies and procedures are operating fairly well; otherwise they wouldn’t still be in business. It’s easier to define security from the very beginning, but that doesn’t mean it’s too late if you start later.

Sometimes the main concern is the challenge of putting policies and procedures into writing, and many people are afraid that writing things down will expose their mistakes. Start by assessing your current situation, and then take a pragmatic approach to where you want to go.

While you may not meet the highest standards in some areas, allowing embarrassment to prevent you from documenting policies is missing the point.

Understanding your current practices is essential for identifying real business risks, establishing your future path, creating an accurate budget, and effectively handling unexpected situations.

Hint: If your practice isn’t “correct,” but you’re honest about it, it’s far less of a problem than if you don’t have anything written down at all.

2. Policies and Procedures Will Change My Company

Writing everything down, formalizing processes, and setting expectations force you to sacrifice some flexibility. These additions do add a bit of overhead and may require changes to corporate structure, company culture, revenue pipeline, or “informal, but really good” processes in order to support the requirements you’ve laid out.

Depending on your existing structure, you may even discover you need some additional staff to handle new responsibilities, or some processes might move a bit slower.

For example, with new policies and procedures implemented, your network engineer now needs management to sign off on a firewall change.

Your staff may no longer be able to simply call and get access to an additional part of the network. That’s going to add some time and maybe even a little frustration to the process, right?

On the other hand, how much would you lose if you lost the only employee who understood exactly why your firewall is set up the way it is? Without writing these processes down, you create massive vulnerabilities. People, training, standards, applications – how much is that little bit of overhead worth if it ensures you have a handle on what’s going on inside your company, your networks, and your enterprise?

You can mitigate the change somewhat by writing your company culture into your policies and procedures.

Nowhere is it required that policies and procedures be horribly formal, boring-to-read documents filled with legalese and pain. Write them in a way that reflects what makes people want to work there.

Hint: Fit your policies and procedures to your company culture, your business, and how your people interact. This will minimize the hardship of implementing them and help preserve what makes your organization unique.

3. There’s No Time to Write Policies and Procedures

This is the most valid argument. In a world of lean staff, fast turnaround, and an emphasis on doing a lot with a little, finding the time for governance may be extremely difficult.

However, any management book, essay, or whitepaper would agree that if you follow the process, defined policies and procedures will improve your business at every level.

You simply can’t pass any formal audit without them. The time to do the work and document your policies and procedures has to be found.

If you can commit to establishing and enforcing your policies, you’ll be shocked at the short-term win in how easy an audit becomes, and even more impressed with the long-term advantages you gain.

Your operations will be less stressful, your people will have more direction and, if done well, you’ll finally know exactly what it is you’re managing and why.

Ultimately, it’s clear that while writing and enforcing company-wide policies and procedures might seem daunting at first, the benefits far outweigh the concerns.

From keeping everyone on the same page to ensuring consistency and compliance, these guidelines are the glue that holds it all together. So, don’t be too quick to dismiss the idea – embrace those policies and procedures and watch your business thrive.

Eng. Karam Malkawi

Global Standards | CEO