Many organizations struggle to meet compliance requirements for proper documentation.
What are the components of a good policy and procedure document?
Here are some guidelines:
| Component | Definition | Example |
| --- | --- | --- |
| Policy | A policy is a high-level statement of management intent that formally establishes requirements to guide decisions and achieve rational outcomes. | We will properly maintain our network and assets. |
| Control Objective | Control objectives are targets or desired conditions designed to ensure that policy intent is met. | The organization applies software patches in a timely manner. |
| Standard | Standards are formally established requirements regarding processes, actions, and configurations. | Systems must be patched within 30 days of the vendor's release date. |
| Procedure | Procedures are a formal method of doing something based on a series of actions conducted in a certain order or manner. | Workstations and servers will be patched on (a certain day of each month or week) by (assignment). |
| Control | A safeguard or countermeasure prescribed for an information system or an organization, designed to protect the confidentiality, integrity, and availability of its information and to meet a set of defined security requirements. | A vulnerability management plan is developed and implemented. |
| Metric | A quantifiable measure that is used to track and assess the status of a specific information security process. | % of infrastructure assets missing critical/high patches |
Your documentation can consist of many separate documents or a single comprehensive document. There is no right or wrong approach, as long as each area required by your framework program or compliance mandate has documentation that includes these key elements.