Policy VS Procedures

  • Hi,
    I would like to know the difference between policy and procedure?
    Can I have a policy that includes the procedure, or should it be a separate document?
    Thank you,

  • Hi Kate and welcome to forums 🙂
    Policy - Provides general guidelines within an organization. For example, a company may develop a policy that defines how employees can use the Internet at work.
    Procedure - Provides a more focused step-by-step approach for accomplishing an objective. For example, a company might establish a procedure for how programmers are to fix application system errors after hours using a step-by-step set of standards.
    Other Links
    Search Google using this keyword: difference between policy procedures
    One good link on this

  • Thanks for the link it is great.
    Can I have a policy document that includes the procedure, or should it be two separate documents?

  • Our company produces ‘policies and procedures’ manuals. It seems to work well for us. Because they are so interrelated, it only makes sense to include them in the same document. For SOX control documenting purposes, it is also good, because you assign risk to areas based on their policies, and then tailor the procedures to mitigate those risks.
    Hope this helped.

  • Can I have a policy document that includes the procedure, or should it be two separate documents?
    Yes, as the policy represents the overall control objective and procedures will back this up with more details on a step-by-step basis. This is very common, as I used to write policies, procedures, and standards from a security standpoint. They all go hand-in-hand.

  • Is it not too much information for the user to get in the same document?
    If I build a document including policy and procedure, should I show a separation between the two in my document or not?
    Thank you so much. 🙂

  • Hi,
    A great article on ‘Writing Clear Policies and Procedures With Playscript’ by J. Richard Fleming may be found at the following URL:
    Please be sure to insert www. in front of the link.
    Hope this further helps,

  • Most of the time end users need to accept the policies as part of their employment. This is a good reason to keep policies simple and straight. Also, policies are approved and circulated by senior management or C-level guys, and they always want to keep them simple.
    Procedures to meet a policy can vary and can be tailored for each department/region. They can also be approved by department/division heads rather than senior management or a C-level guy. They need frequent modifications/revisions (based on technology, process change, etc.) and it’s better to keep them at department level. You certainly don’t want a modified policy document every 3 months to be circulated to everyone for signoff.
    It’s always better to keep policies and procedures separate because of these issues.
    There is also something called standards/guidelines and you may want to look them up.

  • Thank you.

  • Calvin shares some important points in the development of policies 🙂 They’re similar to guidelines I’ve used in the past and I’ll expand some on his excellent points:

    1. Policies should be written so that they are easily understood by everyone in the organization. Keep it to a sentence or two and use the ‘KISS Principle’ (keep it simple) 😉
    2. They should also be written in a high-level and generic manner so that you constantly do not have to change them as technology or business practices evolve in your organization.
    3. Policies are written to help control human behavior and encourage best practices within the organization.
    4. Policies need to be reasonable and realistic also. This is key because if you make them too strict, they become meaningless.
      Example – A policy that’s too restrictive might be ‘Employees must use the Internet for business reasons only’ … A better version might read ‘Employees must use the Internet primarily for business purposes.’
    5. Try to avoid negative language in policies where you can. In the example above, it could have read ‘Employees must not use the Internet for personal use’. This negative tone creates resistance right away. By putting policies in a more positive light, it’s more encouraging to the employees and you’ll get better compliance, rather than folks trying to fight the system.
    6. Policies should be reviewed at least annually to see if business or legislative changes have surfaced the need to add or change any of them.
    7. Policies and Procedures should be kept separate. Policies shouldn’t change often, but procedures could change often based on technology, business, or workflow changes.
    8. A good place to publish these is on the corporate Intranet (that’s what I used to do rather than email or paper distributions). You may have to mail or post paper copies if some employees don’t use PCs. This way you can easily maintain this as a ‘living and breathing’ document. You can also email links to communicate them to others.
    9. Policies should be communicated by email annually, so that new hires are also aware of this. Our organization requires an annual acknowledgement by the employees signifying that they have read and will abide by them.
    10. All policies must be approved and supported by senior management or they are meaningless.
    11. The Data Security or Information Security department should review these also from a technology standpoint.
    12. The corporate legal area must also approve all policies. This ensures policies are on a firm legal foundation and they would be fairly administered. In rare cases where a former employee may sue their employers, you want these to stand up in court also.
    13. It’s usually good to include general consequences for policy violations also. It might read ‘Violations of these policies will be subject to disciplinary actions by your manager or supervisor’. This leaves some room for turning around improper behavior without having to fire an employee, if the violations aren’t serious enough to warrant dismissal.
    14. If possible, it’s sometimes good for HR to do quick 30 to 60 minute presentations once every few years (esp. if you see clear violations and there’s a need).

  • There is also something called standards/guidelines and you may want to look them up.
    As Calvin shares, there’s also standards. Below is a short definition:
    Standards - These define ‘how things must be done’ in complementary support of policies and procedures. They are usually more detailed and define best practices that everyone must adhere to. This creates consistency for better technical support. Likewise, standards can be developed on the business side to ensure consistencies there. They usually must be followed, unless there is a written management exception.
    As a Technical example, a company might specify the use of standards in PC desktops or laptops, remote connectivity with VPNs, Operating Systems, Anti-virus software, password complexity and change frequency, etc. …

  • So, policies are general, procedures are more specific, and standards are more specific than procedures, is that right?
    Do I need a standard if I already have a procedure document?

  • Hello, Kate:
    So, policies are general, procedures are more specific, and standards are more specific than procedures, is that right?
    I think of ‘policies’ as being general, but internally promulgated by management.
    ‘Procedures’ are specific steps of a process in which the policy is administered or adhered to within a particular company/organization/operating unit.
    ‘Standards’, on the other hand, are guidelines from external sources. These ‘standards’ can range from best practices (developed over time and widely accepted within an industry/business segment) to official guidance (which are quasi or real requirements). Standards are often the guidance for management’s policies and may be additional guidance for steps (procedures) of a process that an organization follows.
    Do I need a standard if I already have a procedure document?
    The ‘standards’ are just guides and there are many cases in which there are none. However, as with GAAP (a type of standard), if your policies and procedures are covered (by someone either officially or unofficially) then the policies and procedures should fall within these guidelines.
    How closely you follow the ‘standards’ in developing policies/procedures depends on the source of the standard (that is, the degree to which the source is ‘official’).
    Hope this helps.
