
What’s the difference between a policy, a process, and a procedure?

It is very common for businesses to use the terms policy, process, and procedure interchangeably. In cyber security and compliance, however, each serves a distinct purpose, and auditors will expect to see all three. Organisations need to understand these differences, especially if they want to comply with a security standard or framework.

Policy

A policy is a high-level statement of intent. It sets out what your organisation is committed to doing and why, usually in response to a requirement in a compliance standard or to an internal business objective. It does not describe how the commitment is met.

Process

A process describes what needs to happen, when it should happen, and who is responsible for it. It connects the policy to the reality of business operations. Another way to define it is a sequence of steps that achieves a specific outcome needed to support or meet a policy.

Procedure

A procedure is the detailed, technical breakdown of how to carry out one specific part of a process. It gives the exact steps for completing a task so that the outcome is repeatable and predictable regardless of who performs it.

Real-World Example

Policy - "Our business will control access to systems based on need."
Process - "Access control will be implemented via account creation, with approval routes and workflows for approving changes to access."
Procedure - "Non-admin users can request permission changes by logging into the portal, choosing their desired level of access, providing a justification, then submitting the request to their manager for approval."

Updated on: 21/03/2025
