Policy Documents

"Policy documents" is used here as a collective term for policies, standards, and procedures, each of which carries a distinct message. All too often I have seen these documents run 20 to 30 pages, making it difficult to search for specific items. By breaking them up into separate policies, standards, and procedures, we make each document smaller and easier to read, and easier to search for exactly what you are looking for.


Policies are meant to be high-level documents that could be displayed publicly without giving away sensitive information. Policies provide vocabulary but, most importantly, intent. A policy should not go into detail on how to perform a particular task or how a piece of technology is to be configured.


Standards are meant to back up the intent expressed in the policy. A standard should detail what must be configured for a particular IT resource, not how it is to be configured. For example, a standard would list the allowable encryption configurations (permitted protocol versions and algorithms) but would not describe how to configure an IIS or Apache web server to use them.


Procedures are low-level documents that tell someone how to configure a specific piece of technology to meet a standard. For example, a standard states that the organization may not use certain encryption protocols and algorithms known to have vulnerabilities; a procedure states exactly how to configure a given service so that it does not offer those protocols and algorithms.
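To make the three layers concrete, the following is an added example (not part of the original page) of the kind of fragment a procedure would contain for one product, Apache httpd with mod_ssl. It assumes a hypothetical standard that forbids SSLv3, TLS 1.0, TLS 1.1, RC4 and 3DES, and the hostname, certificate paths and cipher list are illustrative choices, not values from the page. The policy would say only "protect data in transit"; the standard would name the forbidden protocols and algorithms; the procedure is the part below.

```apache
# Added example: procedure-level mod_ssl configuration for Apache httpd 2.4.
# Assumes a (hypothetical) standard forbidding SSLv3, TLS 1.0, TLS 1.1,
# RC4 and 3DES. Hostname, file paths and cipher list are illustrative.

# Non-compliant settings this procedure exists to replace. These accept
# every protocol version and cipher the linked OpenSSL build supports:
#   SSLProtocol all
#   SSLCipherSuite DEFAULT

<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key

    # Step 1: disable every protocol, then re-enable only the versions
    # the standard permits (TLS 1.3 needs httpd 2.4.36+ and OpenSSL 1.1.1+).
    SSLProtocol -all +TLSv1.2 +TLSv1.3

    # Step 2: restrict TLS 1.2 to AEAD suites with forward secrecy, which
    # excludes RC4 and 3DES by construction rather than by a "!RC4" blacklist.
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
    SSLHonorCipherOrder on
</VirtualHost>
```

A procedure should also tell the operator how to verify the change, because the standard only states the requirement. For this fragment that means running `apachectl configtest` before reloading, then confirming from another host that `openssl s_client -connect www.example.com:443 -tls1_1` fails to negotiate while `-tls1_2` succeeds; if the client-side OpenSSL was built without the old protocol, that test has to be run with a build that still has it.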

Over the next few sections, you will learn what goes into a policy, a standard, and a procedure, and how to structure them so that what you are searching for is easy to find.
