Framework structure
There must be a structured format when creating policies; otherwise, how would you know what you are looking for? The structure does not have to be difficult to implement, nor are we implementing the Dewey Decimal System. However, there should be a method to your madness.
As we look at the overall structure of how the policies, standards, and procedures should be laid out, it is important to know what goes into the document too. Policies should be high-level documents stating the intent for a task, or its why. Standards are mid- to low-level documents stating the what. Procedures should state how something is to be configured. If our objective is to be high level, then what is the point of writing the document? Third-party assessors, or your strategic partners, may want to view what is in your policies. The intention is to have the ability to share information without the need for a Non-Disclosure Agreement (NDA). In fact, you should write your policies in such...
