Security policies, standards, procedures, and guidelines
Policies, standards, procedures, and guidelines form a quartet of organizational mechanisms in protecting information:
- Security policies are high-level statements that provide management intent and direction for information security. They describe the what of the description.
- Security standards provide prescriptive statements, control objectives, and controls for enforcing security policies. In a way, they provide the how of the description. They can be internally developed by the organization and/or published by standard bodies, such as National Institute of Standards and Technology (NIST), International Organization for Standardization (ISO), or country-specific standard bodies.
- Security procedures are step-by-step instructions to implement the policies and standards.
- Security guidelines provide the best practice methods to support security controls selection and implementation. They can be used in whole or part while implementing security standards.
For example, NIST Special Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems provides procedures and guidelines for System security life cycle.
International Organization for Standardization (ISO) along with International Electro-Technical Commission (IEC) has published code of practice guidelines and a standard for Information Security Management System (ISMS). They are as follows:
- ISO/IEC 27002: Code of practice for information security. This standard provides a list of best practices an organization could adopt for security management.
- ISO/IEC 27001: This standard specifies the management framework required for Information Security and is a certifiable standard. Organizations can seek certification against this standard for their Information Security Management System (ISMS).