Edition e1.0.0
Updated October 9, 2023

One of the common misconceptions about policy, standards, procedures, and playbooks is that these words are synonyms—and probably amount to boring tomes of legalese that are best left rotting in a drawer.
Although the legalese part has some element of truth in it (especially in older, more formal security and governance circles), policy, standards, procedures, and playbooks are all very different types of document, each with an important part to play in leading security in your company.
Policies set the company’s high-level expectations of how systems, data, processes, and technology will be protected within an organization.
Standards are the implementation guidelines that turn policy from principle to practice.
Procedures and playbooks are documents that turn your policies and standards into actions, and may include tools and step-by-step instructions.
Let’s take a deeper look.
Figure: A visualization of the different kinds of security strategy documents.
For most people, their only experience of policy has been the documents they receive from an insurance company or finance team: pages and pages of very complex, multi-clause sentences that cover the rules and regulations governing every possible permutation of a scenario. These are long, impenetrable documents that have left an entire generation scared of policy.
Thankfully, policy doesn’t have to be like that at all.
A good security policy outlines the domains that are expected to be considered throughout the organization and sets guiding principles to which all standards, procedures, and playbooks are expected to align.