
Dated: 31-10-2024

Ch01. What is the Difference between an Information Security Policy, SOP, and Guideline

Policy

  • Formal, high-level requirement for securing the organization and its IT assets (mandatory)
  • Scope is the whole organization, so it should be brief and focus on the desired results
  • Signed off by senior management

Procedure or Standard Operating Procedure (SOP)

  • More detailed description of the process: who does what, when, and how
  • Scope is predominantly at the department level, with a specified audience
  • May be signed off by the departmental head

Guideline

  • General recommendation or statement of best practice
  • Not mandatory
  • Further elaborates on the related SOP

Standard

  • Specific and mandatory action or rule
  • Must include one or more specifications for an IT asset or a behavior
  • Yardstick that helps achieve the policy goals

In Practice

  • The policy is recommended to be a single document applicable at the organizational level (wide audience)
  • Sub-policies may be defined at the departmental level
  • Policies and standards are mandatory; deviating from them requires an approved exception

Examples

  • Information security policy
  • System administrator password sub-policy
  • User ID & Access Management SOP
  • Vulnerability Management standard
  • Social engineering prevention guideline

Post Assessment

Which of the following is the more detailed description of the process?
  • Information
  • Standard
  • Procedure
  • Protocol

SOP stands for
  • Selected Operating Procedure
  • Small Operating Procedure
  • Secure Operating Procedure
  • Standard Operating Procedure