
The PPPS of Documentation

Many companies and people get confused when it comes to policies, procedures, processes and standards.  Here is a short definition of each to help you understand the differences and how they work together.

Policy: Business rules and guidelines of a company that ensure consistency and compliance with the company’s strategic direction.  The Policies lay out the business rules under which a company, division or department will operate.  Policies are guidelines under which Procedures are developed.  Policies address what the Policy is and its classification, who is responsible for the execution and enforcement of the Policy, and why the Policy is required.

Procedure: Defines the specific instructions necessary to perform a task or part of a Process.  Procedures can take the form of a work instruction, a desktop Procedure, a quick reference guide, or a more detailed Procedure.  Procedures usually are structured by subject (for example, system instructions, report instructions, or Process tasks).  A Procedure usually addresses only a single task.  This separation enables Procedure components to be compiled into special Procedure manuals for specific audiences, end users, and purposes.  Procedures detail who performs the Procedures, what steps are performed, when the steps are performed, and how the Procedure is performed.

Process: Related activities that produce a specific service or product.  The majority of Processes cross departments or functional areas.  Each Process designates the connect points and where it crosses department lines.  The documentation presents the total Process.  Processes indicate where there is a separation of responsibilities and control points.  They are also very helpful for identifying Policy and Procedure requirements.  Processes address who is responsible for performing the Process (department, division), what major functions are performed, and when the function is triggered.

Standard:  Universally or widely accepted, agreed upon, or established means of determining what something should be.  Written definition, limit, or rule approved and monitored for compliance by an authoritative agency (or professional or recognized body) as a minimum acceptable benchmark.  A standard should make a policy more meaningful and effective.

—————————————————-

Chad Barr

Chad (@SharkByte) is a Security Consultant. Chad has extensive experience in Information Security, project management and network administration. His industry certifications include:

  • Certified Information Systems Security Professional (CISSP)
  • Certified Information Systems Auditor (CISA)
  • Certified Internet Web Professional
  • Certified Ethical Hacker (C|EH)
  • PCI DSS Qualified Security Assessor (QSA)
  • Payment Applications Qualified Security Assessor (PA-QSA)

http://www.chadmbarr.com

