Policies vs. Procedures in Cybersecurity

Policies and procedures play a big part in cybersecurity and compliance, and since the cost of noncompliance has shot up almost by half in the last decade, it’s not something you can overlook. However, these two elements often overlap, leading to confusion. So, what’s the difference between policies vs. procedures?

Individual policies are the foundational stone of a company’s overarching cybersecurity policy. It’s the reason why employees must act a certain way. Procedures, in contrast, are how employees must proceed when these policies are implemented. Both are part of the information security policy base.

Are procedures more important than policies? What should companies look for first, the why or the how? Definitions often change with time, and companies use different definitions all the time. Understanding what policies and procedures are with examples is the best way to move forward.

Policy vs. Procedure: A Comparison

  • Policy. It explains the company’s needs and goals regarding cybersecurity. Policies explain why you’re doing something while briefly stating how to achieve that, though more detailed instructions often come later. Attorneys, executives, and managers are in charge of creating and shaping policies. In a way, policies are a set of principles.
  • Procedure. You know why you’re doing something – now it’s time to see how. That’s when procedures come along. This element explains how to achieve the desired result talked about in policies. At the same time, everything listed under procedures should work as clear-cut and straightforward instructions, leaving no room for interpretation or mistakes. In a way, procedures are a set of instructions.

Policies: A Definition

Policies are the first block in the cybersecurity policy base of a company. It’s what defines how employees, managers, and executives have to act and the goals of your organization. A small change in one of your policies could create a huge ripple effect in your company.

That’s why rushing to create policies is the wrong way to go at it. Sure, you need them for your company to work the right way – but that doesn’t mean poor policies are better than none.

Proper policy creation requires lawyers, executives, and managers to sit down and talk. These people should also consult with employees and the IT department to better shape the result.

Simply put, policies will determine how everyone will act – and whether you’re compliant with regulations or not.

3 Policy Examples

1. Password Protection

The easiest way to provide a policy example is to talk about one that plays a part in pretty much every organization you can think of, no matter how big or small.

What does a password policy look like? First, it establishes that you need to create a password for your account. Then, it determines it should be a strong one. Last, it surely explains that you can’t use it anywhere else, nor can you share it with others.

Simple, right? Well, not quite! What does strong mean when creating a password? You also have to talk about that. You should also explain why sharing passwords it’s wrong (it leads to leaks).

Wait! Your policy should be simple and straightforward – and any important details on how to do things should be in the next section, procedures.

2. Security Clearance

Employees don’t have access to every part of the network, let alone the company. Who gets access to where and why should be explained in one of the many company policies.

Clearance is one of the biggest concerns for security and compliance. It defines access to sensitive data and other parts of your organization. It’s important to create that policy as soon as possible because of that.

It’s key for large companies with a lot of rooms and moving parts – and it’s equally important for small companies and startups. Setting up your access hierarchy from the get-go should save you a lot of headaches down the line.

3. Software Use

Any employee using a device is using software. Your company should determine what kind of software anyone can use – and what’s mandatory to install.

For example, let’s say everyone receives a work computer. Some would be quick to install their favorite software, visit fun websites, and check social media. That would be a disaster for cybersecurity!

A proper software policy should establish certain apps and sites are off-limits to protect the company’s cybersecurity. At the same time, it should make installing certain software mandatory, such as having an antivirus and a firewall.

What antivirus and firewall to install (as well as how to do it) should be covered in the procedures part.

Why Are Policies Important in Cybersecurity?

Policies are the foundational stone of a company’s cybersecurity. It clearly establishes why employees, managers, and C-level executives have to act the way they must when using the company’s resources.

Take a look at the examples stated above. Something as simple as having a proper password protection policy will prevent employees from using weak passcodes (such as “password” and “123456”) or no password at all, making your company’s defenses stronger by default.

In a way, policies are the first line of defense against threat actors for the human elements. Devices have software (e.g., antivirus, firewall, etc.) – but you can’t install those in humans. Teaching them the right way to act is the solution.

Procedures: A Definition

Procedures are a set of detailed instructions that explain how to achieve a desired result, often expressed under policies. It’s a how-to manual for employees, managers, and executives to follow.

What’s the best way to establish procedures? Make sure they’re simple and straightforward. Having gray areas here is a huge mistake: leaving room for interpretation leads employees to make costly mistakes that may end up in a data breach.

Does that mean procedures should be a step-by-step guide all the time? Not necessarily. Each department needs to receive different procedures: the guys at sales are not as tech-savvy as the IT department, so each one should receive different procedures regarding malware detection, for example.

3 Procedure Examples

1. How To Create a Secure Password

We’ve stated in the policies part of this article how important password policy is. However, we haven’t explained what a strong password looks like or how to create one.

That’s when procedures come to play! After stating that users need a strong password, it’s time to explain how to create one.

A strong password should be more than 10 characters long and a combination of lowercase and uppercase characters as well as numbers and special characters. At the same time, it shouldn’t be reused or shared. Writing it down or storing it in plaintext is also forbidden.

That’s how a procedure should look: short and to the point and simple.

2. How To Get Clearance

Security clearance is a bit of a mixed bag! Each company has its own way of handling it, as well as how severe they take it. Asking for clearance at a startup is not the same as accessing confidential reports in a law enforcement agency.

For that reason, talking to your boss may be enough to get cleared – while, in other scenarios, you’ll have to go through a lengthy process where even your family is interviewed. That last part is only for high-stakes government jobs, so don’t worry about that.

3. How to Log Into the Network While Working Remotely

Our third policy example talks about software use. Let’s forget about malware detection for a moment while we talk about remote work.

Connecting to the company’s network while working at home is not as easy as it sounds. You need to establish a safe connection and, at the same time, make sure the device you use is not tainted with malware or similar. Most people don’t know how to do that – and that’s why the company should provide instructions (also known as procedures) to achieve that goal.

Each company has its own way of handling remote work. For the most part, they use work devices that have plenty of sites and software off-limits and require a VPN to connect to the company’s network.

Do We Need Something Other Than Procedures in Cybersecurity?

Procedures are the cornerstone of security policy-making but are far from the only element needed. Yale’s Information Security proposes a four-part pyramid, which includes policies, standards, procedures, and guidelines.

Policies and procedures you already know. Standards and guidelines offer further guidance into what to do and how to do it. Policies are why you’re doing something; standards are what you’re doing. Procedures are how you’re doing something, while guidance provides further assistance into how to do it right.

You have to think of it as a pyramid: policies are the foundation, followed by standards, then comes procedures, and guidelines are at the top. Each part of the pyramid is important, but it’s always a good idea to have a solid foundation before moving up.

In certain cases, companies put policies at the top of the pyramid rather than at the bottom.


Policies and procedures play a huge part in cybersecurity. Your company needs to figure out the role of compliance within your organization to shape its policies properly. Policy implementation comes at the hand of creating straightforward procedures for employees to follow. We at U.S. Cybersecurity are standing by to assist you with any questions you have with understanding policy vs procedure.

Herman McCargo

Herman is a Microsoft Certified Security Engineer and Cybersecurity Specialist. He’s been in the technology field for over 20 years and has expertise working with the most critical technology infrastructures. He has a deep understanding of cyber risks, threat mitigation and prevention, and overseeing infrastructure.