As security policies and procedures are essential to the entire security program development process, it is important to clearly understand the difference between policies, standards, guidelines, and procedures.
Policies are high-level statements relating to the protection of systems and information across the organization. Policies should be set by senior management.
Standards are specific low-level mandatory controls and activities that help enforce and support the corresponding security policy.
Guidelines are recommended, non-mandatory controls and activities that help support standards or can serve as a reference when there are no applicable standards in place.
Procedures consist of step-by-step instructions to assist the people implementing the various policies, standards, and guidelines.