Policies, Standards, Guidelines, Procedures
identifies “what to protect”
to identify a topic of concern containing particular risks
for the purpose of preventing or avoiding it
a chief executive mandate
a particular high-level
covering activities within the organization by staff, vendors, and clients.
Requirements for policy implementation
is mandatory when a policy is officially mandated.
A policy will state the objective, who will be responsible for decisions, administration, and penalties for noncompliance.
The authority of the person mandating a policy will determine the scope of implementation.
A missing policy indicates an executive control failure.
Measurement Control Point
list of specific measurement points to obtain
Used to compare a subject with standard (Subject vs. Standard)
To ensure uniform level of compliance exists.
Standards do not contain the workflow for compliance.
Standards ≠ Procedures
Management’s job is to use individual points from each standard to create appropriate procedures in a complete workflow in order to obtain compliance within the organization.
A missing standard indicates negligence by failing to define the requirements.
A guideline provides vague direction of
“do this, not that”
very limited advice
pertaining to how organizational objectives might be obtained
because the directions provided are usually incomplete.
has to adapt or discard portions
of the information to fit the intended use.
Relying on guidelines without creating real step-by-step
is a control failure
"How-to" Instructions for Success
of specific tasks necessary to achieve minimum compliance to a
Step-by-step format containing common troubleshooting steps.
The purpose of a procedure is to maintain the highest possible control over the outcome.
Compliance with established procedures
is mandatory to ensure consistency and accuracy
With a policy and standards, the lack of written procedures represents dereliction of duty.
Control Objective
statement of the desired result or purpose
to be achieved by implementing control procedures in a
control objectives may relate to the following concepts