Friday 18 January 2013

Difference between Policies, Standards, Guidelines, Practices and Procedures


A policy is a written document that lays out the exact requirements or rules that employees must meet. It generally describes the acceptable and unacceptable behaviours of employees in the workplace. In information/network security, a policy usually covers a single area, for example "Acceptable Use of Computing Facilities in the University".

A standard is a thorough statement of what members of an organization need to do to adhere to a policy. This can take the form of system-specific or procedure-specific requirements. These requirements are to be followed by everyone. As an example, staff may want to use their own mobile devices in the workplace. Therefore, the standard for connecting mobile devices to the organization's network must be followed exactly.



A guideline is a group of system-specific or procedure-specific recommendations for best practice. Guidelines are not must-follow requirements. Referring to standards and guidelines is, however, regarded as an effective property of good security policies.

Practices are methods or processes used by an organization to accomplish its objectives.

Procedures are methods or processes, usually detailed, put in place by an organization in order to accomplish its objectives.
