Information security standards


The term "standard" is sometimes used within the context of information security policies to distinguish between written policies, standards and procedures. Organizations should maintain all three levels of documentation to help secure their environment. Information security policies are high-level statements or rules about protecting people or systems. A "standard" is a low-level prescription for the various ways the company will enforce the given policy. A "procedure" can describe a step-by-step method for implementing various standards.
This use of the term "standard" differs from use of the term as it relates to information security and privacy frameworks, such as ISO/IEC 27002 or COBIT.