Policies and Procedures

Policies and procedures are the internal documents that translate legal requirements and standards into concrete practice in your organisation. Policies set the direction, and procedures describe how you follow it in day-to-day work.

    Policy vs. procedure

    A policy is a high-level document that describes what the organisation aims to achieve and which rules apply within a given area. An information security policy states, for example, that the organisation is committed to protecting information assets and describes the overarching principles.

    A procedure is a detailed workflow that describes how you carry out a specific task. The incident response procedure describes step by step what you do when you discover a security breach: whom you contact, how you document the incident and who decides whether it should be reported.

    Policies are typically approved by management and change infrequently. Procedures are updated more often because they reflect current practice. Both are necessary: policies without procedures are empty declarations, and procedures without policies lack anchoring.

    Together they form the foundation of your compliance framework and demonstrate to supervisory authorities that you work systematically with compliance.

    Typical compliance policies

    Most organisations need policies in the following areas:

    The number of policies varies with the organisation's size and complexity. What matters is not the quantity but that policies are relevant, up to date and known to employees.

    Regulatory requirements for policies

    GDPR requires you to demonstrate compliance (the accountability principle). Policies and procedures are the most important tool for documenting that you have implemented appropriate measures.

    ISO 27001 requires a number of documented policies, including an information security policy approved by management, and policies for specific controls in Annex A.

    NIS2 requires policies for risk analysis, incident handling, business continuity, supply chain security and cyber hygiene. Management must approve cybersecurity policies and oversee their implementation.

    DORA requires policies for ICT risk management, ICT incident reporting and testing of digital operational resilience.

    All these regulations expect policies to be documented, approved, communicated to relevant employees and regularly reviewed.

    Drafting and maintenance

    Good policies are short, clear and relevant. A policy that nobody reads has no value. Write in language that employees understand and avoid unnecessary legal jargon.

    Ensure that each policy has an owner who is responsible for keeping it up to date. Use version control so that you always know which version is current.

    Review all policies at least once a year and update them when legislation changes, the organisation changes or internal audit reveals weaknesses.

    Communicate policies to all relevant employees and ensure they understand the content. Security awareness and training are essential for translating policies into behaviour.

    Document everything centrally. When your DPO or compliance officer needs to respond to a supervisory authority, they must be able to quickly find the relevant policy with its approval date and latest review.

    Frequently Asked Questions about Policies and Procedures

    What is the difference between a policy and a procedure?

    A policy is a high-level document that describes the organisation's direction and rules within an area. A procedure is a detailed workflow that describes how the policy is carried out in practice, step by step.

    Which policies does GDPR require?

    GDPR does not require specific named policies, but the regulation presupposes policies for data protection, data processing, breach response, data subject rights and retention. Most organisations also have a cookie policy and a privacy policy.

    How often should policies be updated?

    At least once a year and whenever legislation changes, the organisation changes or internal audits identify weaknesses. ISO 27001 requires regular review of the information security policy.

    Who should approve policies?

    Overarching policies should be approved by senior management to ensure authority and anchoring. More specific procedures can be approved by department heads, but they must be consistent with the overarching policies.
