A business needs a policy framework to state its values, expectations and requirements in a meaningful way.
The policy framework depends on an organization's structure to assign and enforce ownership of these statements appropriately. Policy frameworks aid in understanding the enterprise by setting the ownership of policies and their associated supporting documents, and by creating a structure in which these statements can be found.
This framework defines and clarifies what the business values and what can be expected of it.
There may be several types of documentation within the policy framework, but typically you should see at least the following: policies, standards and guidelines.
These items, in large part, make up how a business articulates its values and operations at scale for all employees, contractors, agents, business partners, etc. These artifacts are also available for evaluating the values of a business through compliance and audit, demonstrating the degree of integrity the business has with respect to its values and promises.
When a business makes a claim or asserts some portion of its values, that assertion is a promise to operate in a prescribed manner so that stakeholders (including those mentioned above) can evaluate the business for alignment with the stakeholder's own values. The implementation of the enterprise's values and processes set forth in these statements should be consistent. Businesses that are found to be internally inconsistent are often penalized by stakeholders due to diminished trust. In some cases the business will be fined by evaluators such as regulators and courts.
Policy is a carefully crafted, written statement of what matters to a business entity. Policy should NOT include implementation details at any great level of detail, but should be the overarching value statement that requires MANDATORY compliance.
Exceptions to policy should have clear processes for review, approval and documentation. Exceptions should not be taken lightly and should be routinely reviewed by the business for appropriateness, with the aim of resolving them towards policy compliance when possible. The exception process for a policy should either be encapsulated within the policy or linked from within the policy for easy consumption.
Standards define what constitutes acceptable compliance with policy, both within an industry and within the specific business entity.
In technology, standards are often circulated as Requests for Comments (RFCs) or similar drafts and discussed for years before being ratified by national or international standards bodies such as the IETF or ISO.
Within a company, a standard need not go through external review and comment, but it should be aligned with a policy. That way, as technologies, methodologies, processes and industries change, the policy can remain intact without needing to reflect every change, while the standard remains responsive to those changes.
Standards are not necessarily mandatory, and whether they are should be stated within the policy that articulates their use (or requirement). If the policy calls for mandatory use of a specific standard or standards, then use of that standard is mandatory, and exceptions should be reviewed, approved and documented according to a prescribed process.
Guidelines are supporting documentation that do not require mandatory compliance in and of themselves. Mandatory compliance, where necessary, should be detailed in the policy or policies that the guidelines support.
Guidelines should show operators how to perform tasks in a manner that achieves the desired state as published in the policy, and to the degree required by any corresponding standards. In other words, if someone is directed to a policy, reviews the standards they must employ in meeting it, and still does not know how to achieve compliance with the requirement, then the guideline should provide the steps that aid the worker in doing what the business has determined defines its operations.
I did not cover position papers, as I think there is more latitude in how these can be used by an organization.