Security policy, standard and procedure definition
Policies specify the information security intentions of the organization’s senior leadership and practitioners, define roles and responsibilities, and establish high-level requirements for protecting the organization’s information resources.
Standards define the mandatory settings, controls, and requirements that must be implemented to achieve policy objectives. Compliance with standards is measurable, allowing risks to be identified, quantified, and managed at various levels within the organization.
Procedures help to ensure that security policies and standards are applied in a consistent and repeatable manner. A procedure is a systematic set of interrelated steps, tasks, or activities to be accomplished in order to implement a policy or standard.