What is Policy?
A policy is a management tool that sets out a course of action, a guiding principle, or a process that is effective, practical and beneficial to the organization as a whole.
Policies are usually high-level statements that provide guidance to organizations and to the staff who must make decisions. They are the general requirements that must be documented and communicated to people inside and, in some cases, outside the organization. Although policies may vary somewhat, they typically include general statements of objectives, responsibilities and rules.
Policies are mandatory and can also be thought of as organization-specific law. In strict terms, special approval or exemption would be expected before a course of action is taken that would not normally comply with policy. Because compliance is intended, definitive words like "must" or "required to" are used. For simplicity and consistency, those words should be used wherever possible.
What is a Guideline? What is a Standard?
A guideline is distinct from but similar to a policy. Guidelines are usually optional or a suggested best practice. A standard provides a specific technical requirement. Standards usually cover details such as implementation steps, design concepts and other specific controls.
Generally speaking, policies are intended to last, while guidelines and standards change because business processes, organizational structures and technologies change so rapidly.
What are Procedures? What are Controls?
Procedures are specific operational steps or methods that are used to accomplish something. Controls are mechanisms to guide operations or regulate directed practices. In many cases, policies provide broad objectives, which are met with controls. For instance, a policy prohibiting actual or apparent conflicts of interest could be partially met by a control that requires employees to sign a statement indicating they have read the code of conduct and agree to comply. The requirement to sign a statement of compliance with a code of conduct might itself be a policy.
Good management requires decisions to be made about controls to meet the requirements of policy. Policy may be deliberately vague about procedures and control measures so that managers retain the latitude to change procedures and controls as evolving technology and business conditions dictate. As responsibilities, decisions and accountabilities are increasingly pushed down, day-to-day decisions on which best practices to employ "to get the job done", and on how to control and deliver services, can be made by more and more staff throughout the whole organization.