What is the main distinction between a policy and a standard?

Prepare for CISSP Domain 2 Information Risk Management. Study with multiple choice questions, each question offers insights and explanations. Ace your exam!

The main distinction between a policy and a standard lies in their respective purposes and roles within an organization. A policy establishes the overarching direction and principles that guide decision-making and behavior within the organization. It is typically high-level and provides a framework for how security and governance issues should be addressed.

On the other hand, a standard provides specific, detailed requirements that must be followed to ensure compliance with the policy. Standards translate the intent of a policy into actionable steps and measurable criteria, ensuring uniformity and consistency in processes and technologies. Therefore, policies support the organizational goals, while standards ensure that the required security practices and operations are carried out effectively and uniformly.

This distinction emphasizes the hierarchical relationship between the two: policies set out the "what" and "why," while standards detail the "how," ensuring that policies are effectively implemented and adhered to by the organization.
