Authority Document vs Policy

DMH
Kilo Contributor

We are debating whether to set up our internal Quality Manual (which contains our basic IT general controls) as an Authority Document or a Policy. Is there a reason why we couldn't or shouldn't set it up as an Authority Document? Appreciate any suggestions.

1 ACCEPTED SOLUTION

Uncle Rob
Kilo Patron

Not a compliance expert, but it seems to me that Authority Documents are externally sourced and agreed upon as authoritative by multiple external parties, e.g. SOX, PCI, GDPR, etc.

Policies are things your company decides to do. So if you have an internal quality manual, there's a good argument that putting it in Authority Documents is just more work, when you can just as easily put it in Policies instead.

Adam Horwitz
ServiceNow Employee

Robert is 100% correct. Nothing you create goes in Authority Documents. Your document is a policy and belongs in Policies.

Community Alums
Not applicable

Authority Documents are external policies, and Policies will be your internal ones. Robert and Adam are 100% correct! Authority Documents are everything that has been published, such as ISO, COBIT, SOX, etc. You should look to Policy; that's where internal policies should be hosted.

Scott Ferguson
ServiceNow Employee

If your internal quality manual is based on a framework or best practice, I suggest you import the official external document into the Authority Document construct. Your internal company interpretations of the best practice belong in the policy hierarchy. Your basic IT controls are the control objectives, which link back to both the internal policy and the external regulation (as reference).