Policies vs Standards - Are supposed to check the compliance of standards?

ShafrazMubarak · ‎10-02-2024

I have a doubt to be cleared from the GRC community.

Usually, we draft the policies and every policy statement in the policy are created as control objectives under the policy. Similarly, Standards, Procedures, Operational Manuals also can be created in the same 'Policy' screen.

1. Do we need to create every statement in the standard,procedures or operational manuals as control objectives?

2. Are we supposed to check the compliance of standards, procedures and operational manuals? Isn't compliance score is only for Policies?

Mehernosh Amrol · ‎10-07-2024

I would answer your question, by asking you, how granular do you want to get?

Yes, you have your Policy and relate your Control Objectives. You have other Policies which can role up to the Policy, such as your Procedure, checklist, etc. and tie the appropriate Control Objectives to that.

For Example, you have your Business Continuity Policy, which relate ALL your Business Continuity related Control Objectives. Then you have a Procedure for the different things, Servers, VMs, Facilities, etc. and relate the Control Objectives for those specific procedures. Then you have your Overall Compliance Score for Business Continuity Policy, and your scores for the different procedures.