What is a Standard? What is a Policy?

Sometimes people get confused by terms and recently I’ve come across a bit of confusion as to the difference between a standard and a policy and critically which comes first.  So this is an attempt to give a clear and simple definition of the two terms and their differences as it relates to governance and operations.



Standards are about perfection; they represent the goal for the organisation.  So a standards body such as ISO puts down the rules on what organisations should adhere to around something like country codes, while folks like IEEE create the standards around things like 802.11, the global standard for WiFi in all of its versions.  Standards folks tend to be purists like Socrates, defining what really must be done and ensuring that there isn’t much, or indeed any, wriggle room for people to claim they match a standard when in fact they do not.  Standards therefore are the ‘gold’ measure against which efforts are measured.  Standards don’t have to be binary elements: the ISO country code standard has an extension related to provinces, and of course WiFi comes in multiple standards (b/g/n/etc) as well as options within those standards around frequency and other elements.  When you are looking at standards, therefore, you are defining what people must do to be compliant and the bar against which that compliance will be measured.  Just because standards bodies are purist doesn’t mean that they are disjoint from reality, but it does mean that their role is defining a bar that actually means something, not simply ‘what we can achieve today’.  When looking at Information Standards in particular it’s important that standards around quality, field definition and other elements are challenging and represent the ultimate bar of compliance: that the information in systems matches the information in the real world it represents.

Victor Meldrew


Policies are about practice: what you choose to do to meet a standard, how you go about it and indeed whether you choose to meet a standard or not.  Policy people are bound by the current realities and therefore, like Victor Meldrew, tend to be on the grumpy side.  Policy people have to make decisions on how to implement a standard and which standards they are going to follow.  So a policy team might decide that yes, they are going to move to the ISO-3661-1 standard for countries, but that for the next year they won’t standardise on provinces or states to ISO as the cost of updating current systems is too much and there isn’t much cross-country requirement for it.  With 802.11 a company can make a policy decision to support b/g/n but not support the 5GHz standard and only run two antennas rather than the maximum three allowed.  This doesn’t mean that the company isn’t complying with the standard, just that they aren’t implementing everything that is optional.  Policy therefore is about making a business decision on whether and how to implement a standard.  It’s about sometimes saying ‘no we can’t implement that standard yet, it will take us 2 years and here is our roadmap’.  It’s perfectly ok to make such a decision as long as you are doing it for sound business reasons and, crucially, so long as you are tracking the non-adherence to the standard and the successful implementation of the roadmap towards it.

Why Victor shouldn’t meet Socrates

A common mistake that companies make when looking at Standards and Policies is to combine the groups of people that are looking at them.  This is a definite error as it ensures either deadlock or, even worse, a series of standards which represent the best that can be achieved today.  The reason for this is purely one of human dynamics: standards people are aiming for the gold standard and policy people know it’s their job to implement them, which means that policy folks have a vested interest in making the standards bar as low as possible so they can achieve it with the minimum of effort.  This combination of the two groups leads to standards that are focused on fixing just the problem that the policy people see today and leads to a real challenge when seeing how an organisation is progressing.  Combining the two tends to end in a moving baseline where each year a new standard is set and people race towards it but the concept of progress is lost.

So does this mean the organisation is getting better or worse?  Are we actually improving on this metric or always falling back at the start of the year?  As we change the standard does this mean we are tracking something different and losing focus?  Well, of course, the answer is ‘no one knows’.  What you need is a standard that you can track progress towards over the years.

See the difference?  And that is why you keep Victor and Socrates apart.  Get the standards people to create the best viable standard that they can and then have Victor create the incremental roadmap that progresses towards it.  Doing it this way keeps the standards people from being too pure in implementation and the policy folks from being too conservative in what can be achieved.

So keep your standards bodies separate from your policy bodies and ensure that your standards represent what you want to achieve in future while the policy folks get on with what can be achieved today and in the near term.  Then track the progress towards the future, not simply to the next step.
