Policies and Procedures

Policies give guidance in an organisation. They give direction in WHAT needs to happen, not necassarily HOW it should happen, that's what procedures are for.

An example:

In the password policy it's stated that "Each user shall use a password manager to manage unique passwords for each application they use.“

In the password procedure this policy goes into the specifics on how the user needs to implement this, and what specific policy manager they need to use. How they go about installing and configuring it.

By making use of policies and procedures, these elements are formalised which makes verifying if they are applied, and if they are aplied in a correct manner. Whithout policies and procedures it's a free for all to do as they like.