An organization must document its security policies in order to have legal recourse against cyber attacks and to show due diligence in protecting its systems, data, and clients.

As a matter of good business practice, every organization should document everything. Training, operations, and incident response are just a few key areas where documentation isn’t just helpful, but essential.

An organization has to start by documenting where it wants its cybersecurity posture to be. That means writing policies, procedures, and plans.

There is a difference between an organization’s policies and the procedures to carry out those policies. For example, a policy could require multi-factor authentication for access to remote systems. Procedures explain how to set that up and how to enforce the policy.


Policies are the all-encompassing guidelines for an organization. They set a course and direct decisions and strategy. Basically, they are the “why” behind the things an organization does and the actions it takes.
Policies are set and should be reviewed from a high-level standpoint: “Do we as an organization still require this?”


Procedures are the “how.” They specify actions in a step-by-step order. They should be readable, accessible, and fairly simple to follow.
Procedures should be reviewed and even tested regularly.

It is impossible to provide guidance to your staff in protecting CUI without sound documentation that tells them what they need to do and how to accomplish it.

And if you have a compliance requirement (800-171, CMMC, GLBA, to name a few), then policy and procedure documentation must be present to comply with your industry regulation.

In fact, proving your compliance in an assessment would be nearly impossible without that documentation.

We’ve seen our clients struggle trying to do this on their own (and failing), or even having their Managed Service Provider or the lone person in the IT department try to handle it.

Duffy Compliance Services has years of expertise developing both policies and procedures (and understanding the difference) for its clients. Let us help you navigate this journey without struggle and frustration, and get the job done.

Interested in learning more?

We help you navigate through regulatory compliance by removing the stress of the unknowns. We make sense of complex cybersecurity and compliance jargon and create best practices for you.