Policy vs Process: Understanding the Difference for Cyber Essentials

Updated: Jan 5

When preparing for Cyber Essentials assessments, one of the most common pitfalls is confusion between policies and processes. Organisations often submit “policy answers” that describe what should happen, rather than clear “process answers” that explain how it happens. Understanding this distinction is key to achieving certification and demonstrating real cyber resilience.


What Is a Policy?

A policy is a formal statement of intent or a set of rules. It defines what your organisation expects or requires. Policies are strategic and high-level; they provide guidance and set boundaries but do not detail the steps to implement them.


Examples of policies in Cyber Essentials:

  • “All devices must have antivirus software installed and up to date.”

  • “Employees must use strong passwords and change them regularly.”

  • “All sensitive data must be backed up daily.”

Note: current best practice is not to force password changes too often, but only when necessary.


Policies answer the question: “What do we require?”


What Is a Process?

A process is a detailed, step-by-step procedure that explains how a policy is implemented in practice. Processes are operational and actionable. They ensure that policies aren’t just theoretical statements but are actively followed across the organisation.


Examples of processes in Cyber Essentials:

Policy: All devices must have antivirus software installed and up to date.

Process:

  1. The IT administrator logs into the endpoint management system each Monday.

  2. The administrator verifies that antivirus definitions are current on all devices.

  3. The administrator pushes updates to any device that is out of date.

  4. The administrator documents the update status and any exceptions in the central log.


Policy: Employees must change passwords regularly.

Process:

  1. The IT system automatically prompts users to change passwords every 90 days.

  2. Users follow on-screen instructions to create a new password meeting complexity rules.

  3. IT monitors compliance and follows up with reminders for any overdue password changes.


Processes answer the question: “How do we achieve this?”


Why Processes Matter in Cyber Essentials

Cyber Essentials assessors are looking for evidence that controls are actively implemented and maintained, not just that they exist on paper. Submitting only policies without processes can result in non-compliance because there is no clear proof of action.


Processes demonstrate:

  • Consistency: The same steps are followed every time.

  • Accountability: Roles and responsibilities are clear.

  • Traceability: Actions can be documented and audited.

  • Effectiveness: Policies are being enforced in practice, not just stated.


Practical Tips for Turning Policies into Processes

  1. Identify the policy you want to implement.

  2. Break it down into actionable steps that anyone can follow.

  3. Assign responsibilities for each step.

  4. Document the process clearly, using checklists or workflow diagrams if needed.

  5. Review and update the process regularly to reflect changes in systems or regulations.


By turning policies into well-defined processes, your organisation not only satisfies Cyber Essentials requirements but also strengthens overall cybersecurity resilience.


The Importance of Cyber Essentials Certification

Achieving Cyber Essentials certification is crucial for your organisation. It not only helps you meet compliance standards but also builds trust with clients and stakeholders. In today’s digital landscape, demonstrating that you have robust cybersecurity measures in place can set you apart from competitors.


Cyber Essentials certification can open doors to new opportunities. Many government contracts require this certification as part of their procurement process. By being certified, you position your organisation as a reliable partner in the supply chain.


Key Takeaway

Think of a policy as the “what” and a process as the “how”. Policies without processes are intentions; processes without policies are inconsistent. Both are required to build a secure, compliant, and auditable environment under the Cyber Essentials framework.
