Policy vs Process: Understanding the Difference for Cyber Essentials
- netcomtech
- Nov 10
When preparing for Cyber Essentials assessments, one of the most common pitfalls we see is confusion between policies and processes. Organisations often submit “policy answers” that describe what should happen, rather than clear “process answers” that explain how it happens. Understanding this distinction is key to achieving certification and demonstrating real cyber resilience.
What Is a Policy?
A policy is a formal statement of intent or a set of rules. It defines what your organisation expects or requires. Policies are strategic and high-level; they provide guidance and set boundaries but do not detail the steps to implement them.
Examples of policies in Cyber Essentials:
“All devices must have antivirus software installed and up to date.”
“Employees must use strong, unique passwords and change them whenever compromise is suspected.”
“All sensitive data must be backed up daily.”
Note on the password example: NCSC guidance for Cyber Essentials advises against forcing routine password changes. Frequent expiry pushes users towards weak, predictable variants of the old password, so passwords should be changed only when necessary, for example after a suspected compromise.
Policies answer the question: “What do we require?”
What Is a Process?
A process is a detailed, step-by-step procedure that explains how a policy is implemented in practice. Processes are operational and actionable. They ensure that policies aren’t just theoretical statements but are actively followed across the organisation.
Examples of processes in Cyber Essentials:
Policy: All devices must have antivirus software installed and up to date.
Process:
Each Monday, the IT administrator logs into the endpoint management system.
Verify that antivirus definitions are current on every device, and flag any device with no antivirus installed or no reported definition date as an exception rather than treating it as compliant.
Push updates to any device that is out of date.
Record the update status and any exceptions in the central log, with the date of the check and who performed it.
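The process above can be made repeatable and auditable by scripting the verification and logging steps. The following is an added example, not code from the original post or from any endpoint-management product: it reads a constructed inventory export (the field names, hostnames and timestamps are assumptions for this example), classifies each device as current, stale or an exception, queues the stale ones for an update push, and produces the central-log records that step four asks for. The 24-hour freshness threshold and the check time are also assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample export from a hypothetical endpoint-management console.
# Field names and values are assumptions for this example, not a real product's schema.
INVENTORY = [
    {"host": "LAPTOP-01", "av_installed": True, "definitions_updated": "2025-11-10T08:15:00Z"},
    {"host": "LAPTOP-02", "av_installed": True, "definitions_updated": "2025-11-01T09:00:00Z"},
    {"host": "DESKTOP-07", "av_installed": False, "definitions_updated": None},
    {"host": "SRV-FILES", "av_installed": True, "definitions_updated": None},
]

# Assumption: "up to date" means definitions released within the last 24 hours.
MAX_DEFINITION_AGE = timedelta(days=1)

# Assumed time of this Monday's check (fixed so the run is reproducible).
CHECK_TIME = datetime(2025, 11, 10, 12, 0, tzinfo=timezone.utc)


def parse_timestamp(value):
    """Parse a UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ, or return None if absent."""
    if not value:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def classify(device, now, max_age=MAX_DEFINITION_AGE):
    """Return (status, reason) for one device: 'current', 'stale' or 'exception'.

    A device with no antivirus, or no reported definition date, is an exception:
    a missing value is a finding to record, never a silent pass.
    """
    if not device.get("av_installed"):
        return "exception", "antivirus not installed"
    updated = parse_timestamp(device.get("definitions_updated"))
    if updated is None:
        return "exception", "no definition timestamp reported"
    age = now - updated
    if age > max_age:
        return "stale", f"definitions {age.days} days old"
    return "current", "definitions within threshold"


def run_weekly_check(inventory, now, max_age=MAX_DEFINITION_AGE, checked_by="it-admin"):
    """Process steps two to four: verify every device, queue updates, record evidence.

    Returns (log, push_queue): log is the list of central-log records, one per
    device, and push_queue the hosts that need a definition update pushed.
    """
    log = []
    push_queue = []
    for device in inventory:
        status, reason = classify(device, now, max_age)
        if status == "stale":
            push_queue.append(device["host"])
        log.append({
            "checked_at": now.isoformat(),
            "checked_by": checked_by,
            "host": device["host"],
            "status": status,
            "reason": reason,
        })
    return log, push_queue


def summarise(log):
    """Count devices per status so the weekly record shows totals, not just rows."""
    counts = {"current": 0, "stale": 0, "exception": 0}
    for record in log:
        counts[record["status"]] += 1
    return counts


if __name__ == "__main__":
    log, push_queue = run_weekly_check(INVENTORY, CHECK_TIME)
    for record in log:
        print(f"{record['checked_at']} {record['host']:<11} {record['status']:<9} {record['reason']}")
    print("push updates to:", push_queue)
    print("summary:", summarise(log))
```

Each log record carries the check time, the operator and the reason, which is the traceability an assessor asks for; the two exception rows show why a device without a definition date must not be counted as "up to date" just because no stale value was reported.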
Policy: Employees must change passwords whenever compromise is suspected, and are not forced to change them on a fixed schedule.
Process:
When a breach notification, phishing report or other indicator of compromise affects an account, IT forces a password reset on that account.
The user follows the on-screen instructions to create a new password that meets the organisation's password rules.
IT records the trigger, the reset and the completion date, and follows up with reminders for any account still outstanding.
Processes answer the question: “How do we achieve this?”
Why Processes Matter in Cyber Essentials
Cyber Essentials assessors are looking for evidence that controls are actively implemented and maintained, not just that they exist on paper. Submitting only policies without processes can result in non-compliance, because there is no clear proof of action.
Processes demonstrate:
Consistency: The same steps are followed every time.
Accountability: Roles and responsibilities are clear.
Traceability: Actions can be documented and audited.
Effectiveness: Policies are being enforced in practice, not just stated.
Practical Tips for Turning Policies into Processes
Identify the policy you want to implement.
Break it down into actionable steps that anyone can follow.
Assign responsibilities for each step.
Document the process clearly, using checklists or workflow diagrams if needed.
Review and update the process regularly to reflect changes in systems or regulations.
By turning policies into well-defined processes, your organisation not only satisfies Cyber Essentials requirements but also strengthens overall cybersecurity resilience.
Key Takeaway
Think of a policy as the “what” and a process as the “how”. Policies without processes are intentions; processes without policies are inconsistent. Both are required to build a secure, compliant, and auditable environment under the Cyber Essentials framework.