Policies, Standards, and Business Processes form the three-layer governance architecture that translates an organization's risk appetite and strategic objectives into enforceable, day-to-day operational controls. A **Policy** is a governance-level statement of intent that defines organizational expectations and assigns accountability (e.g., 'All data access must be role-based and least-privilege'). A **Standard** specifies the minimum measurable requirements for policy compliance (e.g., 'Access accounts must be reviewed and recertified every 90 days'). A **Business Process** is the documented, step-by-step workflow that operationalizes both — it defines who does what, when, and how, so that policy intent is embedded in daily work (e.g., the access provisioning and deprovisioning procedure). Together, these three layers form the connective tissue of enterprise risk governance: strategy flows down through policies into standards, and standards are enacted through business processes. Within ISACA's CRISC framework, the Policy-Standard-Process (PSP) cascade is the primary mechanism through which risk governance becomes organizationally real and auditable.
Where it stops · what it isn't
- IS: Strategic-level governance policies (risk appetite statements, ethical standards, information security policy) carrying board or executive authority
- IS: Operational policies (access control, change management, incident response) governing specific risk domains
- IS: Supporting standards (technical, compliance, industry) that set measurable performance and compliance minima
- IS: Documented business processes and procedures (BPMN-mapped workflows, SOPs) that implement policies in operational workflows
- IS NOT: Risk assessment methodology — policies govern how assessments are conducted but are not the assessment itself (see Risk Assessment Concepts cubelet)
- IS NOT: Risk appetite-setting — policies translate a pre-existing risk appetite; they do not create it (see Organizational Strategy cubelet)
- IS NOT: IT system configuration or technical controls — standards may specify configuration baselines, but technical implementation is downstream
- IS NOT: Audit and testing procedures — policy validation through audit is a Third Line activity; this cubelet covers policy creation, maintenance, and operational embedding
Connected concepts in the graph
Every cubelet sits in a knowledge graph. Here's what this one connects to.
- PART OF: CRISC Domain 1: Governance
- REQUIRES: Enterprise Risk Management (ERM) Framework; Organizational Risk Appetite Statement
- ENABLES: Risk Assessment and Identification; Risk Response and Treatment; Regulatory Compliance (NIS2, GDPR, NIST CSF 2.0, HIPAA, PCI-DSS); Internal Audit and Policy Effectiveness Validation
- RELATED TO: Organizational Structure and Roles (Three Lines Model); Organizational Strategy and Risk Appetite
- CONSTRAINS: Business Process Design and Change Management