Classification of IT documents

sunhux used Ask the Experts™
I read in one site that IT documents can be classified as
1. Policies (I think this one requires very senior mgmt approval & non-adherences have to be recorded into a deviation list for regular review)
2. Standards (this one needs deviation list too if non-compliant)
3. Procedure (sort of instructional doc)
4. Guidelines (don't need to be adhered to strictly, just for guidance & allows for non-adherences without maintaining deviations)
5. Framework
(guess there are more, say "Checklists" but I'm excluding manuals & handbooks)

There are some debates as to whether to classify the following into one of the above categories:

1. Cloud Computing Implementation:
    A list of how to assess a CSP & requirements for onboarding a system to a cloud
    I think it's "Guidelines", as googling around for “Cloud Onboarding” shows mostly it’s a guide.
    Depending on the criticality of the system that is onboarded to Cloud, the requirements may differ

2. Risk Assessment for Cloud Solution Sample:
    Classify as Checklist (or if there’s no such category, then a Procedure)

3. End User Computing Handbook v1.5:
    I think it's a Guideline or Guide

What about Framework? Does ISO27001 have any mention of how to classify them?

bbao, IT Consultant
Basically, ISO 27001 belongs to the Standards, specifically a group of ISO standards.

Commonly, Framework in context for this manner of clarifying documentation categories should be technical frameworks which your team should follow in project management, product development, and infrastructure engineering, such as COBIT.

Theoretically, Frameworks may also refer to those defined in your Standards, such as the ISMS framework in ISO 27001.

Does it help?


Perhaps I'll paste a sample document's content & need your advice if it's
more appropriate to be classified as policy, framework, guideline or ... :

Refer to the attached for sample content: does such content belong more
to a policy, guideline or framework? I plan to forward it to vendors who
are tendering to place our systems in a cloud
IT Consultant
Thanks for sharing the sample content. It is actually a checklist for given security risks and the possible actions to reduce the risks respectively. It is not policy nor framework nor guideline.

You may consider it a guideline if you have to choose one from the three, but it is too simple (hence checklist), as a guideline commonly gives more info such as problem, explanation, solution and steps (what, why and how to do).

Does it make sense?
