But during both the creation and subsequent audit steps, organizations must beware of "shelfware" -- documentation that sits on the shelf, so to speak, and is never used except to prepare for audits. Of course, this applies to electronic documentation as well.
The point is that policies and procedures must be useful and accessible to the people who need them or else they will not be followed. This is one of the reasons that externally developed policies and procedures cannot be transplanted wholesale. They must be "tuned" for internal use.
Are standards beneficial? Definitely. By using COBIT, ISO 17799 and/or ITIL, organizations have access to a wealth of knowledge developed by thousands of people over many years. Using one or more of these standards as a framework, people developing policies and procedures can better understand what needs to be looked at and can share best practices with peers all over the globe through the Internet, books, classes, seminars, etc.
Focusing on IT
Now, let's discuss what it means to document policies and procedures in IT. For the purpose of this article, we'll assume that a risk analysis has already been performed and decisions made about the appropriate framework(s) to follow and what needs to be done in order to address identified risks.
The best people to do this are those who actually perform the work every day. Depending on your organization, you may create a project team with the appropriate stakeholders. Be sure to carefully select the team, bearing in mind communication skills, stature with peers, etc.
1. Espoused Theories -- One thing to be cautious of is how people view their own jobs and/or the best way of accomplishing tasks. Individuals can inadvertently document what is known as an "espoused theory."
Organizational psychologist Chris Argyris observed that people have a difficult time explaining what it is that they do because they tend to document their ideal method, or the method they would use without consideration of other issues in the workplace that could constrain the use of that method. He called this an "espoused theory."
So people can document policies and procedures from an idealistic perspective that must be reviewed for applicability in the real world.
2. Lack of Totality -- Scientist and philosopher Michael Polanyi observed that people regularly fail to document how they actually perform tasks because they literally know more than they can say. Thus, someone may attempt to document how to do something with the best of intentions, but be unable to do so satisfactorily because he/she isn't fully aware of everything he/she does. Hence it pays to review the work and ensure that it is complete.
3. Simple Mistakes -- In our technical world, it is very simple to make a mistake through errors of interpretation. For example, I may think I know how to back up a system and try to document the process. However, the reality is that I do not know everything and another person may have additional valuable input.
4. Diversity -- By involving the team, people know what is going on and can offer other perspectives. Because of diverse backgrounds and perspectives, better ideas often arise during a peer review session as people build on one another's concepts.
Furthermore, there must be a formal change process for people to proactively review and revise the various policies and procedures. Ideally, the system would be continuously evolving as the environment changes.
The above five steps outline some of the potential phases involved. In practice, treat the implementation of policies and procedures as a project. It needs a plan with tasks, assignments, due dates, milestones, budget, communication plan and so on, just like any other project.
The standard frameworks help identify some of the detail of what needs to be done, but solid project management practices are still required to bring the work to fruition efficiently. Furthermore, once the policies and procedures are implemented, the work does not stop. A continuous improvement process must be put into place that will spur additional projects in the future as the organization and its environment evolve.