What it is
A Plan explains how the organization organizes itself around an important topic.
Plans do not create new rules. Instead, they bring together existing policies and explain how those policies work together, who is responsible, and how the organization prepares for or responds to certain situations.
A plan is a coordination document. It helps people understand the big picture without repeating detailed rules or step-by-step instructions.
Why it exists
Some topics are too large or complex to understand through a single policy. Plans provide structure and coordination across multiple policies, teams, and activities so everyone understands how the organization approaches a given area.
What a plan usually includes
- Purpose and scope
- Roles and responsibilities
- Assumptions and boundaries
- References to related policies
- References to related processes and procedures
- High-level guidance (but not detailed instructions)
Plans are typically approved by leadership and updated over time.
Examples
- System Security Plan (SSP)
- Incident Response Plan
- Disaster Recovery Plan
- Business Continuity Plan
- IT Strategic Plan
- Audit Plan
How to use it
- Read a plan to understand how the organization approaches a topic overall
- Use a plan to find the relevant policies, processes, and procedures
- Use a plan during coordination-heavy activities such as incidents, audits, or planning efforts
Common confusion
Plan vs Policy
A policy defines rules and required outcomes.
A plan organizes policies around a goal.
Plan vs Process
A process describes how work flows from start to finish.
A plan describes coordination and structure.
Plan vs Procedure
A procedure gives step-by-step instructions.
A plan points to procedures.
