ENTER: Five Steps for Governance Documents
by John Bandler
Organizations should be managed effectively and efficiently, for a multitude of good reasons.
As they do this, they will need governance documents, meaning documents that help the organization manage itself. These are the "internal rules" of the organization and include policies, procedures, standards, and more.
These sound principles extend to all areas of organization management.
Governance is the process of how organizations manage themselves. No two organizations are the same, with variations in mission, size, decision making and implementation, history, people, culture, and more. Needless to say, there is wide variety in how organizations document their rules, and in how they follow them. Every organization can improve, and good policies and procedures are helpful to guide organization and individual conduct.
ENTER is a helpful initialism for managing our policies and other documents
Organization documents should be efficient, comply with external laws, properly direct organization action and aid with mission achievement.
In 2020 I came up with the ENTER concept:
- Evaluate circumstances and documents
- Newly create or update documents
- Train all members of the organization on the documents
- Ensure practice follows policy
- Review and update periodically
Let's examine each.
Evaluate
The organization should evaluate a host of criteria including circumstances and existing documents. Consider:
- External rules (laws and regulations) and how they apply to the organization
- Compliance with these laws
- Protection of the organization from risks (including cybercrime and legal risks)
- Prioritizing risk management
- Mission and business needs
- External guidance
- Prioritizing document update and creation
The organization can consider my Five Components for Policy Work during this evaluation.
Newly create or update
Next the organization should plan to newly create or update governance documents such that they:
- Comply with external rules
- Help the organization accomplish the mission and business needs
- Are clear, consistent, understandable, and helpful
- Are efficient and effective (not shelf-ware).
Train
Next, the organization should train all members of the organization (from the newest hire to the CEO) on the governance documents.
This training can take a variety of forms and degrees of formality.
The organization should consider obtaining acknowledgements from employees that they have read and will abide by the new or updated policy.
Ensure practice follows policy
Then, the organization should ensure that practice (action) follows the policy. In other words, make sure that the organization and the individuals within it are complying with the rules. If they are not complying, then corrective action should be taken as appropriate to achieve compliance. (If review indicates that the rule is not practical and cannot or should not be complied with, then the rule should be changed.)
Review and update
Finally, organizations should review and update policies and practices periodically, and evaluate the need for an update, changes, and new policies. Occasionally documents should be retired.
Governance documents are important
Governance documents are important, with legal significance. They should never be slapped into place quickly, and thoughtless "copy and paste" can cause lasting damage to an organization.
Organizations should banish these thoughts or statements:
- “We need to get a policy in place quickly so we have it and can show [insert name]. But we don’t really need to follow it.”
- "We have good policies on paper, but we don't really follow them."
My Three Platforms to Connect for compliance concept guides how governance documents fit in with laws, regulations, and the practice of the organization. The three areas to consider are:
- Laws and regulations (external rules)
- Policies, procedures, and other internal rules
- Practice, action, what is actually done by the organization and its people.
These three platforms should align; organizations should reduce the gaps between them and "watch the gap".
Then, the Fourth Platform to Connect adds mission and business needs, since organizations do not exist just to comply. They need to earn revenue, do good and help individuals and society by providing a necessary service or product.
And finally, I have already introduced my Five Components for Policy Work, which adds external guidance.
Good management of an organization requires appropriate documentation that aligns external rules with organization practice and promotes efficiency and compliance. ENTER is a handy acronym to help you think about your policy work.
This article is for your information and learning, and of course is not tailored to your circumstances, nor is it legal or consulting advice. It also contains my opinion and perspective.
If your organization needs help with improving cybersecurity and protecting from cybercrime, creating or improving policies, and complying with cybersecurity related laws and regulations, contact me.
- Five Components for Policy Work
- My online course on security documents at Infosec Institute (coming soon). Link to my author page at Infosec.
- Policy and Procedure Research and References (I have researched and built out many articles on the topic and they are all listed in this article)
- Bandler's Three Platforms to Connect
- Bandler's Fourth Platform to Connect
- Internal Rules
- Policies and Procedures
- Cybersecurity, Privacy, You, and Your Organization
- Cybersecurity review and improvement for your organization - a checklist
- Introduction to Cybersecurity and Information Security
- Cybersecurity Laws and Regulations Part 1 (general legal overview)
- Bandler's Free Starter Cybersecurity Policy
- Bandler's Four Pillars of Cybersecurity
- The Three Priority Cybercrime Threats
- Cybercrime Frauds Involving Email and Funds Transfers (Email based funds transfer frauds, like business email compromise (BEC) and CEO fraud)
- Data Breaches
This article is hosted at https://johnbandler.com/enter-five-steps-for-governance-documents, copyright John Bandler, all rights reserved.
This article carves out my "ENTER" concept from my 2020 article: Policies, Procedures, and Governance of an Organization.
This article is also available on Medium.com at (not yet) (though not kept as up to date).
Originally posted 10/31/2023, updated 11/19/2022.