by John Bandler
External guidance is materials or advice that organizations may consult when creating and updating policies or otherwise seeking to improve their practices and action.
Guidance is voluntary, not mandatory (in contrast with legal requirements such as laws and regulations, which are binding obligations).
These concepts apply across all areas of organization management, though this article is written primarily in the context of information governance -- properly managing information assets such as computer devices, data, networks, and more. There is no shortage of external guidance on this topic.
External guidance within the five components for policy work
As I have developed these concepts, I have come to think of five main components to consider when creating or improving policies.
Four are platforms; the fifth component, external guidance, is a more diffuse "cloud."
This diagram shows all five components together, viewed from above.
The five components are:
- External guidance: helpful and relevant voluntary guides to our policies and actions.
- External rules: laws, regulations, and other legal requirements.
- Internal rules: policies, procedures, and more.
- Practice (or action): what is actually done.
- Mission and business needs: the reason the organization exists in the first place.
The Four Platforms concept
The four platforms can also be viewed from the front with a little perspective; the idea is that organizations conceptually align these four platforms and build them out as needed.
External guidance is everywhere; the challenge is finding guidance that is good and applicable to the organization, adapting it as needed, and then incorporating it into internal rules (policies and procedures).
Whereas external rules must be properly identified and complied with, external guidance is purely optional. Organizations research and identify helpful guidance, and can then adopt that guidance in whole or in part, adapting it as needed.
External guidance includes:
- Pretty much anything
- Websites (including this one)
- Information security frameworks (of which there are many)
- External consultants, legal advice, or subject matter experts
- Guidance put out by government entities which regulate or enforce an area
- Guidance from business partners
Topics for external guidance include:
- Governance and policy creation ideas
- Cybersecurity and information security
- Cybercrime prevention
Examples of specific external guidance include:
- Coming soon
Businesses should understand external guidance in order to speed their adoption of certain best practices, to draft appropriate internal rules, and to accomplish their mission.
This article is (of course) not tailored to your circumstances, nor is it legal or consulting advice.
If your organization needs help with improving its internal documentation, incorporating best practices, and complying with external rules, including those regarding cybersecurity and protection from cybercrime, feel free to contact me.
- External Guidance (this page)
- External Rules
- Internal Rules
- Bandler's Three Platforms to Connect
- Bandler's Fourth Platform to Connect
- Policy and Procedure Research and References (I have researched and built out many articles on the topic and they are all listed in this article)
- Policies and Procedures (and other governance documents)
- Policies, Procedures, and Governance of an Organization
- Policy Checklist
- Internal Rules Planning
- Internal Rules Building
- Cybersecurity, Privacy, You, and Your Organization
- New York Cybersecurity Requirements and the SHIELD Act
- Cybersecurity review and improvement for your organization - a checklist
- Introduction to Cybersecurity and Information Security
This article is hosted at https://johnbandler.com/external-guidance, copyright John Bandler, all rights reserved.
This article is also available on Medium.com at NOT YET (though not kept as up to date).
Originally posted 9/19/2022, updated 9/19/2022.