External Guidance

External Guidance 

by John Bandler

External guidance is materials or advice that organizations may consult when creating and updating policies or otherwise seeking to improve their practices and action.

Guidance is voluntary, not mandatory (in contrast with legal requirements such as laws and regulations which are required obligations). So organizations can seek guidance, and then are free to adopt, adapt, or disregard that guidance as they see fit.

These concepts apply across all areas of organization management, though this article is written primarily in the context of information governance -- properly managing information assets such as computer devices, data, networks, and more. There is no shortage of external guidance on this topic.

External guidance within the five components for policy work

We can think of five main components to consider when evaluating organization management and updating or creating policies and other organization rules.

Four are platforms (constructed by the organization or government) and the fifth component is the more nebulous "cloud" of external guidance.

We can view all five components together in this diagram.

The five components are:

• External guidance: Helpful and relevant voluntary guides to our policies and actions.
• External rules: Laws, regulations, and other legal requirements
• Internal rules: Policies, procedures, and more
• Practice: or action -- what is actually done.
• Mission and business needs, the reason the organization exists in the first place.

The Four Platforms concept

The above components builds upon my Four Platforms to Connect model (which in turn built upon my earlier Three Platforms to Connect compliance framework).

We can view those four platforms with a nice front view and a little perspective, and the idea is that organizations conceptually align and build as needed these four platforms.

External guidance

External guidance is everywhere, the challenge is finding what is good and applicable to the organization, adapting it as needed, and then incorporating it into internal rules (policies and procedures).

Whereas external rules must be properly identified and complied with, external guidance is purely optional. Organizations research and identify helpful guidance, then can adopt that guidance in whole or in part, adapting as needed.

External guidance includes:

• Pretty much anything
• Websites (including this one)
• Books
• Articles
• Cybersecurity and information security frameworks (of which there are many, including my Four Pillars of Cybersecurity)
• Advice from employees, consultants, subject matter experts, and lawyers. (Note that lawyers sometimes will tell you what the law is and what you must do to comply with the law, so that would also be within the "external rule" category)
• Guidance put out by government entities which regulate or enforce an area
• Guidance from business partners

Topics for external guidance include:

• Cybersecurity and information security
• Cybercrime prevention
• Privacy
• Security
• Management and governance
• Creation and updating of internal documents

Cybersecurity frameworks

Cybersecurity frameworks are guidance. Some are too complex for many small and mid-sized organizations. Thus I developed my Four Pillars of Cybersecurity. Links below.

Conclusion

Businesses should understand external guidance in order to speed their adoption of certain best practices, to draft appropriate internal rules, and accomplish their mission.

This article is (of course) not tailored to your circumstances, nor is it legal or consulting advice.

If your organization needs help with improving its internal documentation, incorporation of best practices, and compliance with external rules, including regarding cybersecurity and protecting from cybercrime, feel free to contact me.

Additional reading

• Five Components for Policy Work
• External Guidance
  • Cybersecurity Frameworks and Guidance
  • Bandler's Four Pillars of Cybersecurity
  • Cybersecurity review and improvement for your organization - a checklist
  • Introduction to Cybersecurity and Information Security
  • Bandler's Free Starter Cybersecurity Policy
• External Rules
  • Cybersecurity Laws and Regulations Part 1 (general legal overview)
  • Privacy
  • Contract Law - An Introduction
  • Cyber insurance
  • Negligence Law
  • Introduction to Law (Outline)
  • Rules
• Internal Rules
  • Bandler's Three Platforms to Connect
  • Bandler's Fourth Platform to Connect
  • Policy and Procedure Research and References (I have researched and built out many articles on the topic and they are all listed in this article)
  • Policies and Procedures (and other governance documents)
  • Policies, Procedures, and Governance of an Organization
  • Policy Checklist
  • Internal Rules Planning
  • Internal Rules Building
  • Rules
• Business needs and mission
• Practice and action

This article is hosted at https://johnbandler.com/external-guidance, copyright John Bandler, all rights reserved.

This article is also available on Medium.com at https://johnbandler.medium.com/external-guidance-c30404f978e9 (though not kept as up to date).

Originally posted 9/19/2022, updated 1/25/2023.