External Guidance 

by John Bandler

External guidance is materials or advice that organizations may consult when creating and updating policies or otherwise seeking to improve their practices and action.

Guidance is voluntary, not mandatory (in contrast with legal requirements such as laws and regulations which are required obligations).

These concepts apply across all areas of organization management, though this article is written primarily in the context of information governance -- properly managing information assets such as computer devices, data, networks, and more. There is no shortage of external guidance on this topic.

External guidance within the five components for policy work

[Diagram: Planning policies with Bandler's Five Components: External Guidance]

As these concepts have evolved, I think of five main components to consider when creating or improving policies.

Four are platforms, and the fifth component is the more ambiguous "cloud" of external guidance.

The diagram above shows all five components together, viewed from a top-down perspective.

The five components are:

  • External guidance: helpful and relevant voluntary guides to our policies and actions.
  • External rules: laws, regulations, and other legal requirements.
  • Internal rules: policies, procedures, and more.
  • Practice (or action): what is actually done.
  • Mission and business needs: the reason the organization exists in the first place.

The Four Platforms concept

[Diagram: Bandler's Four Platforms to Connect]

The components above build upon my Four Platforms to Connect model (which in turn built upon my earlier Three Platforms to Connect compliance framework).

The diagram above shows those four platforms from the front with a little perspective; the idea is that organizations conceptually align these four platforms and build each as needed.

External guidance

External guidance is everywhere; the challenge is finding what is good and applicable to the organization, adapting it as needed, and then incorporating it into internal rules (policies and procedures).

Whereas external rules must be properly identified and complied with, external guidance is purely optional. Organizations research and identify helpful guidance, then adopt it in whole or in part, adapting as needed.

External guidance includes:

  • Pretty much anything
  • Websites (including this one)
  • Books
  • Articles
  • Information security frameworks (of which there are many)
  • External consultants, legal advice, or subject matter experts
  • Guidance put out by government entities which regulate or enforce an area
  • Guidance from business partners

Topics for external guidance include:

  • Governance and policy creation ideas
  • Cybersecurity and information security
  • Cybercrime prevention
  • Privacy

Examples of specific external guidance include:

  • Coming soon


Businesses should understand external guidance in order to speed their adoption of best practices, to draft appropriate internal rules, and to accomplish their mission.

This article is (of course) not tailored to your circumstances, nor is it legal or consulting advice.

If your organization needs help with improving its internal documentation, incorporating best practices, and complying with external rules, including those concerning cybersecurity and protection from cybercrime, feel free to contact me.

Additional reading

This article is hosted at https://johnbandler.com/external-guidance, copyright John Bandler, all rights reserved.

This article is also available on Medium.com at NOT YET (though not kept as up to date).

Originally posted 9/19/2022, updated 9/19/2022.