External Guidance 

by John Bandler

External guidance is materials or advice that organizations may consult when creating and updating policies and seeking to improve their practices and action.

Guidance is voluntary, not mandatory (in contrast with legal requirements such as laws and regulations which are required obligations). This means organizations can seek guidance, and then are free to adopt, adapt, or disregard that guidance as they see fit.

These concepts apply across all areas of organization management, though this article is written primarily in the context of information governance -- properly managing information assets such as computer devices, data, networks, and more. There is plenty of external guidance on this topic, so the challenge is finding something helpful and properly adapting it.

External guidance within the five components for policy workBandlers Five Components for Policy Work 2022 (5) External guidance

We can think of five main components to consider when evaluating organization management and updating or creating policies and other organization rules.

Four are platforms (constructed by the organization or government) and the fifth component is the more nebulous "cloud" of external guidance.

We can view all five components together in this diagram.

The five components are:

  • External guidance: Helpful and relevant voluntary guides to our policies and actions.
  • External rules: Laws, regulations, and other legal requirements
  • Internal rules: Policies, procedures, and more
  • Practice: or action -- what is actually done.
  • Mission and business needs, the reason the organization exists in the first place.

Guidance rounded out my prior conceptsBandlers Four Platforms to Connect (1) inline

Guidance is the fifth and final component.

I started with the Three Platforms to Connect compliance framework, then added mission to make four with the Four Platforms to Connect model.

We can view those four platforms with a nice front view and a little perspective, and the idea is that organizations conceptually align and build as needed these four platforms.

External guidance

External guidance is everywhere, the challenge is finding what is good and applicable to the organization, adapting it as needed, and then incorporating it into internal rules (policies and procedures).

Whereas external rules must be properly identified and complied with, external guidance is purely optional. Organizations research and identify helpful guidance, then can adopt that guidance in whole or in part, adapting as needed.

External guidance includes:

  • Pretty much anything
  • Websites (including this one)
  • Books
  • Articles
  • Cybersecurity and information security frameworks (of which there are many, including my Four Pillars of Cybersecurity)
  • Advice from employees, consultants, subject matter experts, and lawyers. (Note that lawyers sometimes will tell you what the law is and what you must do to comply with the law, so that would also be within the "external rule" category)
  • Guidance to comply with external rules put out by the government entities which regulate or enforce that area
  • Guidance from business partners

Topics for external guidance include:

  • Cybersecurity and information security
  • Cybercrime prevention
  • Privacy
  • Security
  • Management and governance
  • Creation and updating of internal documents

Cybersecurity frameworks

Cybersecurity frameworks are guidance and best practices.

There are a number of cybersecurity frameworks that are completely free and well respected, including the NIST Cybersecurity Framework. Others may be proprietary and require payment or subscription or acceptance of licensing terms.

My Four Pillars of Cybersecurity is a simple cybersecurity framework any organization can adopt.

I discuss frameworks further in other articles.


Businesses should understand external guidance in order to speed their adoption of certain best practices, to draft appropriate internal rules, and accomplish their mission.

This article is (of course) not tailored to your circumstances, nor is it legal or consulting advice.

If your organization needs help with improving its internal documentation, incorporation of best practices, and compliance with external rules, including regarding cybersecurity and protecting from cybercrime, feel free to contact me.

Additional reading

This article is hosted at https://johnbandler.com/external-guidance, copyright John Bandler, all rights reserved.

This article is also available on Medium.com at https://johnbandler.medium.com/external-guidance-c30404f978e9 (though not kept as up to date).

Originally posted 9/19/2022, updated 12/17/2023.