Five Components for Policy Work

Five Components for Policy Work

by John Bandler

Organizations can use these five components for policy work when managing, governing, and creating and updating internal rules such as policies and procedures.

These concepts apply across all areas of organization management, though this article is written primarily in the context of information governance -- properly managing and securing information assets such as computer devices, data, networks, and more.

The five components for policy work

We can think of five main components to consider when doing policy creation or improvement, they are:

• Mission and business needs: The reason the organization exists in the first place.
• External rules: Laws, regulations, and other legal requirements.
• External guidance: Helpful and relevant voluntary guides to our policies and actions.
• Internal rules: Policies, procedures, and more.
• Practice or action: what is actually done.

Four components are platforms because organizations get to build, define, and align them in accordance with their strategic and operational needs.

The fifth component is a less concrete "cloud" of external guidance. I made this a cloud (not a platform) because it is less defined, almost infinite, and organizations need to select their guidance and adapt it appropriately to suit their needs.

The three and four platforms concepts

Early in the evolution of this thinking, I started with the Three Platforms to Connect compliance framework. It presented a conceptual way to identify external rules, develop internal rules that align with those laws, and then ensure practice follows policy and the law. This is a compliance oriented way of thinking that resonates for some, but not all.

To properly help organizations succeed, we need to add mission and business needs, the Fourth Platform to Connect. Organizations exist to fulfil the mission, serve clients and customers and earn revenue, so most in the organization identify with this platform.

Internal rules and practice can and should align with both external rules and organization mission.

We can view those four platforms with a nice front view and the idea is that organizations conceptually align these four platforms as they build their internal rules and practice. We can also think about a "compliance line" and a "mission line" which I discuss in the Fourth Platform article.

We needed a fifth component of guidance

External guidance is voluminous on a multitude of areas, including best practices for management, for providing whatever good or service the company provides, cybersecurity, privacy, policy management, and more.  So that is the fifth component and it is depicted as a cloud since it is gigantic, amorphous, voluntary, and adaptable.

I think five components is all we need and I don't anticipate adding any more.

This article is short!

Some might say mercifully short, but others will look for more and I provide it.

More details on each component in separate articles linked to below. Then each of those articles has links to even more articles and outside references. I even built an online course devoted to policies and centered on the five components framework.

Conclusion

Businesses can use the five components for policy work to build and improve their policies and other internal rules to further their mission, protect against cybercrime, and comply with legal requirements. I built the concept for cybersecurity and privacy, but it applies to any area of organization management, operation, and compliance.

This article is (of course) not tailored to your circumstances, nor is it legal or consulting advice.

If your organization needs help with improving its internal documentation, incorporation of best practices, and compliance with external rules, including regarding cybersecurity and protecting from cybercrime, please contact me.

Additional reading

• Five Components for Policy Work (this page)
  • External Guidance
    • Cybersecurity Frameworks and Guidance
    • Bandler's Four Pillars of Cybersecurity
    • Everything in this website is guidance
    • Cybersecurity review and improvement for your organization - a checklist
    • Introduction to Cybersecurity and Information Security
    • Bandler's Free Starter Cybersecurity Policy
    • Risk
  • External Rules
    • Cybersecurity Laws and Regulations Part 1 (general legal overview and link to Part 2)
    • Privacy
    • Cyber insurance
    • Law
    • Rules
    • Cyberlaw
    • Introduction to Law (Outline)
  • Internal Rules
    • Bandler's Three Platforms to Connect
    • Bandler's Fourth Platform to Connect
    • Policies and Procedures (and other governance documents)
    • Policies, Procedures, and Governance of an Organization
    • Policy Checklist
    • Internal Rules Planning
    • Internal Rules Building
    • ENTER: Five Steps for Governance Documents
    • Policy and Procedure Research and References (I have researched and built out many articles on the topic and they are all listed here)
    • Bandler's Free Starter Cybersecurity Policy
  • Mission and Business Needs
  • Practice and Action
• Policy Project Planning and Execution
• My online course on Corporate Security Policies at Infosec Institute (now live!)
  • Public landing page at Infosec, https://www.infosecinstitute.com/skills/learning-paths/corporate-security-policies/
  • Learning portal page, https://app.infosecinstitute.com/portal/skills/path/18623
  • My author page at Infosec
  • BANDLER50 is my 50% off coupon at Infosec, learn more

This article is hosted at https://johnbandler.com/five-components-for-policy-work, copyright John Bandler, all rights reserved.

This article is also available on Medium.com at https://johnbandler.medium.com/five-components-for-policy-work-e4441f36fa55 (though not kept as up to date).

This article is also available on LinkedIn.com at https://www.linkedin.com/pulse/five-components-policy-work-john-bandler (though not kept as up to date).

Originally posted 10/21/2022, updated 12/12/2023.