Five Components for Policy Work

by John Bandler

Organizations can use these five components for policy work when managing, governing, and creating and updating internal rules such as policies and procedures.

These concepts apply across all areas of organization management, though this article is written primarily in the context of information governance -- properly managing and securing information assets such as computer devices, data, networks, and more.

The five components for policy workBandlers Five Components for Policy Work 2022 (1) All

We can think of five main components to consider when doing policy creation or improvement, they are:

  • Mission and business needs: The reason the organization exists in the first place.
  • External rules: Laws, regulations, and other legal requirements.
  • External guidance: Helpful and relevant voluntary guides to our policies and actions.
  • Internal rules: Policies, procedures, and more.
  • Practice or action: what is actually done.

Four components are platforms because organizations get to build, define, and align them in accordance with their strategic and operational needs.

The fifth component is a less concrete "cloud" of external guidance. I made this a cloud (not a platform) because it is less defined, almost infinite, and organizations need to select their guidance and adapt it appropriately to suit their needs.

The three and four platforms conceptsBandlers Three Platforms to Connect simple

Early in the evolution of this thinking, I started with the Three Platforms to Connect compliance framework. It presented a conceptual way to identify external rules, develop internal rules that align with those laws, and then ensure practice follows policy and the law. This is a compliance oriented way of thinking that resonates for some, but not all.

To properly help organizations succeed, we need to add mission and business needs, the Fourth Platform to Connect. Organizations exist to fulfil the mission, serve clients and customers and earn revenue, so most in the organization identify with this platform.

Internal rules and practice can and should align with both external rules and organization mission.

Bandlers Four Platforms to Connect (1) inline

We can view those four platforms with a nice front view and the idea is that organizations conceptually align these four platforms as they build their internal rules and practice. We can also think about a "compliance line" and a "mission line" which I discuss in the Fourth Platform article.

We needed a fifth component of guidance

External guidance is voluminous on a multitude of areas, including best practices for management, for providing whatever good or service the company provides, cybersecurity, privacy, policy management, and more.  So that is the fifth component and it is depicted as a cloud since it is gigantic, amorphous, voluntary, and adaptable.

Bandlers Five Components for Policy Work 2022 (1) All

I think five components is all we need and I don't anticipate adding any more.

This article is short!

Some might say mercifully short, but others will look for more and I provide it.

More details on each component in separate articles linked to below. Then each of those articles has links to even more articles and outside references. I even built an online course devoted to policies and centered on the five components framework.


Businesses can use the five components for policy work to build and improve their policies and other internal rules to further their mission, protect against cybercrime, and comply with legal requirements. I built the concept for cybersecurity and privacy, but it applies to any area of organization management, operation, and compliance.

This article is (of course) not tailored to your circumstances, nor is it legal or consulting advice.

If your organization needs help with improving its internal documentation, incorporation of best practices, and compliance with external rules, including regarding cybersecurity and protecting from cybercrime, please contact me.

Additional reading

This article is hosted at, copyright John Bandler, all rights reserved.

This article is also available on at (though not kept as up to date).

This article is also available on at (though not kept as up to date).

Originally posted 10/21/2022, updated 12/12/2023.