Five Components for Policy Work

by John Bandler

I have developed five components for policy work that organizations can consider when creating internal rules such as policies, procedures, and standards.

These concepts apply across all areas of organization management, though this article is written primarily in the context of information governance -- properly managing information assets such as computer devices, data, networks, and more. There is no shortage of external guidance on this topic.

The five components for policy work

[Diagram: Bandler's Five Components for Policy Work – All]

As I have evolved these concepts, we can think of five main components to consider when doing policy creation or improvement.

Four are platforms and the fifth component is the more ambiguous "cloud" of external guidance.

We can view all five components together in this diagram, where we view everything from a top view perspective.

The five components are:

  • Mission and business needs, the reason the organization exists in the first place.
  • External rules: Laws, regulations, and other legal requirements.
  • External guidance: Helpful and relevant voluntary guides to our policies and actions.
  • Internal rules: Policies, procedures, and more (that currently exist).
  • Practice (or action): What is actually done.

The Four Platforms concept

[Diagram: Bandler's Three Platforms to Connect, simple]

The above components build upon my Four Platforms to Connect model (which in turn built upon my earlier Three Platforms to Connect compliance framework).

We can view those four platforms with a nice front view and a little perspective, and the idea is that organizations conceptually align and build as needed these four platforms.

[Diagram: Bandler's Four Platforms to Connect]

More details

I lay out more details on each component in other articles linked to below.


Businesses need to build and improve their policies (internal rules) to aid in mission accomplishment, protect against cybercrime, and comply with legal requirements.

This article is (of course) not tailored to your circumstances, nor is it legal or consulting advice.

If your organization needs help with improving its internal documentation, incorporation of best practices, and compliance with external rules, including regarding cybersecurity and protecting from cybercrime, feel free to contact me.

Additional reading

This article is hosted at, copyright John Bandler, all rights reserved.

This article is also available on at (though not kept as up to date).

Originally posted 10/21/2022, updated 11/08/2022.