Information governance

by John Bandler

Information governance is simply information management. Managing your information assets and information systems.

Organization should bring principles of good management to their information assets, just like they want to bring good management to all other aspects of their business.

Good management means exercising due diligence when making decisions that affect information systems.

It means bringing the Five Components of Policy Work to information systems.

It means these general principles:

  • Someone is in charge, and staying on top of important issues and decisions
  • Important stakeholders are consulted regarding important decisions
  • Laws and regulations (external rules) are considered
  • Mission and business needs are considered
  • The organization has written policies and procedures (internal rules) which are reviewed and updated and followed
  • The organization has consulted reliable external guidance (best practices)
  • The organization considers what their practices are and should be
  • The organization trains its people.

A brick and mortar analogy

If an individual or family was considering buying or renting a home and moving, or buying a new car, imagine the research and due diligence that goes into that.

If an organization is considering office or business locations, imagine the research and decision making for that.

But sometimes technology intimidates people, or technology decisions are made on the fly, or the status quo is continued without evaluation.

Clearly, information systems are an important part of business operation, so a commensurate amount of diligence should go into it.

Traditional decision making concepts can be brought to technology.

The three goalsBandler Cybersecurity Info Governance three goals 2023-12-11

The three goals are:

  • Protect - Cybersecurity and cybercrime protection: This is important for legal compliance and accomplishing the mission. Cybercrime risks need to be considered, and appropriate decisions made.
  • Comply - Legal compliance and other legal issues: As above, cybersecurity is a legal duty. Information governance also includes eDiscovery planning. Know what data you are storing and why before a data breach, before a lawsuit.
  • Mission and business needs: Well run businesses can serve their clients and customers the best, accomplish their mission the best, and earn more revenue. Since information systems are so important to every business, it stands to reason that this part of the business should also be managed well.

The five components for policy workBandlers Five Components for Policy Work 2022 (1) All

Policy work is a part of management, because as organizations grow past a certain size, unwritten rules cannot properly be conveyed.

So to best manage, we need to create written documentation.

We can think of five main components to consider when doing policy creation or improvement, they are:

  • Mission and business needs: The reason the organization exists in the first place.
  • External rules: Laws, regulations, and other legal requirements.
  • External guidance: Helpful and relevant voluntary guides to our policies and actions.
  • Internal rules: Policies, procedures, and more (that currently exist).
  • Practice or action: what is actually done.

You need a written policy (probably)Policies and Procedures Bandler Book Front Cover

Organizations will need written rules to help them manage their information systems and cybersecurity.

That's why I wrote a book about it.

What's next?

Organizations can do these things, to a reasonable degree, and improve upon them all periodically.

  • Put a person and a group in charge of information governance
  • Put a person in charge of information security
  • Assess and identify applicable laws and regulations (external rules)
  • Create internal rules (policies and procedures) and continually review, update, and follow them
  • Know your information assets and systems, do an inventory, periodically update and improve upon it
  • Conduct due diligence for decision making about information systems
  • Train your people.

What could go wrong?

Imagine all the bad things that could happen to an organization that doesn't manage information assets well:

  • Data breach, and then you need to work to answer the question "what data was there anyway"
  • Lawsuit, and then you need to work to answer the question "what data are we storing anyway"
  • Inefficiency
  • Accounts forgotten about, lose access, compromised by an attacker
  • Using multiple accounts or software providers for the same service
  • Forget data is being stored in a particular location or application
  • Forget to pay the phone bill, lose the company phone number
  • Forget to pay the internet bill, lose internet access

What could go right or be improved?

Almost everything.

The better you manage your information assets and information systems, the better you can use them. And you are properly managing risks.

There is waste and inefficiency if you have duplicate assets or cannot find them or properly harness them.


This article is (of course) not tailored to your circumstances, nor is it legal or consulting advice.

This is to inform and you assume all risk for cybersecurity decisions you make. This is an introduction and more can be written on this topic.

I may explain nuances further in other articles, or one of my books. Other experts may have differing opinions.

Ask ten different IT or IS experts, you will get ten or more different definitions for a term, and as many different recommendations for cybersecurity posture. Cybersecurity is about decisions and risk management.


Information assets are essential, your organization should consider an inventory of them! See that article below.

If your organization needs help with improving its cybersecurity, feel free to contact me.

Additional reading

This article is hosted at, copyright John Bandler, all rights reserved.

This article is also available on at NOT YET (though not kept as up to date).

Originally posted 12/10/2023, updated 3/14/2024.