Internal Rules Building

by John Bandler

This analogy for assessing and building an organization's internal rules can be useful for every organization. A good analogy doesn't have to be perfect, but some (like this one) are better than others. I have been using the internal rules platform analogy for some time, and it extends well when we examine the construction of internal rules.

Recapping the Platforms and Five Components

[Figure: Bandler's Three Platforms to Connect (simple)]

I use the "platform" analogy when discussing organization mission and compliance.

Within my Three Platforms to Connect for Compliance, there are three areas to consider and align for compliance analysis:

  • Laws and regulations (external rules)
  • Policies, procedures, and other internal rules
  • Practice, action, or what is actually done.

[Figure: Bandler's Four Platforms to Connect]

Then I add a fourth platform of Mission and Business Needs.

And finally add a fifth component (a cloud) of External Guidance to ensure best practices are considered.

That leaves us with Five Components for Policy Work.

[Figure: Bandler's Five Components for Policy Work (all)]

In this article, we are focusing on the internal rules, and how to build and assess them conceptually as a platform.

The "rules platform" analogy is better than the "rules pyramid"

I rethought the traditional "rules pyramid" analogy and created the "rules platform".

One of the problems with the rules pyramid is the analogy breaks down for anything but a fully built set of internal rules.

With the rules "platform", we have a good way to conceptualize how to analyze and build it, no matter what organization, no matter their size, type, and relative maturity.

A small startup organization might be excused if it didn't have a single written policy. Is a two-person company violating good practices simply because it does not have a written cybersecurity policy and incident response plan?

My analogy accommodates all circumstances. It recognizes that rules can be unwritten (though organizations need to exercise caution relying upon this). Small startups that grow and mature create culture and written rules little by little. Some organizations create and maintain a library of policies, standards, procedures, and more. The analogy works for all of that.

I discuss this more in my article on rethinking the rules pyramid.

Our finished rules platform

[Figure: Building Internal Rules Platform 1, all built]

Let's take a look at what our finished rules platform should look like. It is sturdy (won't collapse), nicely finished and aligns with the other platforms. Thanks to our label, we see this platform includes written rules (policies, procedures, etc.) and unwritten rules.

But we want to see how we could build it, even if we build little by little, over the years.

And we realize not every organization has all of these written documents for all areas of operation.

So next we look at how this platform might be built, for example in a brand new company.

A rules platform relying only on "unwritten rules"

[Figure: Building Internal Rules Platform 2, no written rules yet]

I have said this before, but sometimes unwritten rules are not worth the paper they are written on.

That said, we must recognize that organizations and supervisors issue verbal instructions. These, together with corporate culture, shape individual action and need to be recognized.

We cannot insist every rule be reduced to writing -- that would be overly cumbersome.

And we cannot expect a brand new startup to have a full suite of policies and procedures.

This means the internal rules platform can be built without written rules. Think of the platform as a box, and depending on the strength of that organization culture, the box is paper, cardboard, sheet metal, or thick steel.

Again, I generally do not recommend relying on unwritten rules, for many reasons we won't get into now.

Let's create some policies

[Figure: Building Internal Rules Platform 3, create policies]

A good way to start building written internal rules is with policies, which are normally general (not specific or detailed) and do not require frequent update or change.

Policies are like pillars, which strengthen our internal rules platform. Good policies are steel-reinforced pillars that add substance and bracing to the existing culture and unwritten rules, and ensure mission and compliance align.

Of course, not every policy is good. It is up to the organization to build good, strong policies that fit where the platform is supposed to be.

Now some standards

[Figure: Building Internal Rules Platform 4, standards]

In information security, a standard may be necessary. Standards are more detailed than a policy but are less detailed than a procedure. Standards need to comply with policies, which are higher level documents.

Here, I depict standards as orange pillars that are narrower than the policies. They fill in the gaps the more general policies cannot reach. Good standards provide additional detail that the organization and employees need to do their jobs and configure systems.

Now some procedures

[Figure: Building Internal Rules Platform 5, procedures]

Procedures are the most detailed type of written internal rule, so I depict them as narrow columns.

Procedures need to comply with standards and policies.

They generally provide step-by-step instructions to accomplish a task.

The final product, our internal rules platform

[Figure: Building Internal Rules Platform 1, all built]

I already showed you what our finished internal rules platform looks like, but here it is again now that you know what is inside.

Imagine a well-built suite of internal rules, some verbal, some written, all of which fit and support the platform. The platform is properly aligned with laws and regulations, as well as the organization's mission.

Employees and the organization know what they need to do, and can focus on doing it, and fulfilling the mission of the organization.


Businesses need to build internal rules and practices that align with business needs and external rules.

We think of our internal rules as a platform, and build them with good culture, verbal instructions, policies, standards, and procedures.

Then we can turn to the Three Platforms and Four Platforms to Connect concepts, and consider external rules, business needs, guidance, and more.

This article is (of course) not tailored to your circumstances, nor is it legal or consulting advice.

If your organization needs help with improving its internal documentation and compliance with external rules, including regarding cybersecurity and protecting from cybercrime, let me know.

Additional reading

This article is hosted at, copyright John Bandler, all rights reserved.

This article is also available on at NOT YET (though not kept as up to date).

Originally posted 5/30/2022, updated 12/16/2023.