Internal Rules Bandlers Five Components for Policy Work 2022 (2) Internal rules

by John Bandler

"Internal rules" means any rule an organization creates for itself and its employees, and is an important platform for organization management and governance (including management of digital assets for cybersecurity and privacy). Internal rules are one of my Five Components for Policy Work, and within my earlier platform concepts.

Many may use the term "policies and procedures" but governance documents come in many shapes and names. "Internal rules" includes all those documents and also unwritten rules and culture.

I write this primarily in the context of information governance -- properly managing information assets such as computer devices, data, networks, and more. But these concepts apply across all areas of organization management.

Internal Rules within Bandlers Three Platforms to Connect diagram

Internal rules within the Three Platforms concept

And I discuss these internal rules within the framework of my Three Platforms to Connect for compliance method which visualizes how legal requirements, internal policy, and organization practice should align.

The three areas to consider for compliance analysis are:

  • External rules: Laws and regulations
  • Internal rules: Policies, procedures, and more
  • Practice: or action -- what is actually done.Bandlers Four Platforms to Connect (inline)

Then I introduced the Fourth Platform of Business needs, which brings organization mission and business needs into our conceptual diagram. Mission can include doing good to help individuals and society, earning revenue and business, obtaining donations or grants, surviving, thriving, and growing.

Internal rules within the five components for policy work

When we added external guidance, we get the five components for policy work, and here they are viewed from the top.

Bandlers Five Components for Policy Work 2022 (2) Internal rules

Internal rules

Internal rules can include:

  • Verbal directions, unwritten rules, and organization culture
    • These are critical too!
    • But we need to recognize their limits and the potential for differing perception and recollection
  • Policies (general rules)
  • Standards (more detailed rules)
  • Procedures (highly detailed steps to accomplish a task)
  • Guidelines (guidance, but not a rule, but we may write them down)
  • Other governance documents whatever their name, to include bylaws, articles of organization, charters, plans, handbooks, manuals, etc.

Topics for internal rules can include:

  • Cybersecurity
  • Incident response
  • Privacy
  • Conflicts of interest
  • Employee rights and responsibilities in the workplace
  • Anti-discrimination
  • Documents on how to manufacture goods or provide services.

Written internal rules

Written internal rules include policies, procedures, and other governance documents. I discuss these documents in more detail in my article on policies and procedures.

Planning to create or improve internal rules

I created a helpful concept for organizations that are planning to create or update their internal rules and I discuss it in this article on internal rules planning. In sum, we first examine external rules, business needs, external guidance, and practice, and use them to create or improve our internal rules.

Building internal rules

I have reimagined the traditional policy and procedure rules pyramid into the "internal rules platform", and offer a concept helpful as we build our internal rules. I lay it out in this article.

This article seems kind of short

Internal rules are critical for mission, action, and compliance, so why is this article so short? Well, this article is a landing page for that concept, and provides a jump-off point for all of my other articles devoted to planning and building internal rules. You will see many other articles that delve into the details of policies, procedures, and more. I even built an entire online course on the topic.


Internal rules are a critical for every organization to fulfill their mission, comply with legal requirements, and secure themselves.

This article is (of course) not tailored to your circumstances, nor is it legal or consulting advice.

If your organization needs help with improving its internal documentation and compliance with external rules, including regarding cybersecurity and protecting from cybercrime, feel free to contact me.

Additional reading

This article is hosted at, copyright John Bandler, all rights reserved.

This article is also available on at (though not kept as up to date).

Originally posted 5/15/2022, updated 1/3/2023.