Internal Rules 

by John Bandler

"Internal rules" is my way of describing any rule an organization creates for itself and its employees, and is an important platform for organization management and governance (including management of digital assets for cybersecurity and privacy).

Many may use the term "policies and procedures" for this, but I like the term internal rules for a number of reasons, and it is one of the platforms in my framework for management. This article provides a landing point for this concept and links to related articles.

This is primarily in the context of information governance -- properly managing information assets such as computer devices, data, networks, and more. But these concepts apply across all areas of organization management.

[Diagram: Internal Rules within Bandler's Three Platforms to Connect]

Internal rules within the Three Platforms concept

I discuss these internal rules within the framework of my Three Platforms to Connect method for compliance, which visualizes how legal requirements, internal policy, and organization practice should align.

The three areas to consider for compliance analysis are:

  • External rules: Laws and regulations
  • Internal rules: Policies, procedures, and more
  • Practice (or action): What is actually done

Then I introduced the Fourth Platform of Business needs, which brings organization mission and business needs into our conceptual diagram. Mission can include doing good to help individuals and society, earning revenue and business, obtaining donations or grants, surviving, thriving, and growing.

[Diagram: Bandler's Four Platforms to Connect]

Internal rules

Internal rules can include:

  • Verbal directions, unwritten rules, and organization culture (these are important but we need to recognize their limits and the potential for differing perception and recollection)
  • Policies (general rules)
  • Standards (more detailed rules)
  • Procedures (highly detailed steps to accomplish a task)
  • Guidelines (guidance, but not a rule)
  • Other documents whatever their name, such as charters, plans, handbooks, manuals, etc.

Topics for internal rules can include:

  • Cybersecurity
  • Incident response
  • Privacy
  • Conflicts of interest
  • Employee rights and responsibilities in the workplace
  • Anti-discrimination
  • Documents on how to manufacture goods or provide services.

Written internal rules

Written internal rules include policies, procedures, and other governance documents. I discuss these documents in more detail in my article on policies and procedures.

Planning to create or improve internal rules

[Diagram: Creating Internal Rules with Bandler's Platforms]

I created a helpful concept for organizations that are planning to create or update their internal rules, and I discuss it in this article on internal rules planning. In sum, we first examine external rules, business needs, external guidance, and practice, and use them to create or improve our internal rules.

Building internal rules

I have reimagined the traditional policy and procedure rules pyramid into the "internal rules platform", and offer a concept that is helpful as we build our internal rules. I lay it out in this article.

Businesses need internal rules to fulfill their mission and comply with legal requirements.

This article is (of course) not tailored to your circumstances, nor is it legal or consulting advice.

If your organization needs help with improving its internal documentation and compliance with external rules, including regarding cybersecurity and protecting from cybercrime, feel free to contact me.

Additional reading

This article is hosted at, copyright John Bandler, all rights reserved.

This article is also available on at (though not kept as up to date).

Originally posted 5/15/2022, updated 10/31/2022.