Policy Project Planning and Execution

by John Bandler

This page is about planning and executing the policy project.

As they said in the army, remember the 7 p's:

  • Proper prior planning prevents really poor performance.

Sometimes, we don't have time to plan as well as we would like, but we still need to take some time to properly direct our actions and that of others.

Document projects that are planned and managed well help ensure:

  • The final document is of high quality, practical, helps the organization and is legally compliant
  • The organization is improved through the project process
  • The team is built through the project process
  • Each individual on the team or working on the project is improved.

Planning the policy project

In planning, we want to think about all that goes into a policy, where we are now (current state, or "as-is") and desired outcome (future state, or "to-be").

In planning, it is helpful to think about the five components for policies.

[Figure: Bandler’s Five Components for Policy Work]

The five components are:

  • External guidance: helpful and relevant voluntary guides to our policies and actions.
  • External rules: laws, regulations, and other legal requirements.
  • Internal rules: policies, procedures (and more) and how to build them.
  • Practice (or action): what is actually done.
  • Mission and business needs: the reason the organization exists in the first place.

These five components build upon my Three Platforms to Connect for compliance and the Fourth Platform of mission (business needs). I have built out articles on most of the components.

We need to think about these important factors for the policy project:

  • Time
  • Cost
  • Scope
  • Quality

We also need to think about who will be involved in the policy project, including:

  • Doers (workers)
  • Internal vs. external
  • Approvers
  • Consulted
  • Informed
  • Subject matter experts (SMEs)

Realistically, I am aware that not every organization plans every policy update or creation. So I created a plan for that in my Infosec Institute course (coming soon).

Executing and managing the policy project

Executing and managing the policy project requires incorporating all of our planning and steering a team towards the finish line.

A good policy project not only results in a quality final product (documents), but builds the individuals and the organization during the process. This process should take place in the context of the Five Components for Policy Work as mentioned above.

Good internal documentation is created not just by slapping "good documents" down as the new rule, but as a process of discovery, discussion, and collaboration, resulting in documents that work and are not just "shelf-ware".

Important areas for project management include:

  • Properly evaluating the Five Components for Policy Work, including
    • Mission and business needs
    • External rules (laws and regulations)
    • Internal rules that currently exist
    • Practices (current and desired)
    • External guidance
  • Understanding the purpose of internal rules and various document types
  • Planning the project (see above)
    • Evaluating current state and desired end state
  • Project management basics
  • Starting the project
  • Evaluating the scope and guarding against scope creep
  • Establishing deadlines, phases, subprojects, deliverables, milestones
  • Reviewing existing rules
  • Brainstorming
  • Issuance and feedback on document drafts
  • Resolving issues and differences of opinion
  • Moving the document towards near-final
  • Gaining approval
  • Finalizing the document
  • Distributing the document, training on it, implementing it
  • Continual usage and review
  • Evaluating when to restart the project.
Businesses should plan (ideally) and then properly manage a policy project to gain efficiency and improvements during the project and a quality result. Good policies help the organization improve, accomplish its mission, protect itself from cybercrime, and comply with legal requirements.

This article is (of course) not tailored to your circumstances, nor is it legal or consulting advice.

If your organization needs help with improving its internal documentation, incorporation of best practices, and compliance with external rules, including regarding cybersecurity and protecting from cybercrime, feel free to reach out to me. If you are looking for more details on policies and policy projects, see this website and my online course at Infosec Institute titled "Corporate Security Policies".

Additional reading

This article is hosted at https://johnbandler.com/policy-project-planning-and-execution, copyright John Bandler, all rights reserved.

Originally posted 10/26/2022, updated 5/30/2024.