External Guidance

John Bandler
3 min readDec 3, 2022

External guidance is materials or advice that organizations may consult when creating and updating policies or otherwise seeking to improve their practices and action.

Guidance is voluntary, not mandatory (in contrast with legal requirements such as laws and regulations which are required obligations). So organizations can seek guidance, and then are free to adopt, adapt, or disregard that guidance as they see fit.

These concepts apply across all areas of organization management, though this article is written primarily in the context of information governance — properly managing information assets such as computer devices, data, networks, and more. There is no shortage of external guidance on this topic.

External guidance within the five components for policy work

Five Components for Policy Work

We can think of five main components to consider when evaluating organization management and updating or creating policies and other organization rules.

Four are platforms (constructed by the organization or government) and the fifth component is the more nebulous “cloud” of external guidance.

We can view all five components together in this diagram.

The five components are:

  • External guidance: Helpful and relevant voluntary guides to our policies and actions.
  • External rules: Laws, regulations, and other legal requirements
  • Internal rules: Policies, procedures, and more
  • Practice: or action — what is actually done.
  • Mission and business needs, the reason the organization exists in the first place.

The Four Platforms concept

Four Platforms to Connect

The above components builds upon my Four Platforms to Connect model (which in turn built upon my earlier Three Platforms to Connect compliance framework).

We can view those four platforms with a nice front view and a little perspective, and the idea is that organizations conceptually align and build as needed these four platforms.

External guidance

External guidance is everywhere, the challenge is finding what is good and applicable to the organization, adapting it as needed, and then incorporating it into internal rules (policies and procedures).

Whereas external rules must be properly identified and complied with, external guidance is purely optional. Organizations research and identify helpful guidance, then can adopt that guidance in whole or in part, adapting as needed.

External guidance includes:

  • Pretty much anything
  • Websites (including this one)
  • Books
  • Articles
  • Information security frameworks (of which there are many)
  • Advice from employees, consultants, subject matter experts, and lawyers. (Note that lawyers sometimes will tell you what the law is and what you must do to comply with the law, so that would also be within the “external rule” category)
  • Guidance put out by government entities which regulate or enforce an area
  • Guidance from business partners

Topics for external guidance include:

  • Cybersecurity and information security
  • Cybercrime prevention
  • Privacy
  • Security
  • Management and governance
  • Creation and updating of internal documents


Businesses should understand external guidance in order to speed their adoption of certain best practices, to draft appropriate internal rules, and accomplish their mission.

This article is (of course) not tailored to your circumstances, nor is it legal or consulting advice.

If your organization needs help with improving its internal documentation, incorporation of best practices, and compliance with external rules, including regarding cybersecurity and protecting from cybercrime, feel free to contact me.

Additional reading

This article was originally published on my website at https://johnbandler.com/external-guidance/ where I also include links for additional reading, and it may be more current and with improved formatting.

Copyright John Bandler all rights reserved.

Posted to Medium on 12/03/2022 based on my earlier article on my website. Last updated here on 12/03/2022.



John Bandler

Cyber, law, security, crime, privacy, more. Attorney, consultant, author, speaker, teacher. Find me at JohnBandler.com.