Five Components for Policy Work

John Bandler
3 min readNov 9, 2022

There are five components for policy work that organizations can consider for management and when creating and updating internal rules such as policies, procedures, and standards.

These concepts apply across all areas of organization management, though this article is written primarily in the context of information governance — properly managing information assets such as computer devices, data, networks, and more.

The five components for policy work

We can think of five main components to consider when doing policy creation or improvement, they are:

  • Mission and business needs: The reason the organization exists in the first place.
  • External rules: Laws, regulations, and other legal requirements.
  • External guidance: Helpful and relevant voluntary guides to our policies and actions.
  • Internal rules: Policies, procedures, and more (that currently exist).
  • Practice or action: what is actually done.

Four are platforms and the fifth component is the more ambiguous “cloud” of external guidance.

The three and four platforms concepts

I started with the Three Platforms to Connect compliance framework. It presented a conceptual way to identify external rules, develop internal rules that aligns with those laws, and then we can work on ensuring practice follows policy and the law.

To properly help organizations succeed, we also need to add mission and business needs as the Fourth Platform to Connect. Internal rules and practice can and should align with both external rules and organization mission.

We can view those four platforms with a nice front view and a little perspective, and the idea is that organizations conceptually align these four platforms as they build their internal rules and practice.

We needed a fifth, guidance

External guidance is voluminous on a multitude of areas, including best practices for management, for providing whatever good or service the company provides, cybersecurity, policy management, and more. So that is the fifth component and it is depicted as a cloud since it is voluminous and voluntary.

I think five components is all we need, I don’t anticipate adding any more.

I lay out more details on each component in other articles linked to at my site.


Businesses can use the five components for policy work to build and improve their policies (internal rules) to aid in mission accomplishment, protect against cybercrime, and comply with legal requirements.

This article is (of course) not tailored to your circumstances, nor is it legal or consulting advice.

If your organization needs help with improving its internal documentation, incorporation of best practices, and compliance with external rules, including regarding cybersecurity and protecting from cybercrime, feel free to contact me.

Additional reading

This article was originally published on my website at where I also include links for additional reading, and it may be more current and with improved formatting.

Copyright John Bandler all rights reserved.

Posted to Medium on 11/08/2022 based on my earlier article on my website. Last updated here on 12/03/2022.



John Bandler

Cyber, law, security, crime, privacy, more. Attorney, consultant, author, speaker, teacher. Find me at