Internal Rules

“Internal rules” describes any rule an organization creates for itself and its employees, and is an important platform for organization management and governance (including management of digital assets for cybersecurity and privacy).

Many may use the term “policies and procedures” for this, but internal rules is more inclusive of the many types of documents and also unwritten rules and culture.

Internal rules are one of my Five Components for Policy Work, and within my earlier platform concepts.

Five Components for Policy Work

I write this primarily in the context of information governance — properly managing information assets such as computer devices, data, networks, and more. But these concepts apply across all areas of organization management.

Three Platforms to Connect

Internal rules within the Three Platforms concept

And I discuss these internal rules within the framework of my Three Platforms to Connect for compliance method which visualizes how legal requirements, internal policy, and organization practice should align.

The three areas to consider for compliance analysis are:

  • External rules: Laws and regulations
  • Internal rules: Policies, procedures, and more
  • Practice: or action — what is actually done.

Then I introduced the Fourth Platform of Business needs, which brings organization mission and business needs into our conceptual diagram. Mission can include doing good to help individuals and society, earning revenue and business, obtaining donations or grants, surviving, thriving, and growing.

The Fourth Platform to Connect

Internal rules

Internal rules can include:

  • Verbal directions, unwritten rules, and organization culture (these are important but we need to recognize their limits and the potential for differing perception and recollection)
  • Policies (general rules)
  • Standards (more detailed rules)
  • Procedures (highly detailed steps to accomplish a task)
  • Guidelines (guidance, but not a rule)
  • Other documents whatever their name, such as bylaws, articles of organization, charters, plans, handbooks, manuals, etc.

Topics for internal rules can include:

  • Cybersecurity
  • Incident response
  • Privacy
  • Conflicts of interest
  • Employee rights and responsibilities in the workplace
  • Anti-discrimination
  • Documents on how to manufacture goods or provide services.

Written internal rules

Written internal rules include policies, procedures, and other governance documents. I discuss these documents in more detail in my article on policies and procedures.

Planning to create or improve internal rules

I created a helpful concept for organizations that are planning to create or update their internal rules and I discuss it in this article on internal rules planning. In sum, we first examine external rules, business needs, external guidance, and practice, and use them to create or improve our internal rules.

Building internal rules

I have reimagined the traditional policy and procedure rules pyramid into the “internal rules platform”, and offer a concept helpful as we build our internal rules. I lay it out in this article.


Businesses need internal rules to fulfill their mission and comply with legal requirements.

This article is (of course) not tailored to your circumstances, nor is it legal or consulting advice.

If your organization needs help with improving its internal documentation and compliance with external rules, including regarding cybersecurity and protecting from cybercrime, feel free to contact me.

Additional reading

This article was originally published on my website at where I also include links for additional reading, and it may be more current and with improved formatting.

Copyright John Bandler all rights reserved.

Posted to Medium on 8/25/2022 based on my earlier website article. Last updated here on 12/03/2022.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
John Bandler

Cybersecurity, cybercrime prevention, privacy, law, more. Attorney, consultant, author, speaker, teacher. Find me at