Six Keys to Sound IT Management "Policy and Procedure"

What's the purpose of IT policy and procedure?  Is it to limit creative use of technology?  Is it to place administrative burdens that serve no purpose?  Is it to just be controlling?  If this is the way "policy and procedure" is viewed, the game has already been lost.  The goal of IT policy and procedure is to maximize IT value and promote the most productive usage of IT products and services.  Now you just need to convince your end-users of that.

Embracing the Purpose of IT Management Policy and Procedure

In fact, IT management policies, and related procedures, are often used to limit and control technology utilization, lower operating costs, and limit risk exposure (financial, security, and otherwise). From this perspective, policies and procedures are a necessary, and at times, intrusive, means to an end. However, the story does not have to end there. When used effectively, "policy and procedure" can also be to achieve value added productivity and results. Value added policies and procedures can promote productivity, minimize redundant work effort, and deliver consistency in performance and results.

  • When policies are properly defined and implemented, decisions can be made with greater confidence and independence.
  • When procedures are properly defined and implemented, internal and external staff can act with greater certainty and self-reliance.
  • The key is alignment ... to create and apply sound, viable "policies and procedures" designed to match business goals and objectives.

Policy vs. Procedure – What’s the Difference?

Policies and procedures are distinct entities, used in tandem to drive IT operations, strategies and decisions. As management terms, they are often used interchangeably, but in reality, policies and procedures are not one and the same.

Policies are specific statements of principles and strategy, providing a "what and why" basis for consistent planning and decision making. Policies can be implied (action becomes policy) or expressed (policy drives action). Implied policies may not exist in documented form, but they become part of the operational culture through repeated patterns of planning and action. Expressed policies are created through detailed planning, and are applied through formal action. In any practical work environment, implied and expressed policies will co-exist.

Procedures provide the actionable steps and activities needed to translate ideas into action. By definition, procedures are always expressed, laid out as a series of steps and activities to be executed for a specific purpose and in a specific order. Procedures support policies, but can also exist without a corresponding policy entity.

Common Types of Policies and Procedures

  • Acceptable Use Policies: Setting guidelines for the implementation and usage of end-user technology, including individual computers, networks, internet, intranet, e-mail, voicemail, telecommunications and related systems and services.  (Read about email usage policies).
  • Security Policies: Setting security guidelines for individual computers and shared systems, including network access, data usage, access, retention, and confidentiality, passwords, virus protection, remote access, and physical security.  (Read about data security policies).
  • Disaster Recovery Policies: Setting guidelines for disaster recovery and business continuity practices and procedures.  (Download Disaster Recovery Plan template).
  • Technology Standards Policies: Setting guidelines for the selection and implementation of technology standards, determining the type of systems and services to be utilized within the business organization, including product selection, acquisition, installation, and disposal.  (Read about technology standards).
  • Service Related Policies: Setting guidelines for the development and delivery of IT services, including installation, support, maintenance, project management, strategic planning and training.  (Read about management standards).
  • IT Organizational Policies: Setting guidelines for the creation of the IT organization, including the IT mission, roles and responsibilities, organizational structures (decentralized vs. centralized), organizational authority, staffing structure, and service goals.
  • IT Operational Policies: Setting guidelines for the execution of internal IT operations, including systems administration, change management, systems configuration, technical design, product testing and evaluation, software development and related operational services.

To achieve all of the above, and also provide a reasonable opportunity to lower costs, save time and enhance operational productivity.   "Sound" policy and procedure provides added value – it does more than control, it contributes.

The Six (6) Keys of Sound Policy and Procedure

  1. Policy and procedure must be purposeful to fill defined needs and serve an actual purpose.
  2. Policy and procedure must be relevant and aligned with actual needs and matched to the intended purpose.
  3. Policy and procedure must be fully useable, actionable and capable of implementation and enforcement.
  4. Policy and procedure must be flexible for adaptation to reasonable variations and exceptions.
  5. Policy and procedure must be credible and fully justified and enforceable in a consistent manner.
  6. Policy and procedure must be developed and implemented with end-user input and buy-in.

When appropriately combined, these six (6) keys form a "roadmap" to guide development actions and as benchmark to meaure resulting success.  If any one "key" stands out, it is the need for flexibility - to respond to changing circumstances and end-user feedback.  It is possible to achieve consistent results with built-in flexibility - and that is the overall goal.

Delivering Sound Policy and Procedure

Policy and procedure development begins with an examination of goals, needs and capabilities.  In order to realize intended results (according to the six (6) keys listed above), the following questions must be fully considered and addressed:

  • What is the current business need (i.e. problem to be solved, or improvement/advancement to be made)?
  • How can policy and/or procedure be used to meet this need?
  • How will any new policies and/or procedures be applied within the organization (i.e. to the entire organization or specific departments)?
  • What is the expected life span of any new policies and/or procedures (long term or short term)?
  • How will the current organization be impacted by the implementation of any new policies and/or procedures?
  • Will there be any negative consequences from the implementation of any new policies and/or procedures?
  • Will there be any internal or external resistance to the implementation of any new policies and/or procedures, and if so, how can this resistance be overcome or mitigated?
  • What is required production format for any new policies and/or procedures (considering paper or paperless, formal or informal)?
  • How will any new policies and/or procedures be developed (in terms of tasks, time and resources)?
  • Who will have input into the development of any new policies and/or procedures?
  • Who must approve the development and implementation of any new policies and/or procedures?
  • How will any new policies and/or procedures be introduced and communicated within the organization?
  • Who will be responsible for the implementation and maintenance of any new policies and/or procedures?
  • How will any new policies and/or procedures be evaluated for success?

Once you can answer the questions listed above, you will have created an informational "foundation" upon which specific policies and procedures can be built.  While it will take some time and effort, a comprehensive portfolio of well planned, relevant and realistic policies and procedures will go a long way towards realizing your IT management vision and maximizing the return on all IT service investments.

Continue with an illustrated view of IT policy planning and development in our informative infographic:  Fundamentals of IT Management Policies.

About Us- has been around since 2001.  What will you find here?  We have articles (covering a wide range of topics relating to our IT service strategy and project fast tracking methodologies).  We have templates and whitepapers to download.  We have our series of IT management infographics.  And, we have our "Toolkit productivity packages", combining "education and execution" - with time-saving concepts, steps and templates packaged in digital downloads.  Our current Toolkit offerings include the Fast Track Project Toolkit and IT Service Strategy Toolkit.

Learn more about the Service Strategy Toolkit from



If you are, then you need the IT Service Strategy Toolkit from! The Toolkit teaches you how to "add value" to IT projects and services -- using our time-saving "service strategy process". It's ready for instant download, filled with 400+ pages of steps, guidelines, practices and templates. Find Out More

Featured Management Topic: Project Fast Tracking

Strategic fast tracking is a streamlined project management process, used to level the playing field when "project problems" get in the way of on-time success. Our informative "fast tracking" article series explains more:

Part 1: What is Strategic Fast Tracking?

Part 2: Evaluating Projects for Fast-Track-Ability

Part 3: Pinpointing Project Priorities

Get an illustrated view of the fast tracking process in the "Step-by-Step to a Fast Tracked Project" infographic.

Articles, Tips & Offers Right to Your Inbox

Sign up for the newsletter and be the first to know about our latest blog articles, templates, white papers, infographics, and special offers.

We won't overload your inbox and we don't share or sell subscriber information. Just enter your email address below.