Service Management Blog

7 Business-Critical IT Policies & How To Implement Them

5 minute read
Joseph Mathenge

Organizations know that policies are critical to any mission. How do you handle data? How to do you navigate surprise incidents or emergency changes? How do you secure critical information?

Governance is a key element of the service value system—that is, the way you create and deliver value to your customers. The ISO/IEC 38500:2015 standard for governance of IT departments and organizations defines IT governance as the system by which the current and future use of IT is directed and controlled.

According to ITIL® 4, this direction usually comes in two forms: strategies and policies.

  • Strategies set priorities for business activities and investment.
  • Policies establish the requirements for how everyone across the organization handles certain practices, including suppliers, partners, and other stakeholders where relevant.

Strategies are typically spelled out from the CEO and executive leadership. But what are the policies that an organization needs to have in place in other to succeed? Experts suggest a few IT areas that need policy.

Let’s take a look.

What are policies?

Policies are the framework and constraints (guardrails) within which employees can strive for individual and collective success. ISO vocabulary defines a policy as:

“Intentions and direction of an organization, as formally expressed by its top management.”

Developing IT policies

In IT, the scope for policies covers many areas, ranging from high-level, organization-wide policies to specific topical policies that likely affect only IT employees. When developing policies for your organization, consider:

  • Aims and objectives of your organization
  • Strategies adopted by your organization
  • The target group for the policy
  • Structure and processes of your organization

When it comes to policy content, the VeriSM™ service management approach provides three simple clear questions that your policies must answer:

  1. Why is this necessary? Be very clear (within one sentence) as to what the policy objective is.
  2. What needs to be achieved? Don’t explain how you’ll achieve this policy. The related process and/or procedures will do that (provide reference links, if available). Instead, explain the conditions of the policy—what must occur.
  3. How I will know if this is done and it works? Define appropriate measurements to demonstrate compliance. SMART goals will help you get there.

Critical IT policies

So, what are the most critical IT Policies? The ones your business must have? Well, each organization is different. What’s critical to one may not be the same for others.

The golden rule in governance has long been that we cannot outsource oversight.

Most organizations embracing digital transformation have outsourced the need to maintain IT infrastructure and platforms—this used to take up significant policy effort. Depending on your organization’s maturity, you may no longer need many I&O policies, for instance.

If you do have a cloud strategy, it’s likely that your policy focus has shifted to service and data layers. This is where most interaction with technology is now happening, especially when it comes to app development. But that doesn’t mean that you can neglect the underlying layers. Instead, you’ll likely pivot to areas like security and billing.

(Interestingly, most modern app development approaches align to the agile manifesto, which de- emphasizes processes and comprehensive documentation, two elements that are traditionally the bedrock of policies.)

When we look at standards, here’s what we see. The ISO/IEC 20000:2018 standard for Service Management defines only three policies defined that any IT organization should maintain:

  • Service management policy
  • Change management policy
  • Information security policy

You might be wondering about other policies that seem critical.

The Info~Tech Research Group defines other policies that IT organizations need to put in place. These include:

  • Enterprise Architecture policy
  • Data Management policy
  • Asset Management policy
  • Purchasing policy

Your organization may need policy in all seven of these areas; or, maybe only four are appropriate. We’ll briefly look at each one here, then point you to more resources about these practices.

IT policies

Service Management policy

This policy establishes the framework of setting service management objectives in line with the organization’s purpose. This policy includes:

  • Commitments to satisfy applicable requirements
  • Commitments to continually improve the organization’s service management system and services

It is the definitive top management commitment to service management, aligning directly with ISO/IEC 20000 requirements.

Without it, there is no evidence of service management direction from the leadership, potentially leading to a disjointed approach to service management activities across the organization.

(Check out what’s happening in service management today.)

Change Management policy

The intention of a change management policy is to maximize the number of successful service and product changes by ensuring that you’re properly assessing risk, authorizing changes to proceed, and managing the change schedule. (In ITIL 4, this policy is renamed to change enablement.)

The policy defines:

  • Service components and other items that are under the control of change management
  • Categories of change and how they are to be managed
  • Criteria to determine changes that have potential to have a major impact on customers or services

Without this policy, risks of unplanned service disruption or bureaucratic hurdles to smooth change execution are likely to occur (exactly when you don’t need them).

(Learn more about the roles involved in change management and navigating change in the cloud.)

Information Security (InfoSec) policy

This policy spells out the required posture to secure the availability, integrity and confidentiality of business information on IT systems from potential risks, through appropriate controls that align with organizational and regulatory requirements.

For the most part, any Information Security policy comes with a lot of sub-policies covering different topics as per controls, including, among others:

  • Risk assessment
  • Access management
  • Acceptable usage
  • Password management
  • Information classification
  • Disaster recovery

With cyber security risk becoming the #1 focus for most digital organizations, absence of this policy is itself a risk. Without coordinated effort to secure data, your organization’s existence is threatened if a significant attack occurs.

(Learn more about the InfoSec management and cybercrime prevention.)

Enterprise Architecture policy

The Enterprise Architecture policy outlines how IT supports the business mission and operations, through alignment and prioritization of IT strategies and initiatives. It also includes guidelines for designing, planning, implementing, and governing enterprise IT architecture.

Without this policy, your organization risks increased costs and poor performance.

(Understand the role of a system architect and architecture in DevOps environments.)

Data Management policy

This policy focuses on the management and governance of data assets—i.e., documents, databases, and application data files—with a strong focus on data protection and privacy.

Without this policy, you’re risking the misuse, loss, regulatory penalties, or lost opportunity from data usage.

(See how data ethics and the data lifecycle can help you create data policy.)

Asset Management policy

This policy provides guidelines on activities involved in the asset lifecycle, from acquisition, tagging, deployment, usage, maintenance, withdrawal, and disposal.

Absence of this policy would impact the organization financially because you’re not maximizing the ROI of your assets—and you may even be taking a loss.

(Understand what assets are and explore software asset management tips.)

Purchasing policy

This policy provides guidance on acquisition of service components required for delivery of IT services, ensuring value for money and holding suppliers to their contractual commitments.

Without it, the organization can be impacted financially by poor decisions that could lead to:

  • Material loss
  • Litigation
  • Poor third-party service delivery

(Explore cost management strategies and tips.)

Choosing IT policies

Whether it is because of compliance with regulations, need for internal controls, operating requirements, or risk management, the need for IT policies cannot be understated.

With the ever-evolving technology landscape and the strategic drive for digital transformation, ensuring that sound policies that shepherd, not constrain, good practice are an essential ingredient of maturity and excellence for any IT outfit.

Related reading

These postings are my own and do not necessarily represent BMC's position, strategies, or opinion.

See an error or have a suggestion? Please let us know by emailing

Business, Faster than Humanly Possible

BMC works with 86% of the Forbes Global 50 and customers and partners around the world to create their future. With our history of innovation, industry-leading automation, operations, and service management solutions, combined with unmatched flexibility, we help organizations free up time and space to become an Autonomous Digital Enterprise that conquers the opportunities ahead.
Learn more about BMC ›

About the author

Joseph Mathenge

Joseph is a global best practice trainer and consultant with over 14 years corporate experience. His passion is partnering with organizations around the world through training, development, adaptation, streamlining and benchmarking their strategic and operational policies and processes in line with best practice frameworks and international standards. His specialties are IT Service Management, Business Process Reengineering, Cyber Resilience and Project Management.