Policy Overview

Published: April 25, 2008


What purpose does policy serve in IT? What can be done so IT pros find company policies helpful and enforceable? This Policy SMF describes the process of translating and documenting organizational goals and values into written policies.

A policy explains what to do in a particular set of circumstances by providing necessary rules and requirements and by setting expectations about conduct. Policies help organizations clarify performance requirements, communicate management’s intent for how work should be done, and establish accountability and the foundation for compliance. Procedures break policies down into detailed steps that describe how work should be done and identify who should do what. To be effective, policies and procedures need to accurately reflect what the organization wants done—they should clearly describe circumstances, rules, options, and activities in a way that is understandable and can be readily put into practice.

Although potentially wide-ranging, policy generally centers on the following topics, which are explained in more detail later in this SMF:

  • Policy governance
  • Security
  • Privacy
  • Partner and third-party relationships
  • Knowledge management
  • Appropriate use

Policy management includes writing policies, validating policies with stakeholders, and developing detailed procedures. It also helps determine how to implement and enforce policy and establishes the ongoing processes for policy improvement and maintenance.

Any organization approaching policy management should be aware of the relationship between its policies and its internal control environment. When management considers a certain goal and its related risks, it must also consider whether to write a policy addressing that goal. The purpose is to communicate a clear standard of behavior to employees so that they know they will be expected to comply. Good policy management focuses policies on the right goals, ensures review and evaluation by the right people, and helps keep policies current.

Policy SMF Role Types

The primary Team SMF accountability that applies to the Policy SMF is the Management Accountability. The role types within that accountability and their primary activities within this SMF are displayed in the following table.

Table 1. Management Accountability and Its Attendant Role Types

Role Type


Role in this SMF

IT Executive Officer

  • Approves the IT organization’s policies
  • Approves policy content and the policy management process


  • Ensures that policies support organizational goals and regulatory requirements
  • Validates that policies are well-understood and used

IT Manager

  • Manages effectiveness of policy communication and enforcement


  • Communicates policies that are usable and enforceable

IT Policy Manager

  • Works with business, management, and legal resources to define policy requirements
  • Responsible for industry regulatory knowledge
  • Owns policy creation, publication, and maintenance


  • Delivers policies that are effective, current, and applicable; that address business, regulatory, and industry requirements

Change Manager

  • Manages the activities of the change management process for the IT organization


  • Creates an environment where changes can be made with the least amount of risk and impact to the organization

Configuration Administrator

  • Tracks what is changing and its impact
  • Tracks configuration items (CIs) and updates the Configuration Management System (CMS)


  • Ensures a known state at all times

Goals of Policy Management

Successful policy management should result in documented, up-to-date guidelines that address the desired actions and behaviors of an organization. More specifically, it should ensure that:

  • Policies accurately capture management’s intent concerning the behaviors of the organization.
  • Policies contain clear statements of rules, but their implementation is carried out through procedures and employee judgment.
  • Policies are communicated consistently and effectively across the organization.
  • Policies are defined in ways that take into account their eventual application and evaluation.

Table 2. Outcomes and Measures of the Policy SMF Goals



| Outcomes | Measures |
| --- | --- |
| Policy supports management objectives | Audits of policies indicate that they appropriately reflect management objectives. |
| Employees utilize policy | There are no audit issues related to activities defined in policies. |
| Regulatory compliance | All regulatory audits are passed with no deficiencies. For further information about regulatory compliance, see Understanding Regulatory Compliance on TechNet. |
| Organizational compliance | All compliance audits are passed with no deficiencies (for example, security, privacy, or standards of conduct). |

Key Terms

The following table contains definitions of key terms found in this guide.

Table 3. Key Terms




A deliberate plan of action to guide decisions and achieve rational outcomes. (This definition deals with human-readable descriptions of desired behavior, not machine-readable descriptions).

IT alignment

A state when the technical and business goals and strategies of the IT organization completely match the goals and strategies of the overall business.


A detailed description of how work will be done by people or systems. It is the method for applying and implementing policy.


A set of interrelated tasks that, taken together, produce a defined, desired result. Policies are translated into systems, resources, and processes to operate the business.

This accelerator is part of a larger series of tools and guidance from Solution Accelerators.

