NEWSLETTER
March 12, 2026
Establishing a clear demarcation between information governance policies and IT security policies is essential for good organisational governance, regulatory compliance, and effective risk management. Policies relating to information governance and IT security are often merged into a single document or framework, which creates confusion about responsibilities, weakens accountability, and reduces the effectiveness of both disciplines.
Information governance and IT security address different aspects of how information is handled.
Although these areas overlap - both aim to protect information - they operate at different levels. Information governance establishes what information should exist, how it should be managed, and who is responsible for it, while IT security determines how technology protects that information.
Combining these policies can cause the following problems:
Roles and responsibilities become unclear: Information governance is often owned by data protection officers, governance and compliance teams, legal departments and records managers. IT security is usually led by technical security professionals or IT departments. When policies are merged, it can become unclear who is accountable for particular decisions. For example, a data retention rule is a governance issue, but the technical enforcement mechanism may sit within IT. Without separation, responsibility can easily fall into gaps between teams.
Policy clarity is reduced: Governance policies are typically written for a broad organisational audience - including senior leadership, operational teams, and compliance functions. IT security policies, by contrast, may contain more operational detail and technical language. When the two are merged, the resulting documents can become overly complex, making them harder for non-technical staff to understand and follow.
Regulatory alignment can be weakened: In the UK, frameworks such as the UK GDPR, the Data Protection Act 2018, and various sector-specific requirements place strong emphasis on accountability, documentation, and governance structures. These regulations expect organisations to demonstrate clear oversight of information assets, data protection responsibilities, and lifecycle management. Adding IT security policy content to information governance policies risks diminishing the strategic importance of the governance content and may also create challenges during audits or regulatory reviews.
Maintaining separate policy domains supports a better organisational culture and stronger accountability. Information governance is a discipline in its own right, and keeping it distinct reinforces the idea that managing information responsibly is a shared organisational responsibility.
This does not mean the two domains should operate in isolation; on the contrary, they must work closely together. Governance policies should define information classifications, retention rules, and ownership structures, while IT security policies should define the technical controls that enforce those requirements. The relationship is therefore complementary rather than hierarchical.
In practice, the most effective organisations establish distinct but aligned policy frameworks. Information governance policies set the principles for how information is created, managed, shared, and retained. IT security policies define the technical provisions used to protect that information. Cross-references between the two ensure consistency without conflating their purposes.
Contact us to find out how Protocol Policy Systems help organisations build more resilient, transparent, and effective information management practices.
PROTOCOL POLICY SYSTEMS
Fill in the form or call us on (UK) +44 845 241 0099 or (NZ) +64 9 570 2233