What should be included in an information governance policy document?
An information governance (IG) policy is the foundational document that defines how an organization creates, manages, protects, and disposes of its information assets. A strong policy translates broad principles into clear, enforceable expectations. While the exact structure varies by organization, most effective policies include the following elements.
Purpose and Scope
State why the policy exists and what it covers. Identify the information types, systems, departments, and personnel that fall within scope, and note any explicit exclusions. Connecting the policy to organizational goals—such as legal compliance, risk reduction, and operational efficiency—gives it context and authority.
Governance Roles and Responsibilities
Assign accountability. Name the roles responsible for oversight (for example, an executive sponsor or IG committee), day-to-day program management, and the obligations of all employees. Clear ownership prevents gaps where no one is responsible for a given category of information.
Key Principles and Definitions
Define core terms—record, information asset, retention, disposition—so the policy is interpreted consistently. Many organizations align their principles with recognized standards such as ISO 15489 to support authenticity, reliability, integrity, and usability of records.
Records Lifecycle Requirements
Describe how information should be handled from creation through final disposition. This typically references:
- Classification and metadata expectations
- Retention schedules and legal/regulatory recordkeeping requirements
- Storage, access, and security controls
- Defensible disposition and destruction procedures
- Legal hold and litigation readiness
Compliance, Privacy, and Security
Address how the organization meets applicable legal, regulatory, and contractual obligations, including privacy and data protection. The policy should explain how sensitive or protected information is identified and safeguarded.
Monitoring, Training, and Enforcement
Explain how compliance is measured, how employees are trained, and what consequences follow noncompliance. Effective programs build in audits and reporting.
Review and Maintenance
Specify how often the policy is reviewed and who approves updates. Regulations, technology, and business needs evolve, so a policy should include a defined revision cycle and version control.
A well-drafted IG policy is concise, accessible, and actionable—employees should understand their obligations without needing specialized expertise. For related guidance, see the information governance topic hub.
Sources & further reading
Authoritative government and non-profit references.
- ISO 15489-1 Records management — ISO
- Records management policy and guidance — National Archives (NARA)
How to cite this page
APA
RM University Editorial. (2026). What should be included in an information governance policy document?. Records Management University. https://www.recordsmgmt.org/questions/what-should-be-included-in-an-information-governance-policy-document/
MLA
RM University Editorial. "What should be included in an information governance policy document?." Records Management University, 16 June 2026, www.recordsmgmt.org/questions/what-should-be-included-in-an-information-governance-policy-document/.
Related questions
- Big-bucket vs item-level retention schedules: how do I choose between them?
- Can a company be penalized for keeping data too long under privacy laws even if nothing was breached?
- Can a US company store records in the EU, or do data localization and cross-border transfer rules block it?
- Can executives or board members be held personally liable for information governance failures?
- Can information governance help reduce cloud storage costs, and how?