Welcome to our new site. If you have any comments we'd appreciate you completing our feedback form.

Do you really need an ITAM policy?

This is a controversial question to be asking when our next masterclass is titled ‘write your own ITAM policy’ but bear with me!!

We definitely need to ‘put out there’ a series of policy statements that document how to achieve ITAM outcomes. These statements definitely need to be included in corporate-approved policies so that all stakeholders have clarity about what they need to do to achieve ITAM outcomes and we have enforcement levers to pull if they fail to do so.

However, because ITAM outcomes are achieved through the interaction of processes performed by a large number of stakeholders such as technology teams, procurement and end users, each of these groups are likely to have their own policy which they align to and may not welcome an additional policy that deals specifically with ITAM. Getting agreement about what goes into an ITAM policy can be as bad as herding cats!

Add to that the need to get formal policies approved by senior management and suddenly getting an ITAM policy in place is a daunting prospect.

What are the alternatives?

If you’ve struggled with the classic approach of defining a separate ITAM policy that is formally approved by senior management, then you’ll be pleased to know there are some alternative approaches that might work better for YOUR organisation.

Incorporate ITAM requirements into existing policies

If the problem is ‘too many policies’ than one option is to incorporate the policy requirements for achieving ITAM outcomes within existing policies. For instance, your IT policy and / or information security policy could be modified to ensure they include all your requirements for effective IT Asset management. The same approach can be used for ITAM requirements that fit best into the procurement policy and end user facing policies such as the acceptable use policy.

There are several advantages to going down this road – for instance, you don’t have to go through the separate approval hoops required to get a stand-alone ITAM policy approved, which can often be difficult and time consuming. It means you don’t need to communicate the ITAM policy to all stakeholders as this will be done for you, allowing you to focus your energies on other things. You also reduce the risk that something you put in your ITAM policy contradicts or clashes with another policy, causing confusion and increasing the risk that your policy can’t or won’t be enforced.

The downside is that while, in my experience, only minor changes are generally required in other policies (best practice is, after all, best practice, no matter the discipline you work in), it can be difficult to negotiate changes. Senior sponsorship is needed to give the other parties the ‘push’ that may be required to get them to make even minor changes, however the fact that you are proposing one less policy could be the carrot that gets the CIO or the governance team on board. Everyone hates the process of agreeing to and getting approval for multiple policies.

Once you have senior management or governance support, there is a three-step process:

Run a workshop to identify which ITAM policy statements are required to achieve ITAM outcomes for YOUR organisation (guess what, we’re running a masterclass to help you do this very thing NEXT MONTH!)

2) Do a gap analysis between what you need in the policies and what is already there. To do this, read through the existing policies with a fine tooth comb to identify which policy statements are covered by which statement in the other policies… yes it’s tedious, but policy work always is!

3) Agree with the owners of the other policies whether to add new policy statements or modify existing statements to ensure ITAM requirements are covered.

The owners of the existing policies will be responsible for communicating any updates or changes, which is a bonus!

Define and publish an ITAM Standard

If the problem is that existing policies cover your needs but you find that people don’t understand how to interpret them to achieve ITAM outcomes, then another approach is to draft and publish an ITAM standard. The standard simply expands and builds on existing policies to explain how assets, specifically, need to be managed to achieve organisational outcomes. It shouldn’t contradict existing policies in any way, it simply should provide an extra level of detail and specificity to help people understand how they should be managing IT assets.

The great thing is that the bar for approval of a standard is much lower than for a policy. You may even get away without approval of the standard by senior management – as with so many things in ITAM, settling for tacit approval can be really helpful. Basically, as long as no one complains too loudly, it’s been approved!

As for enforceability, if someone fails to follow your standard then they are, pretty much by definition, breaching the underlying policy, so the requirement is still enforceable, particularly if you have matched each statement in the standard to its underlying policy statement as part of the standard writing exercise.

The downside is that it is up to you to communicate the standard and explain what it means to the people who need to understand and apply it… but an excuse to spend time talking to people about ITAM is always a good thing!!

If you want to go down this road, then you should:

1) Make sure you understand the existing policies

2) Identify how those existing policies should be reflected in statements in your ITAM standard (guess what! We’re running a course next month that will help you do this NEXT MONTH!!)

3) Double check that none of your requirements conflict with or are absent in the existing policies – if they do you need to either drop the requirements OR work with the owners of those policies to agree amendments to their policy – which we covered in the previous section

4) Draft the standard using a similar format to a policy, but making clear which policies it is subordinate to

5) Communicate the standard to the people who need to apply it,

What Road would you take?!

In reality, you may find you need to incorporate bits of all these approaches. Even if you are taking the classic approach of writing a standalone ITAM policy, you will probably find yourself contributing ITAM requirements to the acceptable use policy as for most organisations that is the only end user facing IT policy. On the other hand, you may have written an ITAM policy with the intention of getting it approved as a standalone policy, but find you are struggling to jump through the approval hoops, so it may be easier to turn it into a standard and take advantage of the fact that no one is complaining to achieve tacit approval.


No matter which tack you take, our ‘Write your own ITAM policy masterclass’ held on XXX will help you identify your ITAM policy / standard requirements, ensure you are aligned with existing policies, and consider the best approach to obtaining approval and ensuring your policy or standard is enforceable when it needs to be

We look forward to seeing you there!