A lack of rules can result in severe vulnerabilities because employees do not know how they should react if there is an incident, for example. Problems can also result from rules that are outdated, impracticable, or not clearly formulated.
The importance of these overarching organisational regulations increases with the complexity of the business processes and the scope of information processing at hand, but also with the protection requirements of the information to be processed.