Policies are an integral element within an organisation’s defence strategy. Though quite often overlooked, they inform the way cyber security threats are handled by employees. They also provide guidance on how to properly use defensive technology, whilst clearly demonstrating organisational support for cyber security. Today, then, we outline some important IT security policies that you should have in place. All the key security frameworks, such as Cyber Essentials, GDPR and ISO 27001, are heavily based upon having excellent policies and policy management.

Top tip

Before we get into the actual policies, organising and structuring them is key. The ICO suggests that large organisations should have anywhere up to 50 policies in place. Whilst we’d suggest that smaller companies should aim for up to 12, managing these can still be difficult. Consider then adopting a 3-tiered approach:

  • Management policies
  • Employee policies
  • Joint policies

A good portion of the policies you should have will only need to be read and understood by the management team. There will then be some that employees should have access to, either in part or in full. These should be included within a staff handbook – more on that below. Joint policies are simply those which should then be made available to all, and might include acceptable use and bring your own device (BYOD). Assuming that you agree with this suggestion, we’ll begin with some key management policies.

MANAGEMENT POLICY: Main security policy

An obvious entry, perhaps, but one which nevertheless must be in place. All IT security policies should be prepared with a purpose and scope in mind. They should then lay out the procedures involved. The main security policy can be seen as a master document, outlining the rules and expectations for user / employee behaviour. Consequences for not adhering to the rules should be made clear. All risks within the organisation should be listed along with guidelines on how to reduce them. If you have a staff handbook, this policy can be added at the start of the security section. It is here where you can also add information explaining what the policy / policies are for – i.e., they protect the confidentiality, integrity and availability of systems and data.

MANAGEMENT POLICY: Record of processing activities (ROPA) policy

A ROPA policy is one means of ensuring that your organisation is compliant with the GDPR. As stated in Article 30, “Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility.”

This policy lays out your data processing practices and activities. Typically it includes HR, marketing and any third-party activities which require personal data to be processed. Once you have a ROPA policy in place it then becomes far easier to identify the risks involved.

MANAGEMENT POLICY: Privacy policy

This is a statement which sets out and defines some or all of the ways an organisation collects, uses and manages a customer or client’s data. Personal information can be anything that is used to identify an individual and typically includes the following:

  • Name
  • Address
  • Date of birth
  • Marital status
  • Contact information (i.e., an email address)
  • Credit information

The type of organisation informs exactly what information can or should be gathered. Sometimes referred to as a privacy notice, this is a critical aspect of any security infrastructure.

EMPLOYEE POLICY: STAFF HANDBOOK with security policies

You may not have expected this to be included but there is no doubting the importance of a good staff handbook. You can have all the policies in the world but getting an employee to take notice of them is harder than it is to simply give them one of these on day 1. Indeed, all of your policies should be found within and we’d advise you to require staff to sign a policy acknowledgement. Your staff handbook should be a work-in-progress given the nature of policies in general, and it is far easier to make updates in this way. We would advise that this live policy is updated every 6 months, with all employees required to confirm that they have read and understood the changes made.

JOINT POLICY: Acceptable use policy

This outlines the acceptable use of computer equipment. Typically, this is where you will define the inappropriate use of information systems and the risks that such use creates. An example of this is an employee accessing data through a company computer for reasons not related to their role.

It is not uncommon for an organisation to require employees to sign an acceptable use policy before they are granted access, login details, etc.

Other important policies

Here are some more you should have – use this list to gauge how robust your own security framework is:

Management policies

  • Back-up policy
  • Data breach response policy
  • Disaster recovery plan policy
  • Risk assessment standards and procedures policy

Employee policies

  • Change management policy
  • Incident response policy
  • Password / passphrase creation and management policy
  • Remote access policy (this is more important in the post-COVID world)
  • Security awareness and training policy

Remember to include these in the staff handbook, either in full or through critical snippets!

Joint policies

  • Bring your own device (BYOD) policy

In this article, we have attempted to list some important IT security policies. The number and nature of your own policies will largely depend upon the type of business you are operating. For a more comprehensive assessment, feel free to contact our cyber security experts. They’ll be happy to steer you through, ensuring that your cyber awareness increases along the way.

*The ICO provides an excellent breakdown of ROPA here.