Creating cyber security policies

Regardless of size, all businesses that use IT or online services should have a cyber security policy. It doesn’t even have to be a formal policy document; you simply need to choose the means and degree of formality that is right for your circumstances, as long as everyone who works for your business understands its key points.

There is an excellent analysis of how different types and sizes of business need different security structures in a guide for SMEs (small and medium-sized enterprises) produced by the Information Commissioner’s Office.

Regardless of how you document and distribute your policy, you need to think about how it will be used. A cyber security policy has three main functions:

  • To tell people who don’t know what to do (and what not to do).
  • To remind people who have forgotten or fallen into bad habits.
  • To warn people what will happen if they don’t follow your policy.

What your policy needs to cover

Your cyber security policy doesn’t need to be very long; most SMEs should be able to fit theirs onto a single sheet of paper. The most important thing is clarity. You need to explain:

  • The objectives of your policy (ie why cyber security matters).
  • Who has issued the policy and who is responsible for its maintenance.
  • Who is responsible for enforcing cyber security (including user responsibilities).
  • Your key security controls (and where to find out more about them).

The Department of Trade and Industry (a precursor to the current Department for Business, Innovation and Skills) produced a Business Manager’s Guide to Information Security (PDF) that contained an example one-page policy that you can use as a model.

Staff practices

Not all your security controls will be IT controls. Many of them will relate to what your staff should and should not do. To avoid confusion and the possibility of later disagreement you need to define these practices and make sure your staff understand and follow them.

Larger businesses will want to document these practices, while smaller firms might use a less formal approach.

There are a number of staff practices that should always be documented, however simple your approach. These include:

  • How job applicants are screened and checked before employment.
  • Security awareness training, including how staff can identify your sensitive information and how they should handle it.
  • A clear policy covering remote working, whether from home or elsewhere.
  • A clear policy for business use of personal devices.
  • A clear policy covering private use of company equipment.
  • A clear policy on engaging with social media.
  • Clear initial instructions on what to do if there is a security incident.

Without these you cannot expect your staff to always do the right thing – nor complain or take disciplinary action if they don’t.

You also need to ensure that you keep within the law, particularly the Data Protection Act, and any other regulations that apply.