How to create an IT Security Policy for your business


Why should you have an IT Policy?

Clearly defined rules about the use of IT in your business set out what your employees can and can’t do when they are at work, so an IT Security Policy is highly recommended. Formally documenting boundaries ensures:

  • Productivity is maximised – staff are doing what they should be doing, reducing the need for disciplinary action or dismissal
  • Your customers are protected
  • Illegal acts by your employees are avoided, so your business doesn’t end up in court

What should an IT Policy cover?

With the increased popularity of social networking sites, many employers are having to write or update their existing policy to provide guidance to employees as to what is expected of them. A typical IT policy would cover:

  • Email and internet use
  • Software use
  • Data protection – if you store personal and sensitive data about your customers, your employees will need to adhere to data protection rules
  • Security
  • Working from home
  • Using Portable Company Devices (and USB memory sticks)

The first step in formulating your IT policy is to look at what could go wrong and think about how this could be prevented. It’s always a good idea to speak with your employees when formulating your policy: it helps to gain their support for the final policy, which is a good thing for your business and for them.

Where to start …

Formulating an IT Security Policy can be quite time-consuming, so an independent HR consultant might be able to provide a cost-efficient solution that is fully tailored to your circumstances.
In addition, there are plenty of free templates available to download from the internet to give you a starting point, but these are generic documents, so they may not be appropriate to your requirements or business. ACAS provide a comprehensive guide on how to write a social networking policy.

Ensure employees understand why you are implementing an IT Security Policy (to protect both them and your business). It’s better to call a short staff meeting to explain why the policy is being introduced, talk your staff through its key requirements and distribute the policy at the meeting. If any employee doesn’t understand something, the meeting also gives them the opportunity to ask questions. It’s also a good idea to leave a copy of the policy in a place that is accessible to all, such as the staff room or the staff SharePoint (or shared server folder). Whenever a new member of staff joins, they too should be issued with the policy as part of the induction process.


As with all your policies and procedures it’s a good idea to review these on an annual basis and make any changes as necessary. Also, make sure any changes are communicated to your staff and an explanation given if needed. It’s also a good idea to invite staff feedback if any problems are encountered while working with the policy.


Simon Tonks

Owner and MD of Synium who loves his job, his life and the wondrous outdoors - especially when on a bike of any kind (but preferably on a mountain bike going downhill fast). Please get in touch if there is anything IT related I can help you with (or if you want to talk bikes :-)