Simple policies your company can introduce today to stay protected tomorrow!

Cyber Security and Data Protection can be overwhelming. There is an enormous amount of advice on the Internet, but it is quite difficult to know how to get to started.

At CyberSmart believe that Cyber Security should be accessible and easy for everyone. Therefore we have compiled a series of useful policies and procedures to help you find your way through the cyber compliance jungle.

We know policies are not exciting and not many people like to read or write them, but they are crucial for building a strong information security management system (ISMS). At CyberSmart we see them as guidelines to know what we can, should or shouldn’t do.

A few key points before we look at the Information Security Policy:
1. Policies don’t have to be long or too wordy;
2. You don’t need to have 100s of policies, some can be combined, and others omitted
3. Policies should say what you do, and then you should do what you say – in other words, policies should reflect the state of the ISMS
4. Policies should be as unique as your business. Don’t just download a template and change the name. Think about every paragraph and how it can be applied to your business.
5. Policies should reflect your company culture and someone should have clear ownership.

Information Security Policy:

Purpose: To lay the foundation for the information security management system (ISMS); It should cover people, process and technology at a high level. Sometimes it can be seen as a collection or summary of all the other policies a company may have rolled out.

General: The information security policy might look something like this. Its purpose is to define the management, personnel and technology structure of the ISMS.

A crucial part of this policy is answer questions around responsibility. “Who is the single point of contact responsible for information security” Is it the CEO or the IT manager or do you need to appoint someone? Also, it is important to define the scope of the policy, i.e. the policy could be applicable for the entire HQ in London or maybe just a few departments at another office.

A. Purpose & Policy Aims

B. Scope

C.Information Security Responsibilities

D. Legislation

E. Policy Framework

  • Personnel Security
  • Asset Management
  • Access Management
  • Cyber Essentials


Once you have created your first draft – or downloaded our free version here (for companies who are already Cyber Essentials certified), remember that the policy is never complete. It should be reviewed on a regular basis and updated to reflect any changes in the IT system or the business.

If you have any questions around policies or Cyber Security in general or just want to have a chat, drop us a line at

Protecting your data and organisation is hard work — let us help you make it easier.