
What should my organisation's IT policy include?

2nd February 2018 by Alex Bateman in Virtual College. Last updated on 24th April 2018.

There are few issues facing modern businesses with as much hot-button significance as cyber security. As digital technologies become more and more ingrained into all aspects of corporate life, the pressure on companies to safeguard their sensitive data with a robust IT policy only grows more pronounced.

The importance of getting it right on cyber security was underlined by a UK government report from 2017, which indicated that one in ten of Britain's biggest companies operate without a response plan for a cyber incident, while 68 per cent of FTSE 350 boards have not received any training on how to deal with such an occurrence. This isn't a great look for organisations of any size - and, more to the point, it puts them at risk of falling prey to cyber criminals, and suffering significant financial and reputational damage.

With new laws such as the EU's General Data Protection Regulation (GDPR) now coming into force, it's more vital than ever before for business leaders to pay proper attention to devising a comprehensive IT policy, as this is the only way to ensure that everyone within the organisation knows their responsibilities when it comes to data protection and security.

How to develop a corporate IT policy

Drawing up a comprehensive IT policy for your company means putting a proper structure in place, leaving nobody in any doubt as to what aspects each section of the document covers, and which members of the organisation will be responsible for executing and enforcing it.

This means assigning overall accountability for IT and cyber security issues to a specific department or individual - a key consideration, given that the new GDPR rules will stipulate that all companies over a certain size will have to employ dedicated data protection officers.

The document itself, meanwhile, should be clear about the scope of what each policy includes and how it should be deployed, with specific, action-oriented descriptions and step-by-step procedures placed alongside at-a-glance overviews for quick scanning. You should also remember to ensure your IT policy is updated regularly in line with evolving regulatory standards, and that these revisions are easily traceable.

Suggested principles

Naturally, the full scope and remit of your organisation's IT policies are likely to depend on the type of business you run, and the nature of the data you're responsible for processing. However, there are a few policy principles that are likely to be key components of any well-structured IT plan:

  • Acceptable use - detailing the circumstances under which corporate IT resources can be permissibly used
  • Confidential data - defining which information the company deems to be sensitive, and explaining how it should be handled
  • Network access - explaining to staff and guests what procedures exist around device passwords, firewalls, networked hardware and wireless network usage, as well as covering what needs to be done to ensure security when connecting mobile devices
  • Emails - outlining usage guidelines for the company email system to reduce the risk of any email-related security incidents
  • Passwords - making sure that all members of staff are adhering to consistent standards when it comes to selecting robust, confidential passwords that cannot be easily guessed
  • Physical security - defining a policy for how physical devices are handled and transported, guarding against common risks
  • Incident response - providing a step-by-step guide for everyone within the organisation to follow in the event that a breach does occur, with a focus on alerting the relevant parties, minimising the impact on network and data integrity, and recovering as quickly as possible

The need for rigorous training

Putting together a robust IT policy represents a big step towards a more secure and forward-thinking future for your organisation, but you need to remember that these policies won't enact themselves - that duty falls on the company's staff, all of whom need to be well-drilled on their new responsibilities if they're going to be able to live up to them.

As such, any new IT policy should be accompanied by rigorous training initiatives to make sure everyone within the organisation - from the highest-ranking members to the frontline staff - knows and understands these principles from back to front. After all, it only takes a single act of negligence to create a potentially critical weakness in your company's cyber defences.

By committing the necessary resources to learning and development, you can avoid this eventuality, and ensure that your organisation is seen as a secure and trusted steward of confidential data for years to come.


Author: Alex Bateman

Alex is interested in the strategic application of learning and development. In particular how organisations can promote engagement with ongoing learning campaigns. He spends his spare time renovating his Victorian house. Ask him about his floors, I dare you.
