Last updated: 19.02.18

What to Include in an IT Policy

Gone are the days when IT policies were reserved only for large organisations with entire IT departments and dozens, if not hundreds of employees. The prevalence of information use across all aspects of all businesses, from small to large, means that there are few SMEs that truly have no need for an IT policy, even if it’s just one that covers the basics. The aim of course is that an IT policy will help ensure that the business is using all of its IT assets correctly, including complying with legal requirements, guarding itself against risk, and getting the best use out of them.

If you’re getting into the position where you think your business needs a documented policy, then you’re probably wondering what you need to include. You may well have a vague idea of some of the elements that need to go in there, but this article should give you a good overview of the essential components.

It’s worth noting that an IT policy is usually a grouping of several different policies that all come under the umbrella of IT. It’s also much easier to format the document this way, so that individual elements can easily be found.

Introducing the Policy

You will need to begin the IT policy by setting out an introduction that covers a few areas that will contextualise the whole thing. You’ll want to start with an overview that summarises the key points that can be found in the document, and then think about the main question words. When is this document applicable? Who is it applicable to? What does it cover? How does it cover this?

Acceptable Use

One of the main points of any IT policy will be looking at what constitutes acceptable use within your business. This means outlining exactly how employees are permitted to use your IT assets. When can they use them? Who can use them? What can they use them for? Usually this section will briefly explain things like whether it’s acceptable to use company IT assets for personal activity, such as sending personal emails or using work laptops to browse the internet at home.

Email Policy

Emails are the main form of communication between employees, which means that they’re naturally going to need covering in the IT policy. There are a few important points that the policy really needs to cover. The first surrounds privacy and confidentiality. You need to make it clear in your policy what can and cannot be shared by email, and by who. You also need to give guidance on how email can be used safely to ensure that it’s not a security risk. Phishing scams for instance often target work emails, and your employees need to know how to deal with them. In more complex email policies, your IT staff will need to help in regards to the more technical aspects of email setup and maintenance.

Data Protection

This is a really big consideration, especially given the changes that GDPR has made to how data can be handled and used. It’s a major compliance issue with repercussions both in terms of the business’ security, and potential repercussions from the authorities. Your data protection policy needs to determine what data needs to be protected and how you’re going to do this in accordance with your responsibilities, such as providing plenty of security and backups.

Network Security

Your network is only as strong as its weakest link, and it’s one of the main ways in which cyber criminals will attempt to gain unauthorised access to systems and data. As a result, you need to ensure that your network has its own policy, which looks at how it’s set up and maintained, and who has access to it and how it can be used. Good cyber security for business places a very heavy focus on this.


Cyber security incidents are on the rise all over the world, so it’s little surprise that details about how to respond are now very much commonplace in an IT policy. You should explain what happens in such an event, and who should deal with it. In addition, there should be a policy for reporting this to the authorities, which may be a legal requirement.


Passwords are generally the first step to good cyber security, and while you might expect that everyone knows their responsibilities, these days, this isn’t always the case. Password policies are therefore essential, which dictate how secure passwords should be, where they should be used, and how often they should be changed.

Training and Support

Training and support should have its own policy section, which discusses how general employees of the business can receive support for any IT related issues that they are encountering. It should also detail who needs to be trained in various aspects of IT and when. Cyber security training in particular may be important. You can find out more about this on the dedicated Virtual College introduction to cyber security course page.

Physical Security

The final thing to think about is the physical security of your IT assets, which means keeping hardware such as laptops, computers, phones and hard drives physically safe, both from damage, and from getting into the wrong hands. This should be fairly straightforward and slot in with your overall safety and security policy for the premises.

Related resources