A couple of months ago we shared our approach to “IT minimum practices in 60 seconds” (please check it out if you haven’t already). The checklist recommends implementing policies as early as possible and we’re pleased to launch our 2025 IT Policies Template to help you do just that.
By using our IT Policies Template, you’ll specifically be able to:
- Provide staff with clear guidelines for IT usage, reducing risks and issues.
- Enhance your security posture, boosting compliance with GDPR and Cyber Essentials.
- Focus on what matters most to you!
We believe clear policies can also improve operational efficiency and reduce downtime, as well as enabling your IT infrastructure to scale more simply, helping you with growth and agility in ever more competitive markets.
Our template contains 27 essential IT policies covering critical areas of IT management, from data protection and device security, to disaster recovery and use of AI, and includes supporting documents such as Starter/Leaver forms, Risks and Issues Register and more.
Whilst our IT Policies Template is designed to be as easy to use as possible, you’ll need to remember these are not policies you can ‘sign and forget’. For proper implementation, we provide recommendations for policy customisation and implementation activities.
For example, having a Data Protection Policy is a great idea, but worthless without a record of what data you hold. Once you’ve completed your Data Audit, then you can sensibly implement important policies such as backup and disaster recovery. The recommended implementation activities are detailed on our website and whilst you can complete these yourself, we are always available to help if you need us.
The full Policies Template is only £295, but for those upgrading from our 2023 or 2024 templates, the cost is £145. Prices exclude VAT.
Our Summary document and the Implementation Tasks associated with the IT Policies Template are both below.
If you prefer to speak to one of us, please book a call or email us hello@grace.solutions.
Summary
Background
Our IT Policy template contains the minimum practices for managing your organisation’s technology to meet Cyber Essentials (CE) requirements and to underpin your GDPR compliance without merely ticking boxes; critically, these practices will also help you to remain compliant efficiently and effectively.
Below we have provided a summary for each policy, some business justification, notes on how the policy aligns with CE and/or GDPR, and an outline of the necessary implementation tasks. The Policy template pack contains the additional supporting documents required for recording policy compliance.
Please note:
- For GDPR compliance, additional tasks/policies will be required.
- Whilst certifications such as CE only assess your compliance at one point during the year, you are expected to stay compliant continually.
- The implementation works are not included in the template cost as these can be carried out by you. If you would prefer this work to be completed by us, we would be happy to provide a formal quote.
- Although you can achieve CE/GDPR by doing less in some areas, based on a century of IT experience, we would recommend you adopt these as your minimum practice.
Summary of IT Policies:
Password Policy – Password management is the responsibility of every member of staff. Unauthorised access to systems using an unprotected password could cause a great deal of reputational or financial damage to the organisation. This policy is required for Cyber Essentials Access Control.
Data Location and Access Policy – It is important for every user to ensure that they only save information where they are supposed to, otherwise that data is at risk of being accessed by people outside the organisation or without the proper credentials. The organisation needs to mandate, and wherever possible, control, where people save data. This policy underpins your GDPR compliance.
Privacy Policy – Under GDPR legislation, people need to know what you are doing with their data and why you have asked for it. It is up to you to ask only for the data you legitimately require and the justification for needing the data must be publicly documented. The organisation also has a legal responsibility to safeguard the data, as legally, the data remains the property of the people who provided it to the organisation. This policy underpins your GDPR compliance.
Data Retention Policy – You must comply with GDPR and have a responsibility to ensure you understand what data you hold, where it is stored and how long it needs to be kept for. If data is lost due to an incident, the less that is lost and the more its content is understood, the more it will mitigate the penalties. This policy underpins your GDPR compliance.
AI Usage Policy – Artificial Intelligence (AI) is becoming more useful for organisations, but it can come with significant hidden risks. AI uses any data you give it to train itself and it stores that data too. There are mitigations and subscriptions that can reduce the threat, but the danger needs to be understood by everyone in the organisation, and the knowledge imparted as to what they should and should not do. This policy underpins your GDPR compliance.
Data Backup Policy – It is the company’s legal responsibility to protect any data that pertains to staff or clients. Companies do not typically survive the loss of their data. For both reasons, data backups are critical. For this, all data locations need to be identified and regularly reviewed in line with the policy to ensure the correct levels of backup. Backups should be automated without the requirement for manual intervention. This policy underpins your GDPR compliance.
Disaster Recovery and Business Continuity Planning Policy – It is essential to match the backup function to your specific needs. This policy helps you to review and understand the organisation’s need for each of its data services. This policy underpins your GDPR compliance.
Encryption Policy – Encryption can prevent unauthorised access to data on stolen or mislaid devices. Even if someone removes the disk from a stolen device, any data saved on it cannot be accessed on another computer without the encryption key. This policy underpins your GDPR compliance.
Patching and Updates Policy – Patches are released to deal with discovered vulnerabilities that could allow someone to take control of your device, login to your systems, or impersonate you. This policy is required for Cyber Essentials Patching and Updates.
Risks and Issues Policy – This log is for you to record where you have assessed and accepted any risks arising from equipment that does not comply with the legislation. It includes any plans to replace systems with compliant ones and records any mitigations, so that you fully understand what mitigations and risks are associated with your IT. This is a general policy.
Security Awareness Policy – All users should be given ongoing Security Awareness Training for constant awareness of the latest breach tactics and changing security threats that threaten your organisation. This is a general policy.
Certification Policy – All systems used to store the organisation’s data that are not under the organisation’s direct control must also fully comply with the UK GDPR policies, and their compliance must be checked. This policy underpins your GDPR compliance.
Secure Configuration and System Commissioning/Decommissioning Policy – It is extremely important for every user to fully understand this section of the policy, as there is potential for lethal viruses, hacking and critical data loss if the policy is not followed when connecting with unmanaged devices or using unmanaged devices to access organisation data. This policy is required for Cyber Essentials Secure Configuration.
Software Policy – Hackers can easily build in back doors to software and then access the organisation’s system. Users need to understand the risks when installing software or using administrative accounts for day-to-day access. This policy is required for Cyber Essentials Secure Settings.
Bring Your Own Device (BYOD) Policy – Organisation managed devices are actively configured for security, protected from attack and monitored. Any use of unmanaged personal devices significantly puts the organisation’s data at risk. This policy is required for Cyber Essentials Secure Settings.
Working Away from the Office Policy – Wherever they are located when working, users should only ever use the organisation’s equipment, or they will risk putting the organisation’s data and systems in danger. This policy is required for Cyber Essentials Secure Settings.
Commissioning System External Access Policy – Misconfigured or unnecessary firewall rules allowing inbound access could cause serious security issues. This could potentially lead to people accessing systems and data without permission or encrypting your data. This policy is required for Cyber Essentials Secure Settings.
Malware Protection Policy – Grace Solutions recommends a managed solution over an individually installed one, as anti-malware is too important a task for end users to police themselves. It is vital that the anti-malware is fully functional and up to date. This policy is required for Cyber Essentials Malware.
IT Equipment Policy – Equipment must be cared for and maintained to ensure it remains fully operational and secure and to allow necessary replacements to be scheduled and budgeted. This is a general policy.
Firewall Protection Policy – If a rogue device enters a network, it can find misconfigured devices and wreak havoc, including stealing or encrypting data. However, this is preventable with the installation of a correctly configured firewall. This policy is required for Cyber Essentials Firewall.
Monitoring and Audit Policy – Keeping accurate records of what devices, systems and applications are in your environment allows you to plan, budget and check they are correctly configured and to restrict access where needed. This policy is required for Cyber Essentials and contributes to your GDPR responsibilities.
User Creation, Change and Deletion Policy – You must know what accounts exist and what each account has access to. This policy is required for Cyber Essentials and contributes to your GDPR responsibilities.
Remote Access to Systems from Third Parties Policy – The security policy is completely negated if the wrong person is given access to your systems. There may be occasions when other organisations will need access to your systems, but these should always be fully appraised and understood before access is granted. This policy is required for Cyber Essentials and contributes to your GDPR responsibilities.
Change Control Procedures Policy – It is important that you understand what changes are being made to the environment and systems, so that these can be implemented with the least impact and cost to the organisation. This is a general policy.
Email Use Policy – It is important that all employees use email appropriately to minimise risk to the organisation. This policy is required for Cyber Essentials and contributes to your GDPR responsibilities.
Internet Use Policy – It is important that all employees use the Internet appropriately to minimise risk to the organisation. This policy is required for Cyber Essentials and contributes to your GDPR responsibilities.
Incident Response Procedure Policy – Reacting fast and effectively to an incident will make a huge difference to the amount of damage caused to the organisation. This policy contributes to your GDPR responsibilities.
Implementation Tasks
The following table contains a summary of information and tasks related to each of the policies – in particular:
- Whether or not the policy needs to be customised to the specific client’s needs.
- Whether the policy contributes towards compliance with either GDPR or Cyber Essentials.
- What essential tasks need to be completed for the successful implementation of the policy.
There are three implementation tasks common to all policies, so not explicitly listed in the table:
- Adopt and configure – no policy is useful until it’s been configured for the specific client where relevant and formally adopted.
- Create, monitor and report on technical controls – it’s minimally effective to introduce a policy that is not monitored, so where possible, technical controls should be created and monitored to ensure there is ongoing policy compliance.
- Train staff – policies that are adopted without training are far less effective, so for all policies, relevant staff should receive appropriate instruction on how to use and comply with the policy.
| Policy Title | Customise | CE | GDPR | Implementation Tasks |
|---|---|---|---|---|
| Password Policy | Yes | Yes | No | · Audit and update all passwords to new standards. · Adopt and deploy a password management system. |
| Data Location and Access Policy | Yes | No | Yes | · Audit IT systems to identify active data locations. · Add locations to the Data Locations Spreadsheet and evaluate each for compliance. · Identify non-compliant locations; move the data if a better system can be used, or add them to the Risks and Issues Log. · Move data from unallowed/unlisted locations, e.g. local hard drives. · Document the type of data and the justification for storing it, for each location. |
| Privacy Policy | Yes | No | Yes | · Publish a Privacy Policy. Create and maintain a Data Protection Statement. |
| Data Retention Policy | Yes | No | Yes | · Determine how long data will be held for and who will be responsible for deletion. |
| AI Usage Policy | Yes | No | Yes | · Determine which service(s) can be used. |
| Data Backup Policy | Yes | No | Yes | · Perform a risk analysis for each location, including RTO/RPO and impact analysis. · Create a remediation plan to ensure backups are in place where required and are run within the agreed protocols. · Note mitigations on the Risks and Issues Log. |
| Disaster Recovery and Business Continuity Planning Policy | Yes | No | Yes | · Create a recovery plan for each set of data. Plans should detail how and when data should be restored in order to meet business expectations. |
| Encryption Policy | Yes | No | Yes | · Create a remediation plan for each device type on the Asset Register, to ensure local storage is encrypted. · Ensure a set of Intune policies are created. · Implement and configure Mobile Device Management. |
| Patching and Updates Policy | Yes | Yes | No | · Audit all devices and ensure they are contained in the Audit Log. · Implement a plan to ensure outstanding updates and patches are installed on all audited devices. · Audit devices to ensure updates are automated and managed, or added to the manual patch list. · Ensure schedules are appropriate for the organisation. |
| Risks and Issues Policy | Yes | No | No | · Implement a Risks and Issues Log. · Assign a named nominee to ensure directors complete regular reviews of the log. |
| Security Awareness Policy | Yes | No | No | · Audit the user list and training records. · Implement an approved Security Awareness Training system. |
| Certification Policy | Yes | No | Yes | · Audit storage locations to ensure compliance. |
| Secure Configuration and System Commissioning & Decommissioning Policy | Yes | Yes | No | · Create a Device Log and list and audit all devices. · Configure devices to use a single, agreed controlled source for configuration and authentication. · Record any devices that cannot be configured in the Risks and Issues Log. · Audit all systems for MFA and SSO – remediate systems to use these or add them to the Risks and Issues Log. · Choose and deploy a Device Management system and configure this with the agreed policies. · Choose and deploy a Remote Monitoring and Management (RMM) solution and configure this with the agreed policies. · Choose and deploy an endpoint management solution and configure the agreed policies. · Audit and remove any administrative accounts that were previously created, create new break-glass administration accounts and demote any user administration accounts. · Add any non-compliant system to the Risks and Issues Log. |
| Software Policy | Yes | Yes | No | · Audit all devices to create a database of installed software. · Create and audit a list of required software, including licensing needs. · Remove any unauthorised software from systems. · Implement a solution to routinely update software. · Add any non-compliant software to the Risks and Issues Log. |
| Bring Your Own Device (BYOD) Policy | Yes | Yes | No | · Audit all device usage. · Compile a list of non-organisation-owned devices that require access. · Create and execute a remediation plan to adopt/commission these devices. |
| Working Away from the Office Policy | Yes | Yes | No | · Common essential tasks only. |
| Commissioning System External Access Policy | Yes | Yes | Yes/No | · Audit firewall rules on all devices. · Document all required rules in the Externally Available Systems Log. · Create and execute a remediation plan to remove all unnecessary rules. |
| Malware Protection Policy | Yes | Yes | No | · Implement an appropriate malware protection solution. · Audit all devices to ensure there is an approved malware protection solution in place. · Create and execute a remediation plan to install malware protection on devices without it. · Ensure the MDM will block access from any device capable of accessing non-standard application stores. |
| IT Equipment Policy | Yes | No | No | · Common essential tasks only. |
| Firewall Protection Policy | Yes | Yes | No | · Using the Device Log, Device Management and the RMM, configure policies to ensure all firewalls are always on. · Manually configure or fix issues on any devices without active firewalls. |
| Monitoring and Audit Policy | Yes | Yes | Yes | · Adopt and deploy an RMM. · Audit devices to ensure each is contained in the RMM, monitored externally, or included in the Risks and Issues Log. |
| User Creation, Change and Deletion Policy | Yes | Yes | Yes | · Audit all user accounts, permissions and systems access. · Remove unnecessary accounts, access and permissions. |
| Remote Access to Systems from Third Parties Policy | Yes | Yes | No | · Common essential tasks only. |
| Change Control Procedures Policy | Yes | No | No | · Audit systems that need to be change controlled. · Implement a change control procedure. |
| Email Use Policy | Yes | Yes | Yes | · Common essential tasks only. |
| Internet Use Policy | Yes/No | Yes/No | Yes/No | · Common essential tasks only. |
| Incident Response Procedure Policy | Yes/No | Yes/No | Yes/No | · Common essential tasks only. |