This is the policy every other one refers back to. Keep it short, owned, and reviewed annually. The version below is a working starter — edit the bracketed placeholders, drop in your specifics, and circulate.
Purpose
This policy sets out how [Company Name] keeps its information and systems secure. The aim is to protect customer trust, comply with the law, support business continuity, and reduce the cost of getting it wrong.
Scope
It applies to every employee, contractor, intern, and authorised third party who handles [Company Name] information — on any device, in any location.
Principles
- Information is a business asset and is protected accordingly.
- Access is granted on a need-to-know basis only.
- Risks are identified, assessed, and managed proactively.
- Incidents are reported quickly and learned from.
- Compliance with UK GDPR, the Data Protection Act 2018, and customer contracts is mandatory.
Roles and responsibilities
- The Board owns information risk and reviews it at least annually.
- [Named Director] is the senior responsible owner.
- [Named Manager] runs day-to-day implementation and reporting.
- Every employee is responsible for following this policy and reporting concerns promptly.
Linked policies
Breach of policy
Suspected breaches must be reported to [Named Manager] within 24 hours. Confirmed breaches may result in disciplinary action up to and including dismissal, and may be reported to the ICO, the police, or relevant regulators.
Review
This policy is reviewed at least annually, after any significant incident, or following a material change in the business or its technology.
Last reviewed: [date] · Approved by: [name, role]
Tips for adoption
- Keep it to two sides of A4. Long policies don't get read.
- Get a director to sign and date it visibly.
- Reference this from the joiner pack — everyone reads it on day 1.