The top 20 IT policies every organisation needs
- Dan Hawtrey

Organisations and their employees are highly dependent on technology. When the infrastructure, devices, or applications we use fail or are not running properly, the impact can be significant. The working day can even come grinding to a halt.
For technology to run in an optimal, efficient, reliable, secure, compliant, and risk-free way every working day, there is a range of IT and technology-related policies and procedures that must be followed. These cover everything from basic use to cybersecurity approaches to rules around AI.
In this post we’re going to explore twenty of the most important IT policies that modern businesses need. We also briefly explore some of the challenges around managing and disseminating these policies, and how policy management software can prove to be an essential investment for IT functions looking to ensure employees can access the policies they need.
Why employees need access to IT policies and procedures
It is critical that employees have easy access to IT policies for multiple reasons:
- Agreement with IT usage policies is usually a key part of the process for employee onboarding.
- Cybersecurity risks are constantly changing, so effective access to policies and related procedures and guidelines is essential to combat an area of high risk.
- IT policies, procedures and guidelines help support an employee self-service approach to answering questions and getting things done, easing the pressure on busy IT helpdesk teams.
- In the event of a crisis that impacts daily operations, there will be an IT element of any business continuity or disaster recovery policy.
- AI is an emerging area which also has elements of risk, and following the right AI-related policies helps to support the effective use of AI.
- Increasingly, different functions and lines of business can procure their own cloud applications – but following IT processes and guidance on this can help maximise the benefits and minimise risks, ensuring new applications meet the right technical standards.
- Technology is integral to everything from smooth daily operations to driving innovation, and it is important that policies are followed to ensure technology is available and running as it should do.
- And many more!
Twenty top IT policies
Let’s explore some of the critical IT policies that every business needs. Note that there are some overlaps between some of these policies, and some need input from other business stakeholders too.
Acceptable use of technology policies
The acceptable use of technology is a common policy that spells out the do’s – but mainly the don’ts – about how employees use company-owned tech, describing the practices that must be adhered to and the procedures to follow. It will cover topics such as professional conduct, data privacy and more. Most employees will have to sign the acceptable use policy as part of their onboarding process but there may be some additional acceptable use policies which cover access to specific systems.
Cybersecurity policy
Cybersecurity is a critical area where it is essential for employees to be aware of the potential risks and spot a potential scam. A cybersecurity policy or policies might take in areas such as training and awareness, how to report an issue such as a phishing scam, procedures for what to do if there is an attack and so on. There is some crossover between a cybersecurity policy and some other policies in this list, such as the disaster recovery and data privacy policies.
Disaster recovery or business continuity policy
The disaster recovery or business continuity policy encompasses more than IT, but we’ve included it here because it encompasses a strong IT element. This will detail the plan for access to systems when a physical work location is out of action, or potentially what to do if systems are compromised because there is a cyberattack or data breach.
Bring Your Own Device (BYOD) policy
Many organisations have parts of the workforce that do not have a corporate-issued mobile device, usually on the frontline. Instead, they may allow limited use of personal devices to access some information. A BYOD policy outlines guidance on the use of personally owned devices at work.
Mobile Device Management policy
The security of mobile devices is paramount, so IT functions will have a Mobile Device Management (MDM) policy which covers the protection of corporate-owned devices in terms of how they are configured and managed, access to certain apps, and what happens if a mobile gets lost. Usually, an MDM policy will reference an MDM solution, which might be able to wipe data and apps remotely, for example. An MDM policy may also cover aspects of the BYOD policy.
Access control policies
Policies which stipulate the approaches to accessing different systems are important to help support security. For example, many IT departments follow a “zero trust” approach which means access to systems or applications is only provided to people who strictly need it. An access control policy will outline these approaches and then the processes for requesting and gaining access.
Password policies
Poor password management and practices can lead to data breaches and provide hackers with opportunities to steal data. A password policy will not only cover important practices for employees but also the settings in different applications such as multi-factor authentication, mandatory password formats and forcing password renewal after a certain time.
Data privacy policy
A robust approach to data privacy and compliance is essential in order to protect the data of employees, as well as that of customers. Most organisations will have a data privacy policy that is available for external use that stipulates approaches to data privacy and data management. Sometimes a legal team will craft this policy, although there will be a need for IT input. There will also be data privacy policies for internal use (which may also be covered in information security and acceptable use policies) that cover data usage and handling and are very specific in terms of processes to follow.
Information security policy
An information security policy will detail how information is handled, managed, stored, and transmitted, and helps to protect information assets. It ensures people without authorised access cannot access sensitive and confidential information. For example, an information security policy might establish different levels of security for information from “public” to “confidential” which then dictates areas such as access, where the information resides, management processes and so on.
Data retention policy
How long does an organisation need to retain its data? And how is older data stored and accessed? A range of legal and regulatory considerations, as well as any business requirements to access data and other practical considerations, will define the data retention policy for the organisation.
Data back-up policy
This policy provides information on how often data is backed up in order to minimise damage and disruption in the case of an outage or incident, as well as ticking boxes relating to compliance.
Remote access and related remote work policies
Most organisations operate hybrid and remote working. Remote access policies provide the detail of how to access key systems from outside the firewall and cover areas such as VPN use. There will be a range of other remote work policies too, some of which will relate to technology use and security.
Equipment and device ordering policy
How do I order a new mouse? What mobile devices are on offer? Can I upgrade my laptop? These are all common questions employees ask. Detailing the policies and the procedures relating to equipment and device ordering and ensuring these are easily found on a self-serve basis helps streamline equipment ordering.
What tool to use when policy
The “what tool to use when” policy guides employees to which application to use for which scenario. This is usually more of a guideline than a policy and not every business actually has one in place, but they should do. The digital workplace landscape can be overwhelming for users with overlapping functionality. The “what tool to use when” policy helps drive the best use of applications and underpins a good digital employee experience.
Standards for new vendors and suppliers
It is very easy for different teams and lines of business to procure their own cloud-based applications. But any new application or vendor supplying it must meet particular standards to ensure security, compliance, compatibility with the rest of the technical stack, efficiency, support, and long-term viability. Policies that stipulate the technical standards for new vendors as well as the process of how these will be reviewed are an essential component of effective procurement and help to preserve technical standards and a good digital employee experience.
IT processes for onboarding new employees
When a new employee starts in an organisation there are a number of processes that IT teams need to carry out including setting them up as a user, providing them with the right devices, setting them up with access to systems, putting them in the right Microsoft 365 groups and so on. The IT-related process for onboarding new employees is an important procedure which guides what the IT team, the line manager of the new hire, HR, and the new starter themselves have to do for a successful onboarding process.
Network security policy
Security is always a top priority for IT teams. The network security policy will gather a range of policies and procedures to ensure that the network infrastructure remains highly secure. In practice this will incorporate some of the other specific policies in this list such as the access control policy.
AI use and governance policy
Most organisations are actively using AI to transform their productivity, but this is still an area which is fast evolving, and which also comes with potential risks. Policies which cover AI use and governance provide the essential guardrails to ensure AI is used in the best possible way, giving employees confidence and reducing the chance of issues and incidents occurring.
Application-specific policies
There can also be a range of platform or application-specific policies around use and access to follow. For example, this could relate to specific parts of the Microsoft 365 suite that cannot be used, or whether external users can be invited to a Teams space, or how Salesforce is rolled out.
Environmental policies
At the moment not every IT function has policies about limiting the carbon footprint of their technology operation, but as the climate crisis continues to grow, we think this will become more important. An environmental policy can stipulate the aims to reduce emissions, the preferred credentials of suppliers and also any reporting.
What are some of the challenges with managing IT policies?
Policy management is particularly important for support functions such as IT who frequently set policies and procedures that employees must follow in order to minimise risk, drive efficiency, standardise approaches and underpin operations. But there are challenges in ensuring policies are:
All of the above can be particular challenges for IT functions with distinct and very busy teams with quite different roles, and where policies need to change frequently.
How can a policy management solution like Xoralia help?
Many organisations choose to invest in a policy management solution that can do much of the heavy lifting around policy management and overcome some of the associated challenges. Xoralia also has the extra advantage of seamless integration with SharePoint, with all data stored in your Microsoft 365 tenant, ticking all the security and compliance boxes for IT teams.
Xoralia’s features include:
Managing your IT policies
Effective management of your IT policies is important – benefiting busy IT teams, supporting users, minimising risk and more. Why not book a free demo of Xoralia to see first hand how it can support IT policy management?
The story behind Xoralia
Xoralia was built by the team at Content Formula, an intranet and digital workplace consultancy that has built SharePoint intranets for some of the world’s most famous companies. Now, most companies want their policies and procedures on the intranet but they don’t just want to store them there, they also want tools to help better manage them. Over the years we came across just about every single requirement for a policy management system. As this article above explains, there are gaps in SharePoint and so we never built what in our mind was the perfect policy management system.
However, one of our clients challenged us to build something for them that filled all the gaps but still used SharePoint at the back end. We had a great relationship with them and agreed to share the budget to do this, provided we could then market the solution to others. That was in 2019. We’re now on version 3 of Xoralia and the product has grown and evolved a lot.
3 benefits you can expect from Xoralia
Make it easy to find policies
Centralised policy library with powerful search and filtering.
Reduce administrative burden
Automations and notifications so that all policy tasks are carried out on time
Demonstrate compliance and best practice
Sophisticated tracking and dashboards to drive and measure compliance.
And lots more!
What our clients say

AppSource review
A great time saver and tool for document management

Tim Galer
IT Coordinator
Hughes
Ideal partner for our regulated environment

Adam Lythgoe
IT Manager
LifeArc
How to get started with Xoralia
Step 1: request a demo
Fill out our form and we will be in touch to arrange a time. You can even book a time yourself.
Step 2: get a price proposal
If you think Xoralia is for you ask us for a quote. This will set out any options you may have.
Step 3: install and launch
We’ll install Xoralia in your environment (or you can do it yourself). We’ll provide training and support to get you up and running quickly.
Here's what you'll get
- Central policy library
- Search and filter tools
- Mandatory read policies with attestations
- Quizzes
- Notifications and alerts
- Employee dashboard
- Line manager dashboard
- Works on mobile, in Teams and SharePoint
- New policy creation workflows
- Policy update workflows
- Review and approval gates
- Policy version history
- Compliance dashboard
- Audit trail
- Full reporting
And last but not least:
- Professional implementation service and support
- Evergreen software – frequent updates and improvements
- Comes with our "it just works" support warranty – we’ll fix any bugs, often before you even notice
Ready to get started?
Connect with us to streamline your policy management and ensure effortless compliance.

AppSource review
Uniting excellence in integration and features for seamless policy management

Rian Stuart
IT Manager
TwinStream
