How to Write a Cyber Security Policy for Your Business
A step-by-step guide to writing a practical cyber security policy for Australian small businesses — no IT degree required.
So you've decided your business needs a cyber security policy — great decision. Now comes the part that stops most business owners in their tracks: actually writing the thing. The good news is that a practical cyber security policy for a small business doesn't need to be a 30-page legal document. In fact, something clear, readable, and actually used by your team is far more valuable than an impressive-looking document that collects dust in a drawer.
Step 1: Understand What You're Protecting
Before you write a single word of policy, spend 30 minutes listing the types of information and systems your business relies on. This is called a data and asset inventory, and it's the foundation everything else is built on.
Ask yourself:
- What customer data do we hold? (Names, emails, addresses, payment details, health information?)
- What business data would hurt us most if it were lost or stolen? (Financial records, contracts, intellectual property?)
- What software and services do we depend on? (Accounting software, CRM, email, cloud storage?)
- What devices do we use? (Laptops, desktops, mobiles, tablets, point-of-sale systems?)
This inventory doesn't need to be exhaustive — a simple spreadsheet or even a handwritten list is fine. The purpose is to make sure your policy covers what actually matters to your business.
Step 2: Assign Responsibility
Every policy needs an owner. In a small business, that's often the owner or manager themselves, but it could also be a trusted senior employee. Your policy should clearly state who is responsible for:
- Maintaining and updating the policy
- Responding to security incidents
- Making sure staff are trained and aware
If you use an external IT provider or managed service provider (MSP), note their role too — but make sure internal responsibility is clear. Don't outsource accountability entirely.
Step 3: Write Your Core Policy Sections
A practical small business cyber security policy typically covers the following sections. You don't need all of them on day one — start with the most relevant and build over time.
Password and Account Security
This is the section most businesses need to get right first. Cover:
- Minimum password length and complexity (the ACSC recommends passphrases of four or more random words)
- Whether passwords can be shared (they shouldn't be)
- The requirement to use multi-factor authentication (MFA) on all important accounts — especially email, banking, and accounting software
- What to do if a password is compromised
Device and Software Use
Cover both business-owned and personal devices used for work:
- Are staff allowed to use personal devices for work? If so, under what conditions?
- What software is approved for use? How do staff request new software?
- Are devices encrypted? (See our article on encryption for small businesses)
- What happens to devices when staff leave the business?
Data Handling
Define how sensitive information should be treated:
- What counts as "sensitive" data in your business?
- Where can sensitive data be stored? (Only on approved, encrypted systems)
- Can sensitive data be emailed? If so, how? (Encrypted, or via a secure file-sharing service)
- How long do you keep different types of data, and how do you securely delete it?
Access Control
The principle of least privilege — giving people access only to what they need — is one of the most effective cyber security controls available. Your policy should state:
- Staff only have access to systems and data they need for their role
- When a staff member leaves, their access is removed immediately
- System administrator access is reserved for those who genuinely need it
Incident Response
What do you do when something goes wrong? Your policy should include a simple incident response procedure:
- Identify: How do staff recognise and report a potential incident?
- Contain: What immediate steps should be taken? (Disconnect the affected device from the network and change passwords)
- Report: Who internally needs to be told? When do you need to report to the OAIC under the Notifiable Data Breaches scheme?
- Recover: How do you restore normal operations?
- Review: What can you learn from what happened?
The ACSC operates the Australian Cyber Security Hotline at 1300 CYBER1 (1300 292 371). Include this number in your incident response section.
Remote Work and Cloud Services
If any of your team works remotely, or if you use cloud-based tools (which almost all businesses do), address:
- The requirement to use a VPN or secure connection when accessing business systems from public Wi-Fi
- Approved cloud storage and collaboration tools
- Screen locking and physical security when working in public spaces
Step 4: Keep the Language Plain
Write your policy in the same language you'd use to explain something to a new employee. Avoid technical jargon. If a term like "multi-factor authentication" comes up, explain it briefly in brackets: "multi-factor authentication (MFA — a second verification step beyond your password, like a code sent to your phone)."
A policy your team can understand is a policy your team can follow.
Step 5: Get Staff Input and Sign-Off
Before finalising your policy, share a draft with any staff members who will be expected to follow it. Their practical input often reveals gaps — "What about when we need to share files with clients?" or "What about the iPad we use at events?" Incorporate their feedback and make sure everyone reads and signs off on the final version. Keep a record of those sign-offs.
Step 6: Review Regularly
A cyber security policy isn't a set-and-forget document. Set a calendar reminder to review it at least annually, and also review it whenever:
- You take on new staff or lose a staff member
- You adopt a major new system or tool
- You experience a security incident
- There are changes to relevant laws (like updates to the Privacy Act or new ACSC guidance)
Free Resources to Help You
You don't need to start from a blank page. The ACSC provides free small business resources at cyber.gov.au, including templates and checklists. The Australian Small Business and Family Enterprise Ombudsman (ASBFEO) also offers guidance on cyber security obligations for small businesses.
Key Takeaways
- Start by inventorying what data and systems your business relies on — this shapes everything else.
- Assign clear internal responsibility; don't outsource accountability to your IT provider.
- Core sections to cover: passwords and MFA, device use, data handling, access control, and incident response.
- Write in plain language your team will actually understand and follow.
- Get staff input, require sign-off, and keep a record.
- Review annually and after major changes to your business or the law.
- Use free ACSC templates at cyber.gov.au to avoid starting from scratch.
Want to know which areas of your business need a policy most urgently? The free assessment at flagged.com.au identifies your specific risk gaps and gives you a prioritised action list — making it much easier to know where to focus your policy-writing efforts first.