How to Create IT Policies for Your Organisation
Why IT Policies Matter for Small Teams
"We do not need written policies — we are only 20 people." This is the most common mistake small business IT leaders make. Without written policies, every decision is made in the moment, inconsistently. Different IT team members enforce different rules. Employees do not know what is expected of them. When something goes wrong, there is no policy to point to as the standard that was violated. Written policies create consistency, accountability, and a baseline for compliance certifications.
Which Policies Every SME Needs
Start with these five essential policies:
Acceptable Use Policy — what employees can and cannot do with company IT resources (internet, email, devices).
Password and Account Policy — password requirements, MFA requirements, account lockout rules, shared account prohibition.
Data Classification and Handling Policy — how data is classified (public, internal, confidential, restricted) and how each classification must be handled.
Incident Response Policy — what constitutes a security incident, how to report it, who responds, and what the response process is.
Asset Management Policy — how assets are procured, assigned, tracked, maintained, and disposed of.
Policy Writing Template
Every policy should have:
Purpose — one paragraph explaining why this policy exists and what problem it solves.
Scope — who this policy applies to (all employees, contractors, specific departments).
Policy Statement — the actual rules, written in clear, actionable language. Use "must" and "must not" rather than "should" and "may."
Roles and Responsibilities — who is responsible for implementing, enforcing, and updating this policy.
Enforcement — what happens if the policy is violated (disciplinary action up to termination for serious violations).
Review Schedule — how often this policy will be reviewed and updated.
Making Policies That Get Followed
Keep policies concise — one policy per topic, 1-2 pages maximum. Use plain language, not legalese. Employees should understand what is required without a law degree. Involve stakeholders in policy creation — the finance team should have input on procurement policy, HR on acceptable use policy. Communicate new policies with a summary email and a 15-minute Q&A session. Require annual acknowledgment — every employee signs or clicks that they have read and understood each policy. Store all policies in a central, accessible location (knowledge base, intranet, shared drive).