How to Write an Information Security Policy for a Small Business
If you've been told you need an information security policy but aren't sure where to start, you're not alone. It's one of the most commonly required documents in ISO 27001, Cyber Essentials, and supplier security questionnaires — and one of the most misunderstood.
The good news is that for a small business, an information security policy doesn't need to be a 50-page document. It needs to be clear, honest, and actually reflect how your organisation works.
What is an information security policy?
An information security policy is a document that sets out your organisation's approach to protecting its information assets. It describes what you're trying to protect, why it matters, who is responsible, and the principles that guide how you handle information security across the business.
It's not a technical document. It doesn't need to contain firewall rules or system configurations. It's a statement of intent and accountability — written for people across the business, not just the IT team.
Why do you need one?
There are three main reasons a small business needs an information security policy.
The first is certification. ISO 27001 lists a documented information security policy among its mandatory documents; without one you cannot certify. Cyber Essentials doesn't mandate a policy in the same way, but having one demonstrates a mature security posture that auditors and clients appreciate.
The second is client and procurement requirements. If you work with larger organisations, government bodies, or handle sensitive data on behalf of clients, you will almost certainly be asked to provide your information security policy as part of a supplier questionnaire or procurement process. Not having one is a red flag.
The third is internal clarity. A well-written policy removes ambiguity about what's expected of staff when it comes to handling data, using company systems, and responding to security incidents. It's the foundation everything else is built on.
What should an information security policy include?
A solid information security policy for a small business should cover the following areas:
Purpose and scope
Start by explaining what the policy is for and what it covers. Is it the whole organisation? Specific systems? All staff and contractors? Be specific about scope — a policy that claims to cover everything but was written with only the IT team in mind won't hold up under scrutiny.
Management commitment
This is often overlooked but it's one of the most important elements. The policy should be signed off by the most senior person in the business — the CEO, MD, or equivalent. ISO 27001 specifically requires evidence of leadership commitment to information security. A signature at the bottom of the policy is the simplest way to demonstrate this.
Information security objectives
What are you actually trying to achieve? Common objectives for small businesses include protecting customer data, maintaining the confidentiality of commercially sensitive information, ensuring systems are available when staff need them, and complying with relevant legislation like UK GDPR.
These don't need to be elaborate. Three to five clear objectives are enough.
Roles and responsibilities
Who is responsible for information security in your organisation? For a small business this might be the IT Manager, the Operations Director, or even the founder. Name the role and what they're responsible for. Also cover what's expected of all staff — training, reporting incidents, following acceptable use guidelines.
Key principles
This section sets out the high-level rules that govern how your organisation approaches information security. Common principles include:
- Information will be classified and handled according to its sensitivity
- Access to systems and data will be granted on a least privilege basis
- All staff will receive information security awareness training
- Security incidents will be reported and investigated promptly
- Third-party suppliers will be assessed for information security risks before engagement
- The information security management system (ISMS) will be reviewed at least annually
Legal and regulatory compliance
Reference the key legislation and standards relevant to your business. For most UK small businesses this will include UK GDPR and the Data Protection Act 2018. If you're working toward ISO 27001 or Cyber Essentials, reference those too.
Review and maintenance
State how often the policy will be reviewed and who is responsible for keeping it up to date. Annual review is the minimum for ISO 27001 compliance. If something significant changes — a data breach, a major change to your systems, or a new regulatory requirement — the policy should be reviewed sooner.
How long should it be?
For a small business, two to four pages is about right. Long enough to cover the key areas properly, short enough that people will actually read it.
The most common mistake is writing a policy that's so long and generic that nobody in the business has ever read it beyond the person who wrote it. A shorter, more specific policy that staff actually understand is far more valuable than an impressive-looking document that sits in a folder and never gets used.
Common mistakes to avoid
Copying a template without customising it is the most frequent error. Auditors can spot a generic policy immediately — they will ask questions that expose whether the document reflects reality. Make sure your policy describes how your organisation actually operates.
Forgetting to get it signed off is the second most common mistake. The policy needs a named owner and a signature from senior leadership. Without that it carries no authority.
Finally, writing it once and never updating it undermines everything. An information security policy with a review date from three years ago signals to auditors and clients that your security programme isn't being actively maintained.
Getting started
The easiest way to start is with a structured template that gives you the framework to fill in rather than a blank page. Our free ISO 27001 documentation resources include a policy template built around the requirements of ISO 27001:2022 and the realities of small business operations — download it and adapt it to your organisation rather than starting from scratch.
If you find that maintaining your policies, tracking who has read and signed them, and keeping everything audit-ready is becoming the hard part, that's exactly what SnapGRC is built for. The platform lets you build your policy library, distribute policies to staff for acknowledgement, and maintain an audit trail — without the complexity or cost of enterprise tools.