TL;DR: Every business needs written IT policies, but most businesses do not have them because writing them from scratch is time-consuming. This template bundle gives you all ten essential IT policies in a ready-to-customise format — just add your company name and review the placeholder text.
Why Your Business Needs Written IT Policies
Ask most business owners whether they have IT policies and you will get one of three responses: a blank stare, a vague reference to something in the employee handbook, or a confident “yes” followed by an inability to locate the documents.
Written IT policies matter for three reasons. First, they reduce legal liability by establishing that employees were informed of their obligations. Second, they are required by most cyber insurance policies - an insurer who discovers you have no documented policies may deny a claim. Third, they are required for compliance with frameworks including the ACSC Essential Eight and various industry-specific regulations.
The good news is that you do not need to write these from scratch. This template bundle gives you ten professionally drafted policies ready to customise for your organisation.
Policy 1: Acceptable Use Policy
The Acceptable Use Policy (AUP) is the foundational IT policy. It establishes the rules for how employees may use company technology, and it is the policy that underpins disciplinary action when those rules are violated.
What your AUP must cover:
- Permitted and prohibited uses of company devices, internet, email, and software
- Privacy expectations - employees should have no expectation of privacy on company systems
- Personal use - whether and to what extent personal use of company IT is permitted
- Consequences of violation - the disciplinary consequences of policy violations
- Monitoring - whether and how company systems are monitored
Common AUP mistakes to avoid:
The most common AUP mistake is being either too broad (“use technology responsibly”) or too specific (listing every prohibited website). The right level of specificity covers categories of prohibited behaviour without attempting to enumerate every possible violation.
Policy 2: Password and Authentication Policy
With credential-based attacks accounting for the majority of successful breaches, a clear, enforced password policy is essential.
Minimum requirements for a 2026 password policy:
- Minimum 14 characters (not 8 - modern attacks trivially crack 8-character passwords)
- No requirement for regular rotation (NIST now recommends against periodic rotation - it leads to predictable patterns like “Summer2026!”)
- Mandatory Multi-Factor Authentication on all business systems
- Prohibition on password reuse across work systems
- Requirement to use a password manager to generate and store complex, unique passwords
- Immediate password reset requirement for any suspected compromise
A note on MFA: Your password policy should explicitly require MFA, specify which systems require it (all of them), and specify what counts as acceptable MFA (authenticator app or hardware key preferred; SMS as a minimum fallback).
Policy 3: Data Classification Policy
Not all data is equal. Customer financial records are not the same as the office Wi-Fi password. A data classification policy creates a shared language for how sensitive different types of information are and how each category must be handled.
A practical four-tier classification system:
Public - Information intended for public release (website content, press releases). No special handling required.
Internal - General business information not intended for external distribution (internal procedures, staff directories). Store on company systems; do not share externally without need.
Confidential - Sensitive business information (financial records, client data, contracts). Encrypt in transit and at rest; access on a need-to-know basis; do not store on personal devices.
Restricted - The most sensitive information (legal privileged documents, certain health records, board papers). Same as Confidential plus additional controls: no access from unmanaged devices, additional authentication required, specific approved storage locations only.
Policy 4: Bring Your Own Device (BYOD) Policy
If your employees use personal devices for work - even just checking work email on their personal phone - you need a BYOD policy. Without one, you have no basis for enforcing security requirements on those devices and no ability to remotely wipe company data when an employee leaves.
Core BYOD policy requirements:
- Which personal devices are permitted for work use
- Required security configuration (PIN/password, encryption, up-to-date OS)
- Required software (Microsoft Intune for MAM, antivirus)
- What company data may be accessed from personal devices
- Employee consent to remote wipe of company data (not the whole device) on termination
- What happens to company data when an employee leaves
The key BYOD distinction: Mobile Application Management (MAM) allows your IT provider to manage only the company apps and data on a personal device, without enrolling the whole device. This is the right approach for BYOD - it protects company data while respecting employee privacy on personal devices.
Policy 5: Remote Work and Work From Home Policy
With hybrid work now the norm for most professional services businesses, a remote work IT policy is no longer optional.
What your remote work policy must address:
- Approved networks: Company VPN required for access to sensitive systems; home Wi-Fi is acceptable only with the VPN connected; public Wi-Fi prohibited for work use
- Device requirements: Only company-managed devices (or BYOD-enrolled personal devices) for accessing company systems
- Physical security: Screen privacy when working in public; locking screens when stepping away; positioning screens so that passers-by cannot shoulder surf or read them
- Incident reporting: How to report a suspected security incident when working remotely
- Home network security: Recommended router configuration for home offices
For a complete remote worker security kit including this policy template, device checklist, and VPN guide, see the Remote Work Security Kit.
Policy 6: Incident Response Policy
When a cyber incident occurs, every minute of uncertainty costs money. A documented incident response policy ensures that when something goes wrong, your team knows exactly what to do, who to call, and in what order.
The five phases every incident response policy must cover:
- Identification: How do we know something has happened? Who receives alerts? What are the escalation triggers?
- Containment: Isolating affected systems before the incident spreads. Who has authority to disconnect systems?
- Eradication: Removing the threat. This is the technical remediation phase.
- Recovery: Restoring systems from clean backups and returning to normal operations.
- Post-incident review: What happened? What do we do differently next time?
Critical: keep your incident response contacts offline. An incident response plan stored only in cloud systems is useless when those systems are down. Print the key contacts and keep a physical copy in your office.
For a detailed step-by-step incident response guide, see the Cyber Breach Response Playbook.
Policy 7: Software Installation Policy
Unapproved software is one of the most common sources of malware infections in SMB environments. A software installation policy combined with application control technology closes this attack vector.
What the policy must address:
- Who is authorised to approve software for installation on company devices
- The process for requesting approval (submit to IT, reviewed within X business days)
- Prohibition on installation of unapproved software
- Prohibition on free/consumer software with bundled adware
- Handling of software trials and evaluation licences
- Licence compliance obligations
Technology note: Software policy works best when enforced technically. Application control via Microsoft Intune (part of Microsoft 365 Business Premium) can prevent the installation of unapproved applications without requiring employees to remember the policy.
Policy 8: Email and Communication Policy
Email is simultaneously the most critical business communication tool and the highest-risk attack surface. A clear email and communication policy sets expectations and reduces risk.
Essential email policy provisions:
- Company email is for business use; limited personal use is acceptable if it does not interfere with work
- Employees have no expectation of privacy in company email
- Prohibition on forwarding confidential information to personal email accounts
- Prohibition on unencrypted transmission of sensitive data (specific data categories)
- Obligations around suspicious email reporting
- Prohibition on clicking links or opening attachments from unverified sources
Include a BEC awareness clause: Given the prevalence of Business Email Compromise in Australia, explicitly require phone verification (to a known number, not one in the email) for any payment instruction received by email, regardless of apparent sender.
Policy 9: Social Media Policy
An employee who posts confidential business information on LinkedIn or makes comments that damage your brand creates reputational and legal risk. A social media policy establishes boundaries without being unnecessarily restrictive.
What the policy needs to cover:
- Employees may identify their employer but must make clear their views are personal
- Prohibition on sharing confidential business information, client details, or non-public financial information
- Prohibition on making disparaging statements about clients, competitors, or colleagues
- Prohibition on impersonating the company or speaking on its behalf without authorisation
- Photography and video in the workplace - what can and cannot be shared
Policy 10: Data Retention and Disposal Policy
Data you no longer need is still a liability. If you retain customer data indefinitely, you increase the scope of any breach and may be in violation of the Privacy Act 1988. A data retention policy sets clear timelines for how long different categories of data are kept and how they are securely disposed of.
Minimum requirements:
- Retention schedules by data category (7 years for financial records, consistent with ATO requirements; varies by industry for other data types)
- Secure disposal procedures for physical media (shredding for documents; certified data destruction for hard drives)
- Cloud data deletion procedures - what happens to cloud data when you cancel a subscription?
- Employee data retention on departure - what is kept and for how long?
Getting Your Policies Used, Not Just Written
A policy document that sits in a drawer is worthless. For policies to be effective:
- Employees must read and sign them. Include IT policy acknowledgement in your onboarding paperwork and get a signature.
- Policies must be accessible. Store them on your intranet or SharePoint where employees can find them.
- Policies must be reviewed annually. The technology landscape changes; policies written in 2022 may be materially outdated.
- Violations must have consequences. A policy is only as strong as its enforcement.
If you need help implementing the technical controls that enforce these policies - such as application control, device management via Intune, and email security configuration - book a Right Fit Call with CX IT Services.