So you have company policies coming out of your ears, and now you have been told that you need a whole new bunch of IT paperwork on top of it all? Worse still – your clients are asking to see the new paperwork. Where do you start and what do you really need? Here, we start by taking a look at the key IT-related policies and procedures you should have in your business and why you should consider them important.

Business continuity plan

Contrary to the belief of some businesses, this is not actually an IT-specific document. Essentially it is a plan to keep your business running should certain events occur that you believe pose a high risk to the ongoing provision of your goods or services. In short, it is pretty much the most important document you can have in your business.

Of course IT will form a big part of this. Your business will rely heavily on IT, and the failure of these systems is almost certainly a risk you should plan for. There are many others too – loss of access to your offices, travel disruption, loss of key staff members and failure of plant and facilities are all common risks.

Business continuity planning usually starts with a risk assessment.

IT will often play a part in mitigating the risks, or recovering from an event when the worst happens, hence its inclusion in this round-up.

Information security policy

Information is a valuable commodity, not only to your business, your clients and your staff but also to your competitors and, perhaps more worryingly, to cyber criminals. Businesses also face threats in other areas – from being held to ransom, to disruption and, most critically, to loss of reputation should a breach occur.

All of this demonstrates the importance of recording how your business protects its data and assets, how you expect your staff to look after them, your procedures around this, and what to do should an incident occur.

Your Information Security Policy is the place to record this, and it should do so in a way that your staff, clients and other business partners can understand. Your clients may well want to read this document and, if you are doing a good job of protecting your information, you should want them to.

Fair usage guidelines

Much in the same way that your staff need to know how to look after business data, they need to understand how you expect them to use the business systems in general.

This could cover a wide variety of bases – how you use the internet and social media, whether personal use of systems is allowed and, if so, in what circumstances. You could even state hours and locations of use if that is important to you.

Most businesses will have this in place in their employee handbook; however, it is worth reviewing to check that it fits the needs and culture of your business, particularly if it was provided as part of a package of HR documents.

Data breach procedure

This is a GDPR-driven procedure. In fact, you must have one to comply with the new data protection laws. Simply put, it is a plan for what you will do as a business should you have a data breach that involves personally identifiable data. Crucial to the plan is how you stop the cause of the breach, how you prevent it from happening again, and whether you need to report the breach to the data subject (the person whose data was breached) and the Information Commissioner's Office.

However, there is an opportunity to make this more than a GDPR-driven procedure. No breach of data is likely to be good for your business, so having an easy-to-follow process, which all of your team understands, can only help reduce the risk to your business.

Information asset register

Our final ‘must have’ IT governance document is your information asset register. This is an exhaustive list of all the data your business keeps, whether it falls under the domain of GDPR or not, where you keep it, how it is protected and who has access to it. Of course, if it happens to be personal data, you will need to keep the information required by GDPR as well.

Your register will be an important point of reference when carrying out business risk assessments and when planning changes to the way you use that data.


It is probably fair to say that many businesses already have documented policies and procedures, but many employees and even some management may never have seen them. Your IT governance is only effective if your staff have been trained in the policies and understand them, so it pays to keep them as clear and concise as possible.

The best approach to ensure your policies and procedures are up to date, and that you have an effective IT governance plan, is to get certified to an appropriate standard.