IT Policy: A Guide For Small Business Leaders

Business Insights
22/03/2023

As a small business owner, there are likely to be several challenges you are trying to get on top of this year. You may not have thought too much about your in-house IT policy yet. This is an integral part of your business and getting it wrong could damage the reputation of your business and drain resources further down the road. For that reason, we have put together a guide on how you can craft your IT policy with the help of an ISO 27001 certification. So, read on.


Policies Say What You Do

Policies are written statements about what we do. You will be familiar with policies such as HR policies, but perhaps you haven't considered a policy for IT. We should have policies that set out what we do in certain situations, but they do not include how we do it. How we do it is covered in our processes and our process documents.


Why Policies?

If we have a policy that says what we do, we can share that with people. We can share it with people to explain what is expected of them. We can share it with people to explain how we go about things.


As a small business we cannot really expect people to know what is expected of them unless we tell them.


What Policies Should We Have?

When it comes to IT, the ISO 27001 standard is a great place to start for identifying what policies you need. As the international standard for information security, it is a great baseline and benchmark for controls, processes and policies you should have in place.


Policies and Customers

One of the biggest requests for policies will be from customers and potential customers. Customers and potential customers will be very keen to understand how you approach certain topics and having policies may well be a condition of sale. As you start to grow you will come across this more and more.


Should you write policies from scratch?

Policies are not particularly difficult documents to create, although they can be time consuming. As a rule, policies are fairly standard documents, so there is an argument for buying policy templates. They should come prewritten, with only minor tweaks needed to make them relevant to you. Whether you write them yourself or download policy templates, these are our top tips:


Policies Top Tips

  • Review and update them every year

  • Share them with the people that need to know

  • Have staff acknowledge that they have read and accept them


What can go wrong if you don't have policies?

There are several things that can go wrong if you don't have policies in place. It could be that staff and people that work for you don't know what is expected of them. It isn't always safe to assume that they do. Unless you have told them there is always a grey area.


When things get a bit more serious and you are in a position that you might need to invoke a disciplinary process, this can be almost impossible, unless you have told people what is expected.


Finally, without policies it may well be that you go for a piece of work with a potential new customer who requests them, and you are unable to progress to the sale.


Are Policies Dusty Shelf-ware?

They can be. There can be a perception that policies are unwieldy documents, rarely looked at, that sit on a shelf gathering dust. It can be argued that such policies are not fit for purpose, or that whoever wrote them never understood what the purpose of an IT policy is. But a well-crafted policy, tailored to what you actually do, communicated, and acknowledged can have incredible benefits and help you avoid some simple, yet all too common, business pitfalls.


Author: Stuart Barker | Director at High Table the ISO 27001 Company: https://hightable.io