Compliance guide

Cyber Security Policy Template

A cyber security policy sets out how your business protects its systems, data and people from digital threats. Whether a customer asks for a cyber security, information security or IT security policy, they mean the same core document, and this guide gives you a free template, a framework map, and a done-for-you option.

Key takeaways

  • A cyber security policy is the umbrella document that states your security commitments and points to the specific rules behind them (passwords, access, data, incidents).
  • Cyber security, information security (infosec) and IT security policy are used interchangeably; an ISMS policy is the same thing framed under ISO 27001.
  • It's now a routine ask in customer security reviews, vendor questionnaires and tenders, often before anyone will share data with you.
  • It usually references a framework: ISO 27001/27002, the NIST Cybersecurity Framework, CIS Controls, SOC 2, or a national baseline like the UK's Cyber Essentials or Australia's Essential Eight.
  • Start with this overarching policy, then add the supporting policies it links to below.

What is a cyber security policy?

A cyber security policy is a written document that sets out how your organisation keeps its information and systems secure, who is responsible, and what everyone is expected to do. It's the high-level statement that ties together the more specific rules, like how passwords work, who can access what, how data is handled, and what happens when something goes wrong.

For most small and medium businesses it's the document a customer's security team asks for before sharing data or signing a contract. A clear, genuine policy that reflects how you actually work beats a long generic one.

This is a practical guide, not security or legal advice. If you handle regulated data (health, payment card, government), check the specific standard that applies to you.

Cyber security vs information security vs IT security policy

These terms overlap so much that, for a policy document, you can treat them as the same thing:

  • Information security policy (infosec), the broadest term; protecting information in any form, including paper. It's the language ISO 27001 uses.
  • Cyber security policy, focuses on protection from digital/online threats. The most common search term and the one customers tend to use.
  • IT security policy, frames it around your IT systems and technology specifically.
  • ISMS policy, the top-level policy within an Information Security Management System under ISO 27001, again, the same core document.

Pick the title your customers use most. The content matters far more than the label.

Frameworks a cyber security policy can reference

You don't need certification to align your policy with a recognised framework, and naming one tells a reviewer you understand the standard they care about:

  • ISO/IEC 27001 & 27002, the international standard for information security management systems (27001 sets the ISMS requirements, 27002 is the guidance catalogue of controls it draws on).
  • NIST Cybersecurity Framework (CSF), a widely used model organised around the functions Govern, Identify, Protect, Detect, Respond and Recover (Govern was added in CSF 2.0; older questionnaires may still list the original five).
  • CIS Controls, a prioritised, practical set of safeguards, grouped into implementation groups so smaller teams can start with the basics.
  • SOC 2, common in software/SaaS; strictly an audit report against the AICPA Trust Services Criteria rather than a control catalogue, with Security the criterion every SOC 2 report must cover.
  • National baselines, the UK's Cyber Essentials (NCSC) and Australia's Essential Eight (ACSC), are pragmatic starting points.
If a customer's questionnaire mentions a specific framework, mirror its language in your policy. It makes their review faster and your answer more credible.

What to include: cyber security policy template structure

Adapt this outline. Keep the main policy readable, then let the supporting policies hold the detail:

  1. Purpose and scope, why the policy exists and who/what it covers (staff, contractors, systems, data).
  2. Roles and responsibilities, who owns security and what every worker must do.
  3. Acceptable use, how company systems, devices and internet/email may be used.
  4. Access control, the principle of least privilege and how access is granted and removed.
  5. Passwords and authentication, password rules and multi-factor authentication.
  6. Data protection and classification, how information is classified, stored, shared and disposed of.
  7. Devices and endpoints, laptops, mobiles, BYOD, updates and anti-malware.
  8. Network and remote working, secure connections, Wi-Fi and working away from the office.
  9. Incident response, how security incidents are reported and handled.
  10. Backups and continuity, how data is backed up and restored.
  11. Third parties and vendors, security expectations for suppliers with access to your data.
  12. Awareness and training, how staff are trained to spot phishing and other threats.
  13. Compliance, monitoring and review, the framework you follow, how you monitor, and how often you review the policy.
Reviewers look hardest at access control, passwords/MFA, data handling and incident response. Make those concrete rather than aspirational: name the MFA method you require, how often access is reviewed and who removes it when someone leaves, how data is classified and where each class may be stored, and the channel and timescale for reporting an incident.

Download the editable cyber security policy template

Add your email and we'll send the full cyber security policy template in Word and PDF, structured so you can drop in the supporting policies below.

Supporting policies

The overarching policy works best when a handful of specific policies sit beneath it. The most commonly requested are the password, access control, data protection, incident response and network/remote working policies, each with its own free template.

How to implement your cyber security policy

A policy only reduces risk if people follow it and it reflects what you actually do.

  1. Pick a framework to anchor to. Choose the framework your customers care about (ISO 27001, NIST CSF, Essential Eight) and align your language to it.
  2. Adapt the policy to your business. Reflect your real systems, tools and ways of working rather than describing an idealised setup.
  3. Add the supporting policies. Put the password, access, data, incident and network policies in place beneath it.
  4. Approve and communicate. Have it approved by management, then share it and cover it in induction.
  5. Train your team. Run basic awareness training; phishing is still the most common way in.
  6. Review regularly. Review at least annually and after any incident or major system change.

Free template vs done-for-you document

Comfortable adapting it and writing the supporting policies yourself? The free template is all you need. Facing a customer security review with a deadline? The done-for-you version arrives written and aligned to your framework.

                             Free template            Done-for-you document
  Price                      £0                       Fixed fee
  Effort from you            A day or two editing     A short intake form
  Aligned to a framework     You map it               ISO 27001 / NIST / Essential Eight
  Supporting policies        You write them           Included as a set
  Security-review ready      Format it yourself       Supplied as a clean PDF
  If a reviewer pushes back  You fix it               We revise it free

Prefer your cyber security policy done for you?

Tell us about your systems and the framework your customers ask about, and we'll prepare a tailored cyber security policy (with the supporting policies) built to pass security reviews.

Requests for the cyber security policy are reviewed and prepared manually; we'll follow up by email.

Frequently asked questions

Is this cyber security policy template free?
Yes. The structure, the framework guidance and the supporting-policy outline are free to use. The only paid option is having a tailored set prepared for you.

Is a cyber security policy the same as an information security policy?
For most businesses, yes. Information security is technically the broader term (it covers information in any form), but as policy documents the two, plus an IT security policy and an ISO 27001 ISMS policy, cover the same ground. Use the title your customers use.

Does a small business really need one?
If customers share data with you or you bid for work, almost certainly. Security questionnaires and tenders routinely ask for a cyber security policy, and having one ready wins time and trust.

Which framework should I reference?
Pick the one your customers mention. ISO 27001 and the NIST CSF are the most common internationally; Cyber Essentials (UK) and the Essential Eight (Australia) are pragmatic baselines. You can align to a framework without being certified.

How long should it be?
Keep the overarching policy short and readable, often just a few pages, and let the supporting policies carry the detail. Clarity and accuracy matter more than length.