Company IT & Security Policy

2025/2026 Example IT & Security Policy for SME using MS365

This document may not be redistributed but can be used or modified for internal business use.


I. Access and Security: The First Line of Defence

The security of our company’s IT infrastructure relies on controlled access and empowered employees serving as our first line of defence. Failure to comply can result in legal action and significant costs to the company from regulatory fines, service fees, and intellectual property loss.

1. Securing Your Accounts: Passwords, Passkeys & 2FA

This policy applies to all accounts used for work, including internal company systems (e.g., Office 365, Windows Login) and any external websites or services. Your credentials are the primary key to company data, and securing them is your most critical responsibility.

  • A. Credential Strength & Uniqueness
    • Passwords: Where used, passwords must be a minimum of 12 random characters, containing a mix of uppercase letters, lowercase letters, numbers, and symbols (if possible).
    • Passkeys: Where available, using a Passkey is a preferred and highly secure alternative to a traditional password.
    • Uniqueness: You must use a completely different, unique password or passkey for every single website and service. Reusing credentials, even for non-critical sites, is a serious security violation.
  • B. Mandatory Two-Factor Authentication (2FA)
    • 2FA (or a Passkey) must be enabled on all company systems and any external service that supports it. This is a critical layer of security.
    • Once enabled, you must never disable, delete, or remove 2FA or its associated authenticator app from your mobile device. Disabling 2FA on high-risk systems (Email, OneDrive, SharePoint, etc.) puts the entire company at immediate risk of cyber infiltration and data theft.
  • C. Secure Credential Management
    • Approved Tools: To comply with these rules, all passwords must be generated, stored, and managed using one of two IT-approved methods:
      1. The Microsoft Edge browser’s password manager, synced to your 365 profile.
      2. An IT-sanctioned password manager, such as ProtonPass.
    • Prohibited Storage: Do not write passwords down on sticky notes, in unsecured files, or use any unapproved storage method.
    • IT Recovery: When using an IT-sanctioned password manager like ProtonPass, you must set the IT Department as the emergency recovery contact.
    • Your Responsibility: You are responsible for all activity conducted using your credentials. Passwords and 2FA codes must never be shared with anyone.

2. Lock Screens When Away

You must lock your computer and mobile devices whenever you step away from your desk in an environment where a third party can access your desktop or if you maintain confidential company data. It is also possible to set a screensaver to auto-lock after 2-3 minutes.

  • How-to: On a Windows PC, press Ctrl + Alt + Del and select ‘Lock’.

3. Report Lost or Stolen Devices Immediately

Any company-issued or personal device used for work that is lost or stolen must be reported to the IT Department without delay.

4. Beware of Phishing and Social Engineering

Be vigilant against unsolicited emails, messages, or calls asking for sensitive information. Report any suspicious communication to the IT Department immediately.

  • Browser Practices: The designated and required search engine is Google, which must be used with the Microsoft Edge browser (no other browsers are allowed). The browser must be synced to your 365 profile. You must be able to distinguish between a paid advertisement link and a natural search result. Never click on search result adverts, as attackers can place fake adverts that redirect you to a malicious site.
  • Browser Extensions: No browser extensions are permitted except for the single, IT-approved antivirus extension. This means no voucher, shopping, ad-blocking, grammar-helper, or any other extensions.
  • Email Link and Attachment Safety: Do not click on links or open attachments in any email, even if it appears to be from another staff member, an accounts department, or the company owner. If an email prompts you to “log in” to view a document—this is a major red flag. Always verify the request through a separate communication channel (e.g., a phone call) before taking any action.

5. Secure Wi-Fi Usage

Public Wi-Fi networks must not be used for accessing sensitive company data. When working remotely, you must use a secure, password-protected network or the company-provided Virtual Private Network (VPN).

  • Internal office Wi-Fi passwords should never be shared. Use the designated Guest Wi-Fi network for any third-party access.

6. Principle of Least Privilege

Employees will only be granted access to the data and systems necessary for their job. If you find you have access to a system or data that you believe you should not have, you must report this to the IT Department immediately.


II. Acceptable Use of Company Resources: Setting Clear Boundaries

This section defines how company-owned hardware, software, and internet access can be used to maintain productivity and prevent misuse.

  • Notice of Monitoring: Please be advised that all company-provided resources and systems—including office computers, mobile phones, calls, and internet usage—are subject to monitoring. This is done to ensure compliance with company policies, protect against security threats, and maintain system integrity. Employees should have no expectation of privacy when using company equipment or networks. (This is a legally accepted expectation in UK law).

7. Business Use is Priority

Company-provided IT resources are for business purposes. While minimal personal use may be acceptable, using company devices or accounts for significant personal activities (such as managing a personal business, extensive social media, or storing a large personal media library) is strictly prohibited.

8. Prohibition of Illegal Activities

Company resources must not be used for any illegal activities, including downloading copyrighted material, harassment, or accessing inappropriate content.

9. No Unauthorized Software or System Changes

  • You are prohibited from installing any software or browser add-ons without prior IT approval.
  • You are prohibited from installing alternative web browsers or changing the IT-configured default browser.
  • You are not allowed to use your work credentials to grant access to or sign up for unauthorised third-party systems.

10. Off-Site Equipment Policy

When any company equipment (e.g., laptops, mobile phones, motor vehicles) is taken away from the work environment, the following rules apply:

  • The equipment must be formally signed out.
  • It must not be used by any third party, including family, friends, or children.
  • No additional software may be installed, nor remote access granted, without explicit IT approval.
  • It should only be kept off-site for the period that is absolutely necessary for your work.
  • GPS tracking, where available, must be enabled and never disabled.
  • Ownership and Responsibility: All equipment remains the property of the company. Failure to return equipment is considered theft and will be treated accordingly.

11. Responsible Internet and Application Usage

  • Prohibited Content: Using any device on the company network to access, download, or distribute explicit, offensive, or objectionable material is strictly forbidden.
  • Productivity: Browsing social media sites, non-work-related websites, or using personal apps during work hours is prohibited, except during designated break times.
  • Network Performance: Excessive personal internet usage that impacts network performance is not permitted.

12. Professional Digital Conduct

  • Communications: All communications on company platforms must be professional and respectful.
  • Social Media: Be mindful of your social media presence (text, video, or images). Do not post confidential company information, never post about any other staff member without their permission, and never post content that could damage the company’s reputation, as this may result in legal action.

13. Respect for Copyright and Intellectual Property

Unauthorized copying or distribution of copyrighted materials is prohibited.


III. Data Handling and Protection: Safeguarding a Critical Asset

Protecting company and customer data is a legal and ethical obligation.

14. Data Classification

You must be aware of the sensitivity of the data you handle and treat it accordingly.

15. Secure Data Storage

Sensitive data must only be stored on company-approved servers, cloud storage, or encrypted devices. Storing sensitive data on personal devices or unapproved services is prohibited.

16. Data Encryption

All company laptops (that leave the business for any period) and mobile devices that store or access sensitive data must be encrypted.

17. Secure Data Transfer

When sending sensitive data, you must use encrypted email or other secure transfer methods approved by IT.

18. Proper Data Disposal

Printed documents with sensitive information must be shredded. Electronic files must be securely deleted.

19. Regular Data Backups

You are responsible for ensuring your critical work files are saved in designated network locations (e.g., OneDrive, SharePoint) for regular backup by IT.

20. Prohibition of Unauthorized Data Sharing

Company data must not be shared with unauthorized individuals or external parties. This is a strict legal requirement.

21. Reporting Data Breaches

Any suspected or confirmed data breach, no matter how small, must be reported immediately to the IT Department.


IV. Mobile & Personal Device Security: Managing a Modern Workforce

These rules manage the risks associated with using mobile and personal devices for work.

22. Mandatory Passcodes/Biometrics

All mobile devices used to access company data must be secured with a strong passcode or biometric authentication.

23. Personal Device Security Requirements (BYOD)

Personal devices used to access company data must comply with these standards:

  • The device must not be jailbroken or rooted.
  • It must not contain illegal software, peer-to-peer (P2P) clients, or hacking tools.
  • Unauthorised third-party remote access software is prohibited.
  • The operating system and all apps must be kept up-to-date.
  • It must have an IT-sanctioned antivirus application installed and running correctly. (Exceptions: iPhones and iPads. This is mandatory for all other computers and devices, including Android phones).

24. Approved Applications Only

Only company-approved applications should be used for work-related tasks on any company or personal device.

25. Regular Software Updates & Restarts

You must keep all work-related devices up-to-date.

  • Weekly Restarts: A weekly ‘Restart’ (not Shutdown) of your computers, whether Windows or Mac, is required.
  • Monthly Updates: Mobile device operating system updates must be performed when available or monthly.

26. Remote Wipe & Lock Capability

The IT department must have the capability to remotely lock or wipe company data from any device in case of loss or theft.


V. Software and System Management: Maintaining a Healthy IT Ecosystem

Ensuring the smooth operation of company systems requires your cooperation.

27. Adherence to Software Licensing

All software must be properly licensed. Use of pirated software is strictly prohibited.

28. System and Software Update Management

  • IT-Managed Updates: You must allow the automatic installation of updates pushed by the IT Department.
  • User-Initiated Updates: You are prohibited from manually upgrading software without prior IT approval.
  • Specific Instruction – Outlook: At this time, you must not switch to the “New Outlook” toggle. Continue using the standard, IT-deployed version of Microsoft Outlook Classic.

29. Maintenance

  • Weekly Reboots: Make sure you restart your PC once per week, ideally on Friday.
    This means clicking the ‘Start’ icon, then the ‘Power’ button, and then ‘Restart’ – NOT Shutdown.

30. Working with the IT Department

  • Reporting Problems: You must report any IT issues to the helpdesk in a timely manner.
  • Cooperation with Audits: You are expected to cooperate fully with any IT audits.

VI. Offboarding and Return of Company Assets

The following procedures are mandatory upon the cessation of employment or in the event of company liquidation.

  • Immediate Return of Assets: Upon termination of employment for any reason (including resignation), all company equipment, data, and assets must be returned to the company immediately.
  • Disclosure of Company Data: Employees must declare any company data stored on personal devices or in personal accounts. This data must be securely transferred back to the company and/or permanently erased under the guidance of the IT department.
  • Preservation of Access: It is strictly prohibited for an employee to change passwords, delete accounts, or take any action that would prevent or obstruct the company owner or IT department from accessing any company-related system, account, or data. All access credentials and systems must be left fully intact and accessible.


IT & Security Policy Acknowledgement

By ticking these boxes, I confirm that I have read, understood, and agree to comply with the following key points of the Company IT & Security Policy.

Access & Credentials

[  ] 1. I will use passwords that are 12+ characters long with a mix of character types.

[  ] 2. I will use a completely unique password for every website and service.

[  ] 3. I will enable Two-Factor Authentication (2FA) or Passkeys on all accounts wherever available.

[  ] 4. I will never disable 2FA or delete the authenticator application from my device.

[  ] 5. I agree to store all passwords exclusively in the Edge browser profile or an IT-approved password manager.

[  ] 6. I will never share my passwords or 2FA codes with anyone, including other staff.

[  ] 7. I will always lock my computer screen (Ctrl + Alt + Del) when I step away from it.

[  ] 8. I will report any lost or stolen company device to the IT Department without delay.

Online Security & Browsing

[  ] 9. I agree to use only the Microsoft Edge browser for all work-related activities.

[  ] 10. I will not install any browser extensions, except for the single IT-approved antivirus extension.

[  ] 11. I understand I must not click on paid advertisements in search results.

[  ] 12. I will treat unexpected emails with suspicion and will report any suspected phishing attempts.

[  ] 13. I will verify requests to click links or open attachments before doing so.

[  ] 14. I will not use public or unsecured Wi-Fi for accessing sensitive company data.

Software & Acceptable Use

[  ] 15. I understand that company IT resources are primarily for business use and are subject to monitoring.

[  ] 16. I will not use company systems to download copyrighted material or access inappropriate content.

[  ] 17. I will not install any software, applications, or new browsers without direct approval from IT.

[  ] 18. I will not use my work credentials to sign up for unauthorised third-party systems or services.

[  ] 19. I agree to allow IT to manage all system updates and will not perform manual upgrades.

[  ] 20. I will restart my computer and mobile devices at least once a week.

Data & Device Management

[  ] 21. I will save all critical work files only in approved locations like OneDrive or SharePoint.

[  ] 22. I understand company data must not be shared with unauthorised individuals or external parties.

[  ] 23. I will report any suspected data breach to the IT Department immediately, no matter how small.

[  ] 24. I will secure any mobile or personal device used for work with a strong passcode or biometrics.

[  ] 25. I confirm any personal device used for work will have up-to-date software and IT-approved antivirus.

General Compliance & Offboarding

[  ] 26. I agree that company equipment must not be used by third parties, including family and friends.

[  ] 27. I will cooperate fully with any IT department audits and will report technical problems promptly.

[  ] 28. I agree to return all company assets immediately upon termination of my employment.

[  ] 29. I understand that I am forbidden from changing passwords or deleting data to obstruct company access.

[  ] 30. I acknowledge that non-compliance with these policies can lead to disciplinary and/or legal action.

Policy Acknowledgement and Agreement

By signing below, I acknowledge that I have received, read, and fully understood the terms of the Company IT & Security Policy.

I agree to abide by all the rules, regulations, and guidelines outlined in this document as a condition of my employment and my access to the company’s IT resources, networks, and data.

I understand that my compliance is mandatory and that failure to adhere to this policy may result in disciplinary action, up to and including termination of my employment, and may also lead to legal and/or financial liability.

Employee Name (Printed): ____________________________________________

Employee Signature: ____________________________________________

Date: ____________________________________________
