1. The “Must Haves”

These six create the foundation of IT governance and protect against the most common risks SMBs face

• Acceptable Use Policy (AUP): Sets rules for how employees use company systems, email, and internet access.
• Password / Authentication Policy: Defines password requirements, MFA use, and account security.
• Access Control Policy: Manages user permissions, account creation, and termination processes.
• Data Backup & Retention Policy: Ensures data is regularly backed up, retained properly, and recoverable.
• Incident Response Plan (IRP): Provides clear steps to follow during a cybersecurity or IT incident.
• Business Continuity & Disaster Recovery (BCDR): Outlines how the business will continue operating during outages or disasters.

2. Core IT & Security Policies

• Access Control Policy
• Password / Authentication Policy
• Data Classification & Handling Policy
• Encryption Policy
• Endpoint Security Policy
• Network Security Policy

3. Operational & Usage Policies

• Remote Work / Telecommuting Policy
• Email & Communication Policy
• Bring Your Own Device (BYOD) Policy
• Software Usage & Licensing Policy
• Change Management Policy

4. Compliance & Risk Policies

• Vendor & Third-Party Risk Management Policy
• Privacy Policy (internal)
• Log Retention & Monitoring Policy
• Backup & Retention Policy
• Patch & Vulnerability Management Policy

5. Incident & Continuity Policies

• Incident Response Plan (IRP)
• Business Continuity & Disaster Recovery (BCDR)
• Disaster Recovery Testing Policy
• Physical Security Policy