All businesses need an overview of the company's IT security policies. With an IT policy, good decisions are made to ensure security - across the organization.

What is an IT policy?

An IT policy is the management's control document for IT security in the company. The policy describes the long-term guidelines and priorities the company should follow to ensure good IT security in the company.

The IT policy should clearly and simply describe the considerations and security principles that the company relies on to ensure goals and values. The policy should, among other things, describe the overall security goals for the company and address the business's risk areas. A good tip is to include some measurable goals, so that after a while, you can review whether the policy is sufficient.

The IT policy establishes the basis for the company's IT instructions, and the policy should therefore not address detailed guidelines, routines, various security measures, or describe the use of technology. This information should be found in the IT instructions. 

For the policy to function as a useful IT tool, it is important that it is anchored in the entire company - not just in management. The policy must be made available to the employees so that they can familiarize themselves with it and work according to the guidelines stated there. An IT policy should be short, concise, and preferably not described in more than two A4 pages. 

Why do you need an IT policy?

As mentioned, the IT policy is the management's control document for IT security, and the IT instructions describe the guidelines and security measures in detail. So if there is a detailed instruction, why would you need a policy?

Well, the IT policy provides all departments in the company with a common security platform to work from. With a set of common guidelines, good decisions and consistent choices can be made regarding IT security. This makes it easier when purchasing digital services and equipment, or entering into supplier agreements and new collaborations.