Cybersecurity Policy Checklist
A simple starting point for small and mid-sized businesses. You don’t need everything—start with what matters most.
Core Policies
| Policy | Description | In Place |
|---|---|---|
| Acceptable Use | How employees use systems, email, and internet | |
| Password / MFA | Password rules and multi-factor authentication | |
| Access Control | Who has access to what systems and data | |
| Device Security | Laptops, phones, and endpoint protection | |
Data & Risk
| Policy | Description | In Place |
|---|---|---|
| Data Protection | How sensitive data is stored and handled | |
| Backup & Recovery | Backup frequency and restore capability | |
| Vendor Management | Tracking and evaluating third-party risk | |
| Risk Management | Identifying and tracking key risks | |
Incident Readiness
| Policy | Description | In Place |
|---|---|---|
| Incident Response | Steps to take during a security event | |
| Security Awareness | Basic employee training (phishing, etc.) | |
| Logging & Monitoring | Ability to detect suspicious activity | |