
Cybersecurity Policy Guide

Cybersecurity Policies Every Australian SMB Needs in 2026

Having the right cybersecurity policies isn't just good practice — it's increasingly required by insurers, clients, and regulators. This guide covers the 14 policies every Australian small and medium business should have, what each one must cover, and how to create them without hiring a consultant.

Why Written Policies Matter (It's Not Just Red Tape)

Many small businesses have reasonable security controls in place but lack the documentation to prove it. This creates four problems:

Insurance claims: After a cyber incident, insurers investigate whether you had appropriate controls in place. Without written policies, it's difficult to demonstrate that staff were trained, procedures were followed, or that controls existed at all. Policy gaps are a common basis for claim disputes.

Regulatory obligations: Under the Privacy Act 1988 (Cth), organisations covered by the Act must take reasonable steps to protect the personal information they hold (Australian Privacy Principle 11). The Office of the Australian Information Commissioner (OAIC) treats documented governance, policies and procedures as part of those reasonable steps, so an organisation with no written policies will struggle to show that its protection was adequate.

Staff accountability: You cannot hold an employee accountable for violating a rule that was never written down. Policies create the legal and operational foundation for disciplinary action, termination, and negligence claims.

Client and partner trust: When a potential client asks "do you have an information security policy?", being able to hand them a document — not just say "yes, we take security seriously" — is a meaningful differentiator.

Australian Legal and Regulatory Context

Privacy Act 1988 and the Notifiable Data Breaches (NDB) Scheme

If your business has an annual turnover above $3 million, or falls into a category that is covered regardless of turnover (for example health service providers, businesses that trade in personal information, credit reporting bodies and contracted service providers for Commonwealth contracts), you are covered by the Privacy Act. Under the NDB scheme you must notify affected individuals and the OAIC of eligible data breaches: unauthorised access to, unauthorised disclosure of, or loss of personal information that is likely to result in serious harm. You have up to 30 days to assess a suspected breach and must notify as soon as practicable once you conclude it is eligible. An Incident Response Policy and a Data Classification Policy are what make that assessment possible on time, because you need to know what data was involved and who decides whether to notify.

ACSC Essential Eight Framework

Several Essential Eight controls have direct policy counterparts: patching requires a Patch Management Policy; backups require a Backup Policy; MFA requires an MFA/Access Control Policy. Note that the Essential Eight Maturity Model assesses the controls as implemented (patch timeframes actually met, administrative privileges actually restricted), not the paperwork. The policies still matter: they fix the timelines, scope and exception handling that an assessor tests against, and they are the evidence that a control is deliberate rather than accidental.

Cyber Insurance Requirements

Major cyber insurers operating in Australia (including Chubb, AIG, QBE, and others) include policy documentation requirements in their application questionnaires. Common asks include: Acceptable Use Policy, Incident Response Plan, Backup Policy, and MFA Policy.

The 14 Essential Policies

Below is a plain-English breakdown of each policy — what it covers, what it must include, and why it matters for an Australian SMB.

1. Information Security Policy

The umbrella policy that defines your organisation's overall commitment to information security. Sets the tone, scope, and responsibilities for all other policies.

Must cover

  • Scope of the policy (which systems, which staff)
  • Senior management commitment
  • Roles and responsibilities
  • Consequences of non-compliance
  • Review schedule

Essential — every organisation needs this regardless of size.

2. Acceptable Use Policy

Defines what employees can and cannot do with company systems, devices, email, and internet access.

Must cover

  • Permitted and prohibited use of devices and internet
  • Personal use guidelines
  • Monitoring disclosure
  • Social media guidance
  • Consequences of violation

Essential — required by most cyber insurers and protects you in employment disputes.

3. Access Control Policy

Governs who can access what systems and data, based on the principle of least privilege.

Must cover

  • User account provisioning and deprovisioning
  • Role-based access principles
  • Access review schedules
  • Privileged access management
  • Remote access requirements

Essential — directly maps to Essential Eight 'Restrict Administrative Privileges'.

4. Password Policy

Sets minimum standards for password creation, complexity, storage, and management.

Must cover

  • Minimum length requirements (current ASD and NIST guidance favours long passphrases and screening against known-breached passwords over complexity rules and scheduled rotation)
  • Password manager usage
  • Prohibition on password sharing
  • Password reset procedures
  • Service account password management

Essential — stolen, reused and guessable passwords remain the most common route to account compromise.

5. Multi-Factor Authentication (MFA) Policy

Mandates the use of MFA across specific systems and defines acceptable MFA methods.

Must cover

  • Systems requiring MFA (email, VPN, cloud services, admin accounts)
  • Approved MFA methods, ranked by strength (phishing-resistant methods such as FIDO2 security keys or passkeys preferred; authenticator apps next; SMS codes only as a last resort)
  • Exceptions process
  • MFA recovery procedures (recovery is where attackers go once MFA blocks them, so require identity verification before any reset)

Essential — directly maps to Essential Eight 'Multi-Factor Authentication'.

6. Patch Management Policy

Defines how and when software and operating system updates are applied across the organisation.

Must cover

  • Patch classification (critical, high, standard)
  • Patching timelines per classification (for reference, the Essential Eight at Maturity Level One expects patches for internet-facing services within two weeks of release, or within 48 hours when an exploit exists)
  • Roles responsible for patching
  • Exceptions and compensating controls
  • Patch testing requirements

Essential — maps to Essential Eight 'Patch Applications' and 'Patch Operating Systems'.
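Patch timelines only help if someone checks the inventory against them. The following is an added example for this guide, not EssentialScore code and not drawn from the page: a small Python checker that applies a classification table to an asset inventory and reports each asset as compliant, late, pending, overdue, excepted or exception_expired, so that lapsed exceptions do not quietly become permanent. The SLA table, asset names, advisory identifiers and dates are constructed for illustration; the internet-facing rows mirror the Essential Eight Maturity Level One expectation (48 hours with a known exploit, two weeks without), and the remaining rows are arbitrary placeholders. Replace both the table and the inventory with your own policy and data.

```python
"""Patch SLA checker: compares an asset inventory against documented patch timelines.

Added example for this guide; it is not EssentialScore code. The SLA table and the
inventory below are constructed for illustration and are not real systems or advisories.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed policy table: maximum days from vendor patch release to deployment,
# keyed by (asset tier, exploit publicly known). The internet_facing rows follow
# the Essential Eight ML1 expectation (48 hours with an exploit, two weeks without);
# the remaining rows are illustrative placeholders for your own policy.
SLA_DAYS: Dict[Tuple[str, bool], int] = {
    ("internet_facing", True): 2,
    ("internet_facing", False): 14,
    ("internal_server", True): 14,
    ("internal_server", False): 30,
    ("workstation", True): 14,
    ("workstation", False): 30,
}

# Report order: worst categories first.
STATUSES = ("overdue", "exception_expired", "late", "pending", "excepted", "compliant")


@dataclass
class Asset:
    name: str
    tier: str                      # key into SLA_DAYS
    vuln_id: str                   # hypothetical tracking id for the vendor advisory
    exploit_known: bool
    released: date                 # date the vendor fix became available
    patched: Optional[date]        # None while the fix is still outstanding
    exception_until: Optional[date] = None  # expiry of an approved exception, if any


def sla_deadline(asset: Asset) -> date:
    """Latest date the patch may land under the policy table."""
    return asset.released + timedelta(days=SLA_DAYS[(asset.tier, asset.exploit_known)])


def evaluate(asset: Asset, today: date) -> str:
    """Classify one asset against its deadline.

    compliant / late: patch applied on or before the deadline, or after it.
    excepted / exception_expired: unpatched but under an exception, still valid or lapsed.
    pending / overdue: unpatched with no exception, deadline not yet passed or already passed.
    """
    deadline = sla_deadline(asset)
    if asset.patched is not None:
        return "compliant" if asset.patched <= deadline else "late"
    if asset.exception_until is not None:
        return "excepted" if today <= asset.exception_until else "exception_expired"
    return "overdue" if today > deadline else "pending"


def days_overdue(asset: Asset, today: date) -> int:
    """Days past the deadline as of today (0 if the deadline has not passed)."""
    return max(0, (today - sla_deadline(asset)).days)


def report(assets: List[Asset], today: date) -> Dict[str, List[str]]:
    """Group asset names by status, keeping inventory order within each group."""
    grouped: Dict[str, List[str]] = {status: [] for status in STATUSES}
    for asset in assets:
        grouped[evaluate(asset, today)].append(asset.name)
    return grouped


# Constructed inventory; names, advisory ids and dates are invented for the example.
TODAY = date(2026, 3, 2)
INVENTORY = [
    Asset("web-01", "internet_facing", "ADV-0001", True, date(2026, 2, 20), date(2026, 2, 21)),
    Asset("web-02", "internet_facing", "ADV-0001", True, date(2026, 2, 20), None),
    Asset("ws-fin-07", "workstation", "ADV-0002", False, date(2026, 2, 10), date(2026, 3, 1)),
    Asset("erp-db", "internal_server", "ADV-0003", True, date(2026, 2, 1), None,
          exception_until=date(2026, 3, 31)),
    Asset("legacy-scada", "internal_server", "ADV-0004", False, date(2026, 1, 5), None,
          exception_until=date(2026, 2, 15)),
    Asset("ws-hr-03", "workstation", "ADV-0003", True, date(2026, 2, 1), date(2026, 2, 20)),
    Asset("mail-gw", "internet_facing", "ADV-0005", False, date(2026, 2, 25), None),
]

if __name__ == "__main__":
    by_name = {a.name: a for a in INVENTORY}
    for status, names in report(INVENTORY, TODAY).items():
        for name in names:
            asset = by_name[name]
            extra = ""
            if status in ("overdue", "exception_expired"):
                extra = f" ({days_overdue(asset, TODAY)} days past deadline)"
            print(f"{status:18} {name:14} {asset.vuln_id}{extra}")
```

Run the file to print the grouped report, or import `report` and feed it records exported from your RMM or vulnerability scanner. The two statuses worth alerting on are `overdue` and `exception_expired`: the first is a missed timeline, the second is an exception that nobody renewed or closed, which is how "temporary" compensating controls become permanent gaps.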

7. Backup and Data Recovery Policy

Specifies how data is backed up, where backups are stored, and how they are tested and restored.

Must cover

  • Backup frequency and scope
  • Offline, offsite or immutable storage, so that an attacker holding an administrator account cannot delete or encrypt the backups along with the live data
  • Retention periods
  • Restoration testing schedule
  • Encryption of backup data

Essential — directly maps to Essential Eight 'Regular Backups'. Critical for ransomware resilience.

8. Incident Response Policy / Plan

Defines how the organisation detects, responds to, and recovers from a cybersecurity incident.

Must cover

  • Incident classification and severity levels
  • Response team and contact list
  • Notification requirements (Privacy Act NDB scheme)
  • Containment and recovery steps
  • Post-incident review process

Essential — the OAIC expects organisations covered by the Privacy Act to have a data breach response plan so that eligible breaches are assessed and notified within the NDB timeframes, and cyber insurers expect one too.

9. Data Classification and Handling Policy

Classifies the types of data your organisation holds and specifies how each type must be handled, stored, and transmitted.

Must cover

  • Data classification tiers (public, internal, confidential, restricted)
  • Handling requirements per classification
  • Data retention and disposal
  • Privacy Act obligations
  • Transfer and sharing restrictions

Essential if you hold customer, health, financial, or employee data — which most businesses do.

10. Email Security Policy

Sets standards for safe email use, including handling of attachments, links, and suspicious messages.

Must cover

  • Reporting of suspicious emails
  • Rules for attachments and links
  • Use of personal email for business
  • Email filtering requirements
  • Macro and script handling

Essential — email is the primary delivery channel for phishing, ransomware and business email compromise (BEC).

11. Endpoint Security and Hardening Policy

Defines the security configuration standards for workstations, laptops, and mobile devices.

Must cover

  • Required security software (EDR/antivirus)
  • Disk encryption requirements
  • Screen lock and idle timeout
  • USB and external media controls
  • Approved software list

Essential — maps to Essential Eight 'User Application Hardening' and 'Application Control'.

12. Remote Work Security Policy

Governs how employees work from home or other non-office locations securely.

Must cover

  • VPN requirements
  • Home network security expectations
  • Physical security of devices
  • Public Wi-Fi restrictions
  • Screen privacy in public spaces

Essential for any organisation with staff who work away from the office, even part of the time.

13. Third-Party and Vendor Management Policy

Sets requirements for assessing and managing the security practices of external vendors, contractors, and service providers.

Must cover

  • Vendor security assessment requirements
  • Data processing agreements (for Privacy Act)
  • Access controls for third parties
  • Incident notification requirements
  • Offboarding procedures

Important — a compromised supplier or service provider is a common route into an organisation's data. Required if you share data with vendors or give them access to your systems.

14. Security Awareness Training Policy

Defines the security training requirements for all staff, including frequency, content, and accountability.

Must cover

  • Mandatory training schedule
  • Phishing simulation requirements
  • Role-specific training for IT and admin staff
  • Onboarding training for new employees
  • Training records and attestation

Essential — most intrusions start with a person being deceived into clicking, approving or paying something, and insurers increasingly ask for evidence of training.

How to Create These Policies Without a Consultant

Hiring a cybersecurity consultant to write your policies from scratch typically costs $5,000–$15,000 for a basic set. For most small businesses, this is out of reach — and often unnecessary for ML1/ML2 compliance purposes.

The practical alternatives are:

Option 1: Use a template and customise it yourself

Templates provide the structure; you fill in your company details and make sure the content reflects your actual practices. The risk is that generic templates may not address your specific industry, size, or gaps. Allow 2-4 hours per policy to customise properly.

Option 2: Use a policy generator (like EssentialScore)

EssentialScore generates policies customised to your organisation's profile and assessment results. It tailors content based on your industry, staff count, and identified gaps — so the policies reflect your actual situation rather than a generic template. This is the fastest path to a working policy set.

Option 3: Engage an MSP or IT security consultant

Appropriate for businesses where policies will be audited externally (government contracts, formal ISO 27001 roadmaps, or where the organisation has complex or sensitive data environments). Expect $200–$500/hour or $5k–$15k for a full policy suite.

Generate Your Policies Based on Your Assessment

Take the free Essential Eight assessment, see which policies you actually need, then generate customised versions for your organisation — in one afternoon.