Docaro

Cybersecurity Policy Clause Library For The United Kingdom

This clause library helps you quickly find relevant cybersecurity policy wording for UK organisations, saving time and improving consistency. Use it alongside the "AI Generated Information Security Policy for use in the United Kingdom" category page to build practical, consistent policies. Each clause is listed with a short description, the types of organisation it typically applies to, drafting notes, and an importance level.
Governance

| Clause Name | Clause Description | Typical Applicability | Drafting Notes | Importance Level |
|---|---|---|---|---|
| Policy Purpose And Scope | Defines the policy objectives, covered systems, users, locations, data, and business activities. | All Organisations | Specify whether contractors, subsidiaries, cloud services, and personal devices are in scope. | High |
| Security Roles And Responsibilities | Allocates security duties to directors, managers, IT staff, employees, and third parties. | All Organisations | Name job roles rather than individuals where possible to avoid frequent updates. | High |
| Board And Senior Management Oversight | Requires leadership oversight of cyber risk, security investment, reporting, and policy compliance. | Medium-sized Business, Large Enterprise, Regulated Organisation | Include reporting frequency, risk owners, escalation thresholds, and board committee involvement. | High |
| Cyber Risk Assessment | Requires periodic identification, assessment, treatment, and review of cybersecurity risks. | All Organisations | Align risk scoring with the organisation's existing enterprise risk framework. | High |
| Information Security Management Framework | Sets the policy framework for controls, procedures, audits, improvement, and management review. | Medium-sized Business, Large Enterprise, Regulated Organisation | State whether the organisation follows ISO 27001, Cyber Essentials, or internal standards. | Medium |
| Cyber Risk Appetite | Defines the level of cyber risk the organisation is prepared to accept. | Medium-sized Business, Large Enterprise, Regulated Organisation | Use measurable thresholds for outage, financial loss, data exposure, and regulatory impact. | Medium |
| Legal And Regulatory Compliance | Requires cybersecurity activities to comply with applicable UK laws, regulations, and contracts. | All Organisations | Refer to UK GDPR, DPA 2018, PECR, sector rules, and customer security obligations as applicable. | High |

Data Protection

| Clause Name | Clause Description | Typical Applicability | Drafting Notes | Importance Level |
|---|---|---|---|---|
| Personal Data Security Measures | Requires appropriate technical and organisational measures for securing personal data. | All Organisations | Reflect risk, processing nature, costs, encryption, resilience, testing, and restoration capability. | High |
| Data Protection Accountability | Requires records, controls, evidence, and ownership to demonstrate compliance with data protection principles. | All Organisations | Link the cybersecurity policy to privacy notices, ROPA, DPIAs, and processor contracts. | High |
| Data Protection Act 2018 Compliance | Recognises UK domestic data protection requirements supplementing UK GDPR obligations. | All Organisations | Use where the policy handles employee, customer, special category, or criminal offence data. | High |
| Information Classification | Classifies information by sensitivity so handling, storage, sharing, and disposal controls are proportionate. | All Organisations | Keep labels simple, such as public, internal, confidential, and restricted. | High |
| Secure Data Handling | Sets rules for collecting, storing, transmitting, copying, printing, and deleting sensitive information. | All Organisations | Include practical examples for emails, spreadsheets, shared drives, CRM data, and HR files. | High |
| Data Minimisation | Requires collection and retention of only the data needed for defined business purposes. | All Organisations | Cross-reference retention schedules, access controls, and system design requirements. | High |
| Data Retention And Secure Disposal | Sets retention periods and secure deletion or destruction requirements for records and devices. | All Organisations | State approved deletion methods for cloud accounts, storage media, paper files, and backups. | High |
| Encryption Of Data At Rest And In Transit | Requires encryption for sensitive data on devices, removable media, backups, and networks. | All Organisations | Specify encryption standards, key ownership, MFA for admin consoles, and exceptions approval. | High |
| Pseudonymisation And Anonymisation | Promotes de-identification techniques to reduce privacy and security risk when using personal data. | Medium-sized Business, Large Enterprise, Regulated Organisation | Distinguish anonymised data from pseudonymised personal data, which remains regulated. | Medium |
| Data Loss Prevention | Defines controls to detect and prevent unauthorised transfer or disclosure of sensitive information. | Medium-sized Business, Large Enterprise, Regulated Organisation | Cover email rules, cloud sharing, USB restrictions, logging, alerts, and exception handling. | Medium |
| International Data Transfers | Controls transfers of personal data outside the UK to ensure lawful safeguards are used. | All Organisations | Mention UK IDTA, UK Addendum, adequacy regulations, and supplier transfer assessments where relevant. | High |
| Data Protection Impact Assessments | Requires privacy risk assessments for high-risk processing, technologies, or major system changes. | Medium-sized Business, Large Enterprise, Regulated Organisation | Trigger DPIAs for monitoring, profiling, special category data, AI tools, or large-scale processing. | High |
| Data Protection By Design And Default | Embeds privacy and security controls into systems, processes, and default settings. | All Organisations | Require security review before launching new products, services, integrations, and AI tools. | High |
| Security Support For Data Subject Rights | Ensures systems can locate, export, restrict, correct, or delete personal data when required. | All Organisations | Coordinate with privacy procedures so security staff know verification and response rules. | Medium |

Access Control

| Clause Name | Clause Description | Typical Applicability | Drafting Notes | Importance Level |
|---|---|---|---|---|
| Access Control Principles | Sets rules for granting, reviewing, modifying, and removing access to systems and data. | All Organisations | Use least privilege, need-to-know, unique accounts, and documented approvals. | High |
| Least Privilege Access | Limits user permissions to the minimum required for legitimate work activities. | All Organisations | Define approval steps for elevated rights and require periodic permission recertification. | High |
| User Joiner Mover Leaver Controls | Controls account creation, role changes, suspension, and deletion when staff join, move, or leave. | All Organisations | Set deadlines for access removal, especially for terminated staff and privileged users. | High |
| Password And Passphrase Requirements | Sets requirements for strong, unique, protected passwords or passphrases. | All Organisations | Avoid outdated forced rotation unless compromise is suspected; allow password managers. | High |
| Multi-Factor Authentication | Requires additional authentication factors for important systems, remote access, and privileged accounts. | All Organisations | Prioritise email, cloud admin, finance, HR, VPN, code repositories, and customer portals. | High |
| Privileged Access Management | Controls administrator accounts through approval, separation, monitoring, and enhanced authentication. | Medium-sized Business, Large Enterprise, Regulated Organisation | Require named admin accounts, no routine use of admin rights, and emergency access logging. | High |
| Remote Access Security | Sets controls for accessing corporate systems from home, public networks, or offsite locations. | All Organisations | Cover MFA, VPN or secure access tools, device posture, screen privacy, and public Wi-Fi. | High |
| Bring Your Own Device Controls | Sets conditions for using personal devices to access business systems or data. | Small Business, Medium-sized Business | Address MDM, encryption, patching, separation of personal data, monitoring, and wipe consent. | Medium |
| Periodic Access Reviews | Requires regular checks that users still need the permissions assigned to them. | Medium-sized Business, Large Enterprise, Regulated Organisation | Set review frequency by risk level and include managers, system owners, and IT administrators. | High |
| Prohibition On Shared Accounts | Requires unique user accounts to support accountability, logging, and incident investigation. | All Organisations | Allow tightly controlled exceptions only for break-glass or legacy systems. | High |
| Session Timeout And Screen Locking | Requires automatic locking and timeout controls to reduce unauthorised access risk. | All Organisations | Set practical timeout periods by device type, workplace setting, and data sensitivity. | Medium |

Operational Security

| Clause Name | Clause Description | Typical Applicability | Drafting Notes | Importance Level |
|---|---|---|---|---|
| Asset Inventory And Ownership | Requires an up-to-date inventory of hardware, software, cloud services, and data assets. | All Organisations | Assign asset owners and include SaaS, domains, certificates, mobile devices, and shadow IT. | High |
| Secure Configuration | Requires systems and devices to be hardened, configured securely, and unnecessary services removed. | All Organisations | Include baseline builds, default password removal, auto-locking, firewall settings, and approved images. | High |
| Patch And Vulnerability Management | Requires timely identification, prioritisation, testing, and installation of security updates. | All Organisations | Set deadlines for critical, high, medium, and low vulnerabilities, including unsupported software rules. | High |
| Malware Protection | Requires controls to prevent, detect, quarantine, and respond to malware and ransomware. | All Organisations | Cover endpoint protection, application allow-listing, macro controls, downloads, and alert handling. | High |
| Backup And Restore | Requires reliable backups and tested restoration to recover from ransomware, error, or system failure. | All Organisations | Specify frequency, retention, offline or immutable copies, encryption, ownership, and restore testing. | High |
| Security Logging And Monitoring | Requires collection and review of security logs to detect misuse, attacks, and failures. | Medium-sized Business, Large Enterprise, Regulated Organisation | Balance monitoring with employee privacy notices, retention periods, and access restrictions. | High |
| Network Security | Sets controls for firewalls, segmentation, secure protocols, wireless networks, and perimeter defence. | All Organisations | Define guest Wi-Fi, admin interfaces, inbound access, VPNs, and cloud network security controls. | High |
| Vulnerability Scanning | Requires regular scanning to identify exposed services, misconfigurations, and known vulnerabilities. | Medium-sized Business, Large Enterprise, Regulated Organisation | Set scan frequency, scope, remediation ownership, and treatment of internet-facing assets. | Medium |
| Penetration Testing | Provides for authorised security testing of systems, applications, networks, and cloud environments. | Medium-sized Business, Large Enterprise, Regulated Organisation | Require written scope, safe testing windows, reporting, remediation tracking, and legal authorisation. | Medium |
| Security Change Management | Requires security review and approval for material technology, configuration, and process changes. | Medium-sized Business, Large Enterprise, Regulated Organisation | Include emergency changes, rollback plans, segregation of duties, and post-change checks. | Medium |
| Secure Software Development | Requires secure design, coding, review, testing, deployment, and maintenance practices. | Medium-sized Business, Large Enterprise, Regulated Organisation | Cover code review, secrets handling, dependency checks, CI/CD access, and vulnerability remediation. | High |
| Cloud Services Security | Sets security expectations for selecting, configuring, monitoring, and managing cloud services. | All Organisations | Address shared responsibility, regions, encryption, identity integration, logging, backups, and exit. | High |
| Email Security | Sets measures to reduce phishing, spoofing, malware, and accidental disclosure through email. | All Organisations | Cover DMARC, SPF, DKIM, attachment controls, encryption, external banners, and reporting suspicious emails. | High |
| Removable Media Controls | Restricts USB drives and other removable media to reduce malware and data loss risk. | All Organisations | Require approval, encryption, malware scanning, asset tracking, and secure disposal. | Medium |
| Mobile Device Security | Sets controls for smartphones, tablets, laptops, and portable devices used for business. | All Organisations | Include encryption, PIN or biometric lock, MDM, patching, lost device reporting, and remote wipe. | High |
| Physical Security Of IT Assets | Protects devices, servers, networking equipment, paper records, and storage media from unauthorised access. | All Organisations | Cover secure rooms, visitor access, clear desk rules, CCTV notices, and home-working storage. | Medium |
| Cyber Resilience And Business Continuity | Links cybersecurity controls to continuity planning for outages, ransomware, and critical supplier failure. | All Organisations | Define recovery time objectives, manual workarounds, crisis roles, communications, and test frequency. | High |

Incident Management

| Clause Name | Clause Description | Typical Applicability | Drafting Notes | Importance Level |
|---|---|---|---|---|
| Security Incident Management | Defines how security incidents are identified, reported, assessed, contained, investigated, and closed. | All Organisations | Include severity levels, response roles, contact routes, escalation timings, and after-action reviews. | High |
| Internal Incident Reporting Duties | Requires staff to promptly report suspected phishing, malware, lost devices, data leaks, and unusual activity. | All Organisations | Provide a simple reporting channel and state that early reporting is encouraged, not punished. | High |
| Personal Data Breach Notification | Requires assessment and notification of reportable personal data breaches to the ICO without undue delay. | All Organisations | State the 72-hour ICO deadline and ensure all suspected breaches are escalated immediately. | High |
| Communication To Affected Individuals | Requires notification to affected individuals where a personal data breach creates high risk. | All Organisations | Prepare templates but require legal or DPO review before external communications. | High |
| Incident Evidence Preservation | Preserves logs, devices, files, communications, and forensic evidence during investigations. | Medium-sized Business, Large Enterprise, Regulated Organisation | Include chain of custody, legal privilege considerations, and restrictions on unauthorised system changes. | Medium |
| Ransomware Response | Sets immediate actions for ransomware containment, recovery, communications, and escalation. | All Organisations | Cover isolation, backup restoration, insurer contact, NCSC reporting, legal review, and payment authority. | High |
| External Cyber Incident Reporting | Identifies when incidents may be reported to the NCSC, Action Fraud, police, insurers, or regulators. | All Organisations | Avoid promising notification in every case; require assessment against legal and contractual duties. | Medium |
| Post-Incident Review And Lessons Learned | Requires root cause analysis, remediation tracking, control improvements, and management reporting after incidents. | All Organisations | Set responsibility for action owners, deadlines, evidence, and policy or training updates. | High |

Supplier Management

| Clause Name | Clause Description | Typical Applicability | Drafting Notes | Importance Level |
|---|---|---|---|---|
| Supplier Security Due Diligence | Requires assessment of supplier security before onboarding and during the relationship. | All Organisations | Assess access to systems, data sensitivity, certifications, subcontractors, location, and incident history. | High |
| Supplier Security Contract Terms | Requires contracts to include security controls, confidentiality, audit rights, incident notification, and exit duties. | All Organisations | Coordinate with procurement and legal teams; include flow-down obligations for subcontractors. | High |
| Processor Security Obligations | Requires written terms and security obligations for suppliers processing personal data. | All Organisations | Include Article 28 terms, audit assistance, breach notice, subprocessors, return, and deletion. | High |
| Third-Party Access To Systems | Controls supplier, contractor, and support access to corporate networks, applications, and data. | All Organisations | Require named accounts, MFA, time-limited access, monitoring, approvals, and prompt removal. | High |
| Supplier Incident Notification | Requires suppliers to notify the organisation promptly of security incidents affecting services or data. | All Organisations | Set short notification periods so UK GDPR and customer deadlines can still be met. | High |
| Ongoing Supplier Security Review | Requires periodic review of supplier security posture, compliance evidence, and service risk. | Medium-sized Business, Large Enterprise, Regulated Organisation | Tier suppliers by criticality and request updated certificates, questionnaires, reports, or attestations. | Medium |
| Supplier Exit And Data Return | Sets requirements for termination, access revocation, data return, deletion, and transition support. | All Organisations | Require deletion certificates, format of returned data, transfer assistance, and survival of confidentiality duties. | Medium |

Employee Responsibilities

| Clause Name | Clause Description | Typical Applicability | Drafting Notes | Importance Level |
|---|---|---|---|---|
| Acceptable Use Of IT Systems | Sets permitted and prohibited use of business devices, networks, applications, email, and internet access. | All Organisations | Be clear on personal use, illegal content, monitoring, social media, downloads, and disciplinary consequences. | High |
| Cybersecurity Awareness Training | Requires staff to receive security awareness training suitable for their role and risks. | All Organisations | Include induction, annual refreshers, phishing, passwords, data handling, and role-specific modules. | High |
| Phishing And Social Engineering | Sets expectations for recognising, avoiding, and reporting phishing and social engineering attempts. | All Organisations | Include suspicious email reporting, finance call-back checks, QR phishing, SMS, and voice scams. | High |
| Employee Confidentiality Duties | Requires staff to protect confidential information and personal data during and after employment. | All Organisations | Align with employment contracts, NDAs, disciplinary policies, and post-termination obligations. | High |
| Clear Desk And Clear Screen | Requires staff to secure papers, devices, screens, and credentials when unattended. | All Organisations | Apply proportionately to offices, shared workspaces, home offices, and customer sites. | Medium |
| Home And Hybrid Working Responsibilities | Sets staff duties for secure working from home, coworking spaces, hotels, and travel locations. | All Organisations | Cover privacy, device storage, family access, printing, calls, screen visibility, and secure disposal. | High |
| Policy Breach And Disciplinary Action | Explains that policy breaches may lead to access removal, investigation, disciplinary action, or termination. | All Organisations | Align with UK employment procedures, staff handbook, contractor terms, and proportionality requirements. | Medium |
| Monitoring Of Systems And Users | Explains lawful monitoring of systems, networks, emails, logs, and user activity for security purposes. | All Organisations | Ensure transparency, proportionality, lawful basis, access limits, retention rules, and privacy notices. | High |
| Public Disclosure And Social Media Security | Restricts disclosure of sensitive business, technical, customer, or security information in public channels. | All Organisations | Include LinkedIn, screenshots, client names, system details, photos, conferences, and recruitment posts. | Medium |
| Use Of AI Tools And Generative AI | Sets rules for using AI tools without exposing confidential information, personal data, or credentials. | All Organisations | Specify approved tools, prohibited inputs, review of outputs, data protection checks, and audit logging. | High |

Governance (continued)

| Clause Name | Clause Description | Typical Applicability | Drafting Notes | Importance Level |
|---|---|---|---|---|
| Security Exceptions And Waivers | Defines how exceptions to security requirements are requested, risk-assessed, approved, and reviewed. | Medium-sized Business, Large Enterprise, Regulated Organisation | Require expiry dates, compensating controls, business owner acceptance, and central exception registers. | Medium |
| Policy Review And Maintenance | Requires scheduled and event-driven review of the cybersecurity policy and supporting procedures. | All Organisations | Review at least annually and after incidents, legal changes, audits, mergers, or major system changes. | High |

What Clauses Should A UK Cybersecurity Policy Usually Include?

A robust UK cybersecurity policy normally combines governance, access control, data protection, incident management, operational security, supplier controls, and employee duties. Clauses on personal data, breach reporting, access control, staff training, backups, malware protection, and supplier security are especially important because they connect directly to UK GDPR accountability, ICO expectations, Cyber Essentials controls, and common contractual requirements.

Which Clauses Are Most Important For UK GDPR Compliance?

Clauses dealing with data classification, lawful handling of personal data, data retention, encryption, breach escalation, processor management, data subject rights, DPIAs, and privacy by design are particularly important for organisations handling personal data. UK GDPR and the Data Protection Act 2018 require organisations to implement appropriate technical and organisational measures and to be able to demonstrate accountability.

How Should Incident Reporting Be Drafted In A UK Policy?

Incident clauses should clearly define what counts as a security incident, who must be notified internally, how evidence is preserved, and when legal, customer, ICO, NCSC, insurer, or law enforcement reporting may be needed. For personal data breaches, the policy should support rapid assessment because reportable breaches must generally be notified to the ICO within 72 hours of awareness.

Why Are Supplier Security Clauses Important?

Many UK organisations rely on cloud providers, payroll systems, IT support companies, SaaS tools, and outsourced processors. Supplier clauses should require due diligence, written processing terms where personal data is involved, security obligations, audit rights, incident notification, subcontractor controls, and exit arrangements. This is important because outsourced services do not remove the organisation's accountability for security or data protection compliance.

How Should Small Businesses Use This Clause Library?

Small businesses should prioritise concise clauses covering password and MFA rules, device security, email and phishing, software updates, backups, incident reporting, acceptable use, remote working, and supplier checks. More complex clauses, such as SIEM monitoring, formal ISO 27001 governance, penetration testing programmes, and data loss prevention, can be adapted proportionately as the business grows or enters regulated or enterprise customer supply chains.

FAQs

What is a cybersecurity policy clause library? It is a curated set of reusable clauses for UK cybersecurity or Information Security Policy documents, covering topics such as access control, data protection, incident response, and employee responsibilities.
