Cybersecurity Policy Clause Library For The United Kingdom
| Clause Name | Clause Description | Typical Applicability | Drafting Notes | Importance Level |
|---|---|---|---|---|
Governance | ||||
Policy Purpose And Scope | Defines the policy objectives, covered systems, users, locations, data, and business activities. | All Organisations | Specify whether contractors, subsidiaries, cloud services, and personal devices are in scope. | High |
Security Roles And Responsibilities | Allocates security duties to directors, managers, IT staff, employees, and third parties. | All Organisations | Name job roles rather than individuals where possible to avoid frequent updates. | High |
Board And Senior Management Oversight | Requires leadership oversight of cyber risk, security investment, reporting, and policy compliance. | Medium-sized Business, Large Enterprise, Regulated Organisation | Include reporting frequency, risk owners, escalation thresholds, and board committee involvement. | High |
Cyber Risk Assessment | Requires periodic identification, assessment, treatment, and review of cybersecurity risks. | All Organisations | Align risk scoring with the organisation's existing enterprise risk framework. | High |
Information Security Management Framework | Sets the policy framework for controls, procedures, audits, improvement, and management review. | Medium-sized Business, Large Enterprise, Regulated Organisation | State whether the organisation follows ISO 27001, Cyber Essentials, or internal standards. | Medium |
Cyber Risk Appetite | Defines the level of cyber risk the organisation is prepared to accept. | Medium-sized Business, Large Enterprise, Regulated Organisation | Use measurable thresholds for outage, financial loss, data exposure, and regulatory impact. | Medium |
Legal And Regulatory Compliance | Requires cybersecurity activities to comply with applicable UK laws, regulations, and contracts. | All Organisations | Refer to UK GDPR, DPA 2018, PECR, sector rules, and customer security obligations as applicable. | High |
Data Protection | ||||
Personal Data Security Measures | Requires appropriate technical and organisational measures for securing personal data. | All Organisations | Reflect risk, processing nature, costs, encryption, resilience, testing, and restoration capability. | High |
Data Protection Accountability | Requires records, controls, evidence, and ownership to demonstrate compliance with data protection principles. | All Organisations | Link the cybersecurity policy to privacy notices, ROPA, DPIAs, and processor contracts. | High |
Data Protection Act 2018 Compliance | Recognises UK domestic data protection requirements supplementing UK GDPR obligations. | All Organisations | Use where the policy handles employee, customer, special category, or criminal offence data. | High |
Information Classification | Classifies information by sensitivity so handling, storage, sharing, and disposal controls are proportionate. | All Organisations | Keep labels simple, such as public, internal, confidential, and restricted. | High |
Secure Data Handling | Sets rules for collecting, storing, transmitting, copying, printing, and deleting sensitive information. | All Organisations | Include practical examples for emails, spreadsheets, shared drives, CRM data, and HR files. | High |
Data Minimisation | Requires collection and retention of only the data needed for defined business purposes. | All Organisations | Cross-reference retention schedules, access controls, and system design requirements. | High |
Data Retention And Secure Disposal | Sets retention periods and secure deletion or destruction requirements for records and devices. | All Organisations | State approved deletion methods for cloud accounts, storage media, paper files, and backups. | High |
Encryption Of Data At Rest And In Transit | Requires encryption for sensitive data on devices, removable media, backups, and networks. | All Organisations | Specify encryption standards, key ownership, MFA for admin consoles, and exceptions approval. | High |
Pseudonymisation And Anonymisation | Promotes de-identification techniques to reduce privacy and security risk when using personal data. | Medium-sized Business, Large Enterprise, Regulated Organisation | Distinguish anonymised data from pseudonymised personal data, which remains regulated. | Medium |
Data Loss Prevention | Defines controls to detect and prevent unauthorised transfer or disclosure of sensitive information. | Medium-sized Business, Large Enterprise, Regulated Organisation | Cover email rules, cloud sharing, USB restrictions, logging, alerts, and exception handling. | Medium |
International Data Transfers | Controls transfers of personal data outside the UK to ensure lawful safeguards are used. | All Organisations | Mention UK IDTA, UK Addendum, adequacy regulations, and supplier transfer assessments where relevant. | High |
Data Protection Impact Assessments | Requires privacy risk assessments for high-risk processing, technologies, or major system changes. | Medium-sized Business, Large Enterprise, Regulated Organisation | Trigger DPIAs for monitoring, profiling, special category data, AI tools, or large-scale processing. | High |
Data Protection By Design And Default | Embeds privacy and security controls into systems, processes, and default settings. | All Organisations | Require security review before launching new products, services, integrations, and AI tools. | High |
Security Support For Data Subject Rights | Ensures systems can locate, export, restrict, correct, or delete personal data when required. | All Organisations | Coordinate with privacy procedures so security staff know verification and response rules. | Medium |
Access Control | ||||
Access Control Principles | Sets rules for granting, reviewing, modifying, and removing access to systems and data. | All Organisations | Use least privilege, need-to-know, unique accounts, and documented approvals. | High |
Least Privilege Access | Limits user permissions to the minimum required for legitimate work activities. | All Organisations | Define approval steps for elevated rights and require periodic permission recertification. | High |
User Joiner Mover Leaver Controls | Controls account creation, role changes, suspension, and deletion when staff join, move, or leave. | All Organisations | Set deadlines for access removal, especially for terminated staff and privileged users. | High |
Password And Passphrase Requirements | Sets requirements for strong, unique, protected passwords or passphrases. | All Organisations | Avoid outdated forced rotation unless compromise is suspected; allow password managers. | High |
Multi-Factor Authentication | Requires additional authentication factors for important systems, remote access, and privileged accounts. | All Organisations | Prioritise email, cloud admin, finance, HR, VPN, code repositories, and customer portals. | High |
Privileged Access Management | Controls administrator accounts through approval, separation, monitoring, and enhanced authentication. | Medium-sized Business, Large Enterprise, Regulated Organisation | Require named admin accounts, no routine use of admin rights, and emergency access logging. | High |
Remote Access Security | Sets controls for accessing corporate systems from home, public networks, or offsite locations. | All Organisations | Cover MFA, VPN or secure access tools, device posture, screen privacy, and public Wi-Fi. | High |
Bring Your Own Device Controls | Sets conditions for using personal devices to access business systems or data. | Small Business, Medium-sized Business | Address MDM, encryption, patching, separation of personal data, monitoring, and wipe consent. | Medium |
Periodic Access Reviews | Requires regular checks that users still need the permissions assigned to them. | Medium-sized Business, Large Enterprise, Regulated Organisation | Set review frequency by risk level and include managers, system owners, and IT administrators. | High |
Prohibition On Shared Accounts | Requires unique user accounts to support accountability, logging, and incident investigation. | All Organisations | Allow tightly controlled exceptions only for break-glass or legacy systems. | High |
Session Timeout And Screen Locking | Requires automatic locking and timeout controls to reduce unauthorised access risk. | All Organisations | Set practical timeout periods by device type, workplace setting, and data sensitivity. | Medium |
Operational Security | ||||
Asset Inventory And Ownership | Requires an up-to-date inventory of hardware, software, cloud services, and data assets. | All Organisations | Assign asset owners and include SaaS, domains, certificates, mobile devices, and shadow IT. | High |
Secure Configuration | Requires systems and devices to be hardened, configured securely, and unnecessary services removed. | All Organisations | Include baseline builds, default password removal, auto-locking, firewall settings, and approved images. | High |
Patch And Vulnerability Management | Requires timely identification, prioritisation, testing, and installation of security updates. | All Organisations | Set deadlines for critical, high, medium, and low vulnerabilities, including unsupported software rules. | High |
Malware Protection | Requires controls to prevent, detect, quarantine, and respond to malware and ransomware. | All Organisations | Cover endpoint protection, application allow-listing, macro controls, downloads, and alert handling. | High |
Backup And Restore | Requires reliable backups and tested restoration to recover from ransomware, error, or system failure. | All Organisations | Specify frequency, retention, offline or immutable copies, encryption, ownership, and restore testing. | High |
Security Logging And Monitoring | Requires collection and review of security logs to detect misuse, attacks, and failures. | Medium-sized Business, Large Enterprise, Regulated Organisation | Balance monitoring with employee privacy notices, retention periods, and access restrictions. | High |
Network Security | Sets controls for firewalls, segmentation, secure protocols, wireless networks, and perimeter defence. | All Organisations | Define guest Wi-Fi, admin interfaces, inbound access, VPNs, and cloud network security controls. | High |
Vulnerability Scanning | Requires regular scanning to identify exposed services, misconfigurations, and known vulnerabilities. | Medium-sized Business, Large Enterprise, Regulated Organisation | Set scan frequency, scope, remediation ownership, and treatment of internet-facing assets. | Medium |
Penetration Testing | Provides for authorised security testing of systems, applications, networks, and cloud environments. | Medium-sized Business, Large Enterprise, Regulated Organisation | Require written scope, safe testing windows, reporting, remediation tracking, and legal authorisation. | Medium |
Security Change Management | Requires security review and approval for material technology, configuration, and process changes. | Medium-sized Business, Large Enterprise, Regulated Organisation | Include emergency changes, rollback plans, segregation of duties, and post-change checks. | Medium |
Secure Software Development | Requires secure design, coding, review, testing, deployment, and maintenance practices. | Medium-sized Business, Large Enterprise, Regulated Organisation | Cover code review, secrets handling, dependency checks, CI/CD access, and vulnerability remediation. | High |
Cloud Services Security | Sets security expectations for selecting, configuring, monitoring, and managing cloud services. | All Organisations | Address shared responsibility, regions, encryption, identity integration, logging, backups, and exit. | High |
Email Security | Sets measures to reduce phishing, spoofing, malware, and accidental disclosure through email. | All Organisations | Cover DMARC, SPF, DKIM, attachment controls, encryption, external banners, and reporting suspicious emails. | High |
Removable Media Controls | Restricts USB drives and other removable media to reduce malware and data loss risk. | All Organisations | Require approval, encryption, malware scanning, asset tracking, and secure disposal. | Medium |
Mobile Device Security | Sets controls for smartphones, tablets, laptops, and portable devices used for business. | All Organisations | Include encryption, PIN or biometric lock, MDM, patching, lost device reporting, and remote wipe. | High |
Physical Security Of IT Assets | Protects devices, servers, networking equipment, paper records, and storage media from unauthorised access. | All Organisations | Cover secure rooms, visitor access, clear desk rules, CCTV notices, and home-working storage. | Medium |
Cyber Resilience And Business Continuity | Links cybersecurity controls to continuity planning for outages, ransomware, and critical supplier failure. | All Organisations | Define recovery time objectives, manual workarounds, crisis roles, communications, and test frequency. | High |
Incident Management | ||||
Security Incident Management | Defines how security incidents are identified, reported, assessed, contained, investigated, and closed. | All Organisations | Include severity levels, response roles, contact routes, escalation timings, and after-action reviews. | High |
Internal Incident Reporting Duties | Requires staff to promptly report suspected phishing, malware, lost devices, data leaks, and unusual activity. | All Organisations | Provide a simple reporting channel and state that early reporting is encouraged, not punished. | High |
Personal Data Breach Notification | Requires assessment and notification of reportable personal data breaches to the ICO without undue delay. | All Organisations | State the 72-hour ICO deadline and ensure all suspected breaches are escalated immediately. | High |
Communication To Affected Individuals | Requires notification to affected individuals where a personal data breach creates high risk. | All Organisations | Prepare templates but require legal or DPO review before external communications. | High |
Incident Evidence Preservation | Preserves logs, devices, files, communications, and forensic evidence during investigations. | Medium-sized Business, Large Enterprise, Regulated Organisation | Include chain of custody, legal privilege considerations, and restrictions on unauthorised system changes. | Medium |
Ransomware Response | Sets immediate actions for ransomware containment, recovery, communications, and escalation. | All Organisations | Cover isolation, backup restoration, insurer contact, NCSC reporting, legal review, and payment authority. | High |
External Cyber Incident Reporting | Identifies when incidents may be reported to the NCSC, Action Fraud, police, insurers, or regulators. | All Organisations | Avoid promising notification in every case; require assessment against legal and contractual duties. | Medium |
Post-Incident Review And Lessons Learned | Requires root cause analysis, remediation tracking, control improvements, and management reporting after incidents. | All Organisations | Set responsibility for action owners, deadlines, evidence, and policy or training updates. | High |
Supplier Management | ||||
Supplier Security Due Diligence | Requires assessment of supplier security before onboarding and during the relationship. | All Organisations | Assess access to systems, data sensitivity, certifications, subcontractors, location, and incident history. | High |
Supplier Security Contract Terms | Requires contracts to include security controls, confidentiality, audit rights, incident notification, and exit duties. | All Organisations | Coordinate with procurement and legal teams; include flow-down obligations for subcontractors. | High |
Processor Security Obligations | Requires written terms and security obligations for suppliers processing personal data. | All Organisations | Include Article 28 terms, audit assistance, breach notice, subprocessors, return, and deletion. | High |
Third-Party Access To Systems | Controls supplier, contractor, and support access to corporate networks, applications, and data. | All Organisations | Require named accounts, MFA, time-limited access, monitoring, approvals, and prompt removal. | High |
Supplier Incident Notification | Requires suppliers to notify the organisation promptly of security incidents affecting services or data. | All Organisations | Set short notification periods so UK GDPR and customer deadlines can still be met. | High |
Ongoing Supplier Security Review | Requires periodic review of supplier security posture, compliance evidence, and service risk. | Medium-sized Business, Large Enterprise, Regulated Organisation | Tier suppliers by criticality and request updated certificates, questionnaires, reports, or attestations. | Medium |
Supplier Exit And Data Return | Sets requirements for termination, access revocation, data return, deletion, and transition support. | All Organisations | Require deletion certificates, format of returned data, transfer assistance, and survival of confidentiality duties. | Medium |
Employee Responsibilities | ||||
Acceptable Use Of IT Systems | Sets permitted and prohibited use of business devices, networks, applications, email, and internet access. | All Organisations | Be clear on personal use, illegal content, monitoring, social media, downloads, and disciplinary consequences. | High |
Cybersecurity Awareness Training | Requires staff to receive security awareness training suitable for their role and risks. | All Organisations | Include induction, annual refreshers, phishing, passwords, data handling, and role-specific modules. | High |
Phishing And Social Engineering | Sets expectations for recognising, avoiding, and reporting phishing and social engineering attempts. | All Organisations | Include suspicious email reporting, finance call-back checks, QR phishing, SMS, and voice scams. | High |
Employee Confidentiality Duties | Requires staff to protect confidential information and personal data during and after employment. | All Organisations | Align with employment contracts, NDAs, disciplinary policies, and post-termination obligations. | High |
Clear Desk And Clear Screen | Requires staff to secure papers, devices, screens, and credentials when unattended. | All Organisations | Apply proportionately to offices, shared workspaces, home offices, and customer sites. | Medium |
Home And Hybrid Working Responsibilities | Sets staff duties for secure working from home, coworking spaces, hotels, and travel locations. | All Organisations | Cover privacy, device storage, family access, printing, calls, screen visibility, and secure disposal. | High |
Policy Breach And Disciplinary Action | Explains that policy breaches may lead to access removal, investigation, disciplinary action, or termination. | All Organisations | Align with UK employment procedures, staff handbook, contractor terms, and proportionality requirements. | Medium |
Monitoring Of Systems And Users | Explains lawful monitoring of systems, networks, emails, logs, and user activity for security purposes. | All Organisations | Ensure transparency, proportionality, lawful basis, access limits, retention rules, and privacy notices. | High |
Public Disclosure And Social Media Security | Restricts disclosure of sensitive business, technical, customer, or security information in public channels. | All Organisations | Include LinkedIn, screenshots, client names, system details, photos, conferences, and recruitment posts. | Medium |
Use Of AI Tools And Generative AI | Sets rules for using AI tools without exposing confidential information, personal data, or credentials. | All Organisations | Specify approved tools, prohibited inputs, review of outputs, data protection checks, and audit logging. | High |
Governance | ||||
Security Exceptions And Waivers | Defines how exceptions to security requirements are requested, risk-assessed, approved, and reviewed. | Medium-sized Business, Large Enterprise, Regulated Organisation | Require expiry dates, compensating controls, business owner acceptance, and central exception registers. | Medium |
Policy Review And Maintenance | Requires scheduled and event-driven review of the cybersecurity policy and supporting procedures. | All Organisations | Review at least annually and after incidents, legal changes, audits, mergers, or major system changes. | High |
What Clauses Should A UK Cybersecurity Policy Usually Include?
A robust UK cybersecurity policy normally combines governance, access control, data protection, incident management, operational security, supplier controls, and employee duties. Clauses on personal data, breach reporting, access control, staff training, backups, malware protection, and supplier security are especially important because they connect directly to UK GDPR accountability, ICO expectations, Cyber Essentials controls, and common contractual requirements.
Which Clauses Are Most Important For UK GDPR Compliance?
Clauses dealing with data classification, lawful handling of personal data, data retention, encryption, breach escalation, processor management, data subject rights, DPIAs, and privacy by design are particularly important for organisations handling personal data. UK GDPR and the Data Protection Act 2018 require organisations to implement appropriate technical and organisational measures and to be able to demonstrate accountability.
How Should Incident Reporting Be Drafted In A UK Policy?
Incident clauses should clearly define what counts as a security incident, who must be notified internally, how evidence is preserved, and when legal, customer, ICO, NCSC, insurer, or law enforcement reporting may be needed. For personal data breaches, the policy should support rapid assessment because reportable breaches must generally be notified to the ICO within 72 hours of awareness.
Why Are Supplier Security Clauses Important?
Many UK organisations rely on cloud providers, payroll systems, IT support companies, SaaS tools, and outsourced processors. Supplier clauses should require due diligence, written processing terms where personal data is involved, security obligations, audit rights, incident notification, subcontractor controls, and exit arrangements. This is important because outsourced services do not remove the organisation's accountability for security or data protection compliance.
How Should Small Businesses Use This Clause Library?
Small businesses should prioritise concise clauses covering password and MFA rules, device security, email and phishing, software updates, backups, incident reporting, acceptable use, remote working, and supplier checks. More complex clauses, such as SIEM monitoring, formal ISO 27001 governance, penetration testing programmes, and data loss prevention, can be adapted proportionately as the business grows or enters regulated or enterprise customer supply chains.