Docaro

Employee Cybersecurity Responsibilities Register In The United Kingdom

This dataset helps organisations define, assign and review employee cybersecurity duties, supporting clearer accountability and stronger compliance. It is especially useful alongside an AI Generated Information Security Policy for use in the United Kingdom.
| Workforce Group | Responsibility Name | Responsibility Description | Security Domain | Frequency | Policy Wording Notes |
|---|---|---|---|---|---|
| All Staff, Contractors | Use Strong Unique Passwords | Create passwords that are hard to guess and not reused across work and personal accounts. | Password Security | Daily | State that work passwords must be unique, confidential and not reused on non-work services. |
| All Staff, Contractors | Keep Passwords Confidential | Do not share, write down visibly, email or message passwords to anyone. | Password Security | Daily | Include a clear prohibition on password sharing, including with managers or IT support. |
| All Staff, IT Staff, Contractors | Use Approved Password Managers | Store work passwords only in an approved password manager where provided. | Password Security | Daily | Name the approved tool and ban storage in browsers, notes files or spreadsheets unless approved. |
| All Staff, Contractors, Senior Leadership | Use Multi-Factor Authentication | Use MFA for business systems and never approve unexpected authentication prompts. | Password Security | Daily | Require MFA where available and require suspicious MFA prompts to be reported immediately. |
| All Staff, Contractors | Report Suspected Credential Compromise | Report immediately if a password, token or MFA device may have been exposed. | Password Security, Incident Reporting | As Required | Set a no-blame reporting route and require urgent password reset and IT notification. |
| All Staff, Contractors | Lock Devices When Unattended | Lock computers, phones and tablets whenever they are left unattended. | Device Use, Physical Security | Daily | Require manual locking and automatic screen lock after a short inactivity period. |
| All Staff, Contractors | Use Approved Devices Only | Access company systems only from authorised, managed or expressly approved devices. | Device Use, Remote Working | Daily | Define whether personal devices are prohibited or allowed only under BYOD controls. |
| All Staff, IT Staff, Contractors | Install Security Updates Promptly | Allow approved updates and restarts so devices remain protected against known vulnerabilities. | Device Use | As Required | Require users not to disable updates and to restart devices when prompted by IT. |
| All Staff, IT Staff, Contractors | Do Not Disable Security Tools | Do not disable antivirus, endpoint protection, firewall, monitoring or device management tools. | Device Use | Daily | Make disabling security controls a disciplinary matter unless authorised for support purposes. |
| All Staff, Contractors | Avoid Unauthorised Software | Install or use only software, apps, extensions and AI tools approved for business use. | Device Use, Data Handling | As Required | Require prior approval for new tools, browser extensions and cloud services handling work data. |
| All Staff, IT Staff, Contractors | Control Removable Media | Use USB drives, external disks and memory cards only where approved and encrypted. | Device Use, Data Handling | As Required | Ban unapproved removable media and require encryption for any authorised portable storage. |
| All Staff, Contractors | Report Lost Or Stolen Devices | Report lost or stolen laptops, phones, access cards or storage media immediately. | Device Use, Incident Reporting, Physical Security | As Required | Require immediate reporting to IT and the line manager, including out-of-hours contact details. |
| All Staff, Contractors | Check For Phishing Indicators | Check unexpected emails, links, attachments and requests before acting. | Email and Messaging | Daily | Tell users to pause, verify the sender and report suspicious messages without clicking links. |
| All Staff, Contractors | Report Suspicious Messages | Report suspicious emails, texts, calls, QR codes or collaboration messages using the approved route. | Email and Messaging, Incident Reporting | As Required | Provide a report button or mailbox and allow staff to forward scams to report@phishing.gov.uk where appropriate. |
| All Staff, Contractors | Handle Attachments Safely | Open attachments only when expected, business-related and from a trusted source. | Email and Messaging, Device Use | Daily | Require users to verify unexpected attachments and never enable macros unless expressly approved. |
| All Staff, HR Staff, Finance Staff | Verify Sensitive Email Recipients | Check recipients, attachments and addresses before sending personal, confidential or financial information. | Email and Messaging, Data Handling | Daily | Require double-checking for external recipients and extra checks for bulk or special category data. |
| Finance Staff, Managers, Senior Leadership | Verify Payment Change Requests | Confirm bank detail or payment instruction changes through a trusted independent channel. | Email and Messaging, Data Handling | As Required | Require call-back verification using known contact details, not details in the request message. |
| All Staff, Contractors | Use Approved Messaging Channels | Discuss work matters and share files only through approved email and messaging platforms. | Email and Messaging, Data Handling | Daily | List approved channels and restrict use of personal messaging apps for business information. |
| All Staff, Managers, Contractors | Classify Information Correctly | Apply the correct information classification before storing, sharing or disposing of data. | Data Handling | Daily | Define classification levels and link each level to handling, storage and sharing controls. |
| All Staff, HR Staff, Managers, Contractors | Handle Personal Data Lawfully | Use personal data only for authorised business purposes and in line with privacy notices. | Data Handling | Daily | Refer to UK GDPR principles of lawfulness, fairness, transparency, purpose limitation and security. |
| All Staff, HR Staff, Finance Staff, Managers | Minimise Personal Data Use | Collect, access and share only the personal data needed for the task. | Data Handling | Daily | Require staff to avoid unnecessary copies, downloads, exports and excessive recipient lists. |
| HR Staff, Managers, All Staff | Protect Special Category Data | Apply extra care to health, biometric, racial, trade union, sexual orientation and similar sensitive data. | Data Handling | As Required | Require restricted access, approved storage and DPO or privacy lead consultation where uncertain. |
| All Staff, Contractors, HR Staff, Finance Staff | Share Confidential Information Securely | Use approved secure transfer methods for confidential, personal, commercial or regulated data. | Data Handling, Email and Messaging | As Required | Specify approved encryption, portals, access links and expiry controls for secure sharing. |
| All Staff, Contractors, Managers | Access Data On A Need-To-Know Basis | Access systems and files only when needed for authorised work duties. | Data Handling, Password Security | Daily | Prohibit browsing colleague, customer or payroll records without a business reason. |
| All Staff, HR Staff, Finance Staff, Managers | Keep Personal Data Accurate | Update or flag inaccurate personal data discovered during work activities. | Data Handling | As Required | Require staff to correct records or notify the data owner when inaccuracies are identified. |
| All Staff, HR Staff, Finance Staff, Managers | Follow Retention And Disposal Rules | Keep records only as long as required and dispose of them securely when due. | Data Handling, Physical Security | Periodic Review | Link to the retention schedule and require secure deletion or confidential shredding. |
| All Staff, Contractors | Maintain A Clear Desk | Keep papers, notebooks, access cards and portable media secure when not in use. | Physical Security, Data Handling | Daily | Require confidential material to be locked away when desks are unattended or offices close. |
| All Staff, HR Staff, Finance Staff | Use Secure Printing | Collect printed material promptly and use secure print release for confidential documents. | Data Handling, Physical Security | As Required | Require staff not to leave printouts, scans or copies unattended on shared devices. |
| All Staff, Contractors, Senior Leadership | Protect Work Information When Remote | Work where screens and calls cannot be easily seen or overheard by unauthorised people. | Remote Working, Physical Security, Data Handling | Daily | Require privacy screens or discretion in public places and secure storage at home. |
| All Staff, Contractors, IT Staff | Use Secure Network Connections | Use approved VPN, secure Wi-Fi and company guidance when accessing systems remotely. | Remote Working, Device Use | Daily | Specify VPN requirements and prohibit insecure public Wi-Fi unless protected by approved controls. |
| All Staff, Contractors | Secure Home Wi-Fi For Work | Use strong Wi-Fi passwords and follow company guidance for home network security. | Remote Working, Password Security | Periodic Review | Advise changing default router passwords and keeping home router firmware updated where possible. |
| All Staff, Senior Leadership, Contractors | Avoid Sensitive Work In Public Places | Do not handle highly confidential or sensitive data where it may be observed or overheard. | Remote Working, Physical Security, Data Handling | As Required | Restrict sensitive calls, board papers, payroll data and client files in cafés, trains and shared spaces. |
| All Staff, Contractors, Managers | Report Security Incidents Immediately | Report suspected cyber incidents, data breaches, malware, fraud or unauthorised access without delay. | Incident Reporting | As Required | Define examples, contacts, out-of-hours escalation and a requirement not to investigate alone. |
| All Staff, Managers, HR Staff, IT Staff | Escalate Personal Data Breaches | Escalate any accidental or unlawful loss, disclosure, alteration or access to personal data immediately. | Incident Reporting, Data Handling | As Required | Refer to the ICO 72-hour notification window and require immediate internal escalation. |
| All Staff, IT Staff, Managers | Preserve Incident Evidence | Do not delete suspicious emails, logs, files or devices unless instructed by IT or incident leads. | Incident Reporting, Device Use | As Required | Tell staff to disconnect only if instructed and to preserve messages, screenshots and timestamps. |
| Managers | Escalate Team Security Concerns | Managers must escalate team-reported security concerns and ensure staff know reporting routes. | Incident Reporting | As Required | Make managers responsible for prompt escalation, not for filtering out uncertain reports. |
| All Staff, Contractors | Wear And Protect Access Badges | Use assigned access badges properly and report lost, stolen or borrowed badges immediately. | Physical Security, Incident Reporting | Daily | Prohibit badge sharing and require lost passes to be disabled without delay. |
| All Staff, Contractors, Managers | Challenge Or Report Unauthorised Visitors | Follow visitor procedures and report tailgating or unknown people in restricted areas. | Physical Security, Incident Reporting | Daily | Require visitors to be signed in, escorted where needed and visibly identified. |
| All Staff, Contractors | Complete Security Induction | Complete required cybersecurity and data protection induction before accessing key systems. | Password Security, Email and Messaging, Data Handling, Incident Reporting | On Joining | Require completion of induction and acceptance of the Information Security Policy on joining. |
| All Staff, Contractors, Managers | Complete Security Refresher Training | Complete periodic training on phishing, data handling, passwords and incident reporting. | Password Security, Email and Messaging, Data Handling, Incident Reporting | Periodic Review | Set training frequency and require completion records for employees and relevant contractors. |
| Managers, HR Staff, IT Staff | Review Access When Roles Change | Ensure system access is changed, reduced or removed when job duties change. | Password Security, Data Handling | As Required | Require HR and managers to notify IT of movers before or on the effective date. |
| Managers, HR Staff, IT Staff, Contractors | Remove Access For Leavers | Disable accounts, recover assets and remove access when employment or engagement ends. | Password Security, Device Use, Data Handling, Physical Security | When Leaving | Specify same-day account disabling, asset return, pass return and mailbox or data handover steps. |
| All Staff, Contractors | Return Company Assets | Return laptops, phones, tokens, access cards, documents and storage media when requested or leaving. | Device Use, Physical Security, Data Handling | When Leaving | Require all information assets to be returned before final day or contract end where possible. |
| IT Staff | Use Privileged Access Carefully | Use administrator rights only when needed and only through approved privileged accounts. | Password Security, Device Use, Data Handling | Daily | Require separate admin accounts, MFA, logging and no routine use of admin rights for email or browsing. |
| IT Staff | Maintain Patch Management | Identify, test and deploy security patches for systems, applications and devices in a timely way. | Device Use | Periodic Review | Set patching priorities for critical vulnerabilities and define exceptions and risk acceptance. |
| IT Staff, Managers, Senior Leadership | Maintain Secure Backups | Ensure important business data is backed up securely and restoration is tested. | Data Handling, Incident Reporting | Periodic Review | Require defined backup scope, frequency, encryption, access control and restore testing. |
| IT Staff | Monitor Security Logs | Monitor relevant logs and alerts for unusual access, malware, data loss or policy breaches. | Incident Reporting, Device Use, Data Handling | Daily | State monitoring must be proportionate, authorised and aligned with employee privacy notices. |
| IT Staff | Apply Secure Configuration | Configure systems to remove unnecessary services, default passwords and insecure settings. | Device Use, Password Security | Periodic Review | Require baselines for laptops, servers, cloud services, network devices and SaaS platforms. |
| All Staff, Contractors, Managers | Store Work Data In Approved Locations | Store work files only in approved systems, drives, repositories and cloud services. | Data Handling, Remote Working | Daily | Prohibit saving work data to personal cloud accounts, personal email or unmanaged devices. |
| All Staff, Contractors, Managers | Do Not Enter Sensitive Data Into Unapproved AI Tools | Do not submit personal, confidential or client data to AI tools unless approved for that use. | Data Handling, Email and Messaging | As Required | Name approved AI services and require privacy, security and confidentiality checks before use. |
| All Staff, Contractors, Senior Leadership | Keep Confidentiality After Leaving | Continue to protect company, client, employee and supplier information after employment or contract ends. | Data Handling | When Leaving | Cross-refer to employment contracts, NDAs and post-termination confidentiality obligations. |
| Senior Leadership | Set Security Risk Appetite | Define acceptable cyber risk, approve priorities and ensure security receives suitable resources. | Incident Reporting, Data Handling, Device Use | Periodic Review | State that senior leadership owns cyber risk governance and reviews major risks and incidents. |
| Senior Leadership, Managers, IT Staff | Support Major Incident Response | Participate in major cyber incident decisions, communications and recovery priorities when required. | Incident Reporting | As Required | Define decision rights for shutdowns, customer notices, regulator contact and external advisers. |
| Managers, IT Staff, Contractors | Control Contractor Access | Grant contractors only the access needed and remove it when the engagement ends. | Password Security, Data Handling, Remote Working | As Required | Require sponsor ownership, time-limited accounts and contract terms covering security duties. |
| HR Staff, Managers | Notify IT Of Starters, Movers And Leavers | Provide timely, accurate HR notifications so access can be created, changed or removed. | Password Security, Device Use, Physical Security | On Joining, As Required, When Leaving | Set notice periods and mandatory fields for access requests and leaver notifications. |
| Finance Staff, HR Staff | Protect Payroll And Bank Data | Restrict, verify and securely transmit payroll, salary, pension and bank account information. | Data Handling, Email and Messaging | Daily | Require restricted access, secure transfer, recipient checks and independent verification of bank changes. |
| All Staff, Contractors, Senior Leadership | Do Not Use Personal Email For Work Data | Do not send, store or forward work information using personal email accounts. | Email and Messaging, Data Handling, Remote Working | Daily | Ban auto-forwarding to personal accounts and require approved access methods for remote work. |
| All Staff, Finance Staff, HR Staff, IT Staff | Verify Unusual Phone Requests | Verify callers requesting information, access, password resets, payments or urgent actions. | Email and Messaging, Incident Reporting, Data Handling | As Required | Require call-back using known contact details and prohibit disclosing credentials or MFA codes. |
| All Staff, Contractors | Never Share MFA Codes | Do not share one-time codes, authenticator approvals or recovery codes with anyone. | Password Security, Incident Reporting | Daily | State that IT will never ask for MFA codes and unexpected prompts must be reported. |
| All Staff, IT Staff, Contractors | Keep Portable Devices Encrypted | Use only encrypted laptops, phones and storage media for company or personal data. | Device Use, Data Handling | Daily | Require IT-managed encryption and prohibit storing sensitive data on unencrypted media. |
| All Staff, Managers, IT Staff, HR Staff, Finance Staff | Maintain Appropriate Security For Personal Data | Apply appropriate technical and organisational measures when handling personal data. | Data Handling, Device Use, Password Security, Incident Reporting | Daily | Use this as the overarching personal data security duty linked to UK GDPR Article 32. |
| All Staff, Contractors, IT Staff | Do Not Access Systems Without Authorisation | Do not attempt to access systems, accounts or data without proper authority. | Password Security, Device Use, Data Handling | Daily | Warn that unauthorised access may breach policy and the Computer Misuse Act 1990. |
| All Staff, Contractors, Senior Leadership | Acknowledge Security Policies | Read, understand and confirm acceptance of the organisation's cybersecurity rules. | Password Security, Device Use, Email and Messaging, Data Handling, Remote Working, Incident Reporting, Physical Security | On Joining, Periodic Review | Require signed or electronic acknowledgement on joining and whenever material changes are issued. |

What Employee Cybersecurity Responsibilities Should A UK Information Security Policy Cover?

A UK-focused Information Security Policy should turn legal and regulatory expectations into specific employee behaviours: secure passwords and MFA, careful email use, lawful data handling, prompt incident reporting, safe remote working, and secure leaver processes. The responsibilities in the register above are drafted so they can be allocated to clear workforce groups rather than left as broad IT obligations.

Why Is Incident Reporting Especially Important In The UK?

Employees should be required to report suspected phishing, lost devices, unauthorised access, misdirected emails and personal data incidents immediately. This supports the UK GDPR obligation to assess and, where necessary, notify the ICO within 72 hours of becoming aware of a personal data breach. Internal reporting routes should therefore be simple, well publicised and available to contractors as well as staff.

Which Responsibilities Need Role-Specific Wording?

  • Managers should enforce access control, remote working rules, onboarding and leaver duties within their teams.
  • IT Staff should have explicit duties for privileged access, patching, backups, monitoring and secure configuration.
  • HR Staff should protect recruitment, employee and absence data, and should trigger timely access changes when roles change or employment ends.
  • Finance Staff should verify payment changes, treat invoice fraud as a security risk and protect payroll and banking information.
  • Senior Leadership should approve risk appetite, resource security controls and lead by example on training and incident response.

How Should These Duties Be Used In A Cybersecurity Policy?

Use concise mandatory wording such as must, must not and is responsible for. Link each duty to a named owner, a reporting route and a frequency. Where personal data is involved, align the policy with ICO guidance on security, breach reporting and accountability under the UK GDPR and Data Protection Act 2018.


FAQs

An Employee Cybersecurity Responsibilities Register records the specific information security duties assigned to employees, roles, or teams within a UK organisation.
