Most small businesses have zero formal security policies until a breach happens, a cyber insurance application asks for them, or an enterprise customer demands proof. By then, it's too late to write them from scratch. Here are the 10 policies you need, what each one covers, and why it matters more than you think.
Small businesses typically invest in security tools before they invest in security policy. Antivirus? Yes. Password manager? Maybe. A written, signed password policy that employees actually acknowledge? Almost never.
This is a problem, and not just a theoretical one. When cyber insurance underwriters deny a claim after a breach, it's rarely because the company lacked technology. It's because there was no documented policy, no evidence employees were trained, no written procedure that said "in the event of an incident, do this."
Policies are the paper trail that proves your security program is real. Without them, everything else is just hope.
The underwriter's question: "Do you have a documented incident response plan?" Most small businesses answer yes because they have a vague idea of what they'd do. Underwriters want a written document. These are not the same thing.
This is the most foundational document in any security program. It defines minimum password length, whether rotation is required (NIST says no, and we agree), MFA requirements by account type, and account lockout thresholds. Without this, your password rules exist only in someone's head.
A NIST SP 800-63B-aligned password policy eliminates outdated requirements (mandatory 90-day rotation) that actually make passwords weaker, and replaces them with requirements that work: length over complexity, passphrase support, MFA everywhere.
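What "length over complexity, passphrase support, no forced rotation" looks like when enforced at account creation, as an added example (not code from this post or from SecReadyNow); the 15/64-character thresholds, the blocklist and the company words are constructed assumptions standing in for a real breached-password corpus and your own names:

```python
"""Password acceptance check in the spirit of NIST SP 800-63B, as the policy
above describes: length over complexity, passphrases allowed, no rotation.
Added example, not code from the post or from SecReadyNow; thresholds,
blocklist and company words are constructed assumptions."""
import unicodedata

MIN_LENGTH = 15   # assumed minimum; length is the primary control
MAX_LENGTH = 64   # assumed maximum; must be large enough for passphrases

# Constructed stand-in for a breached/common-password corpus.
BLOCKLIST = {"password", "password123", "qwerty123456789", "letmein"}
# Constructed context-specific words (company and product names).
CONTEXT_WORDS = {"examplecorp", "secreadynow"}


def evaluate(password: str, username: str = "") -> list[str]:
    """Return the list of violations; an empty list means the password is accepted.

    Deliberately absent: composition rules (upper/lower/digit/symbol) and any
    expiry or rotation logic, both of which SP 800-63B advises against.
    """
    # NFKC so visually identical Unicode spellings compare equal.
    pw = unicodedata.normalize("NFKC", password)
    folded = pw.casefold()
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if folded in BLOCKLIST:
        problems.append("appears on the breached/common password blocklist")
    if any(word in folded for word in CONTEXT_WORDS):
        problems.append("contains a company-specific word")
    if username and username.casefold() in folded:
        problems.append("contains the username")
    if len(set(folded)) < 4:
        problems.append("repetitive: fewer than four distinct characters")
    return problems


if __name__ == "__main__":
    for pw in ("Tr0ub4dor&3", "qwerty123456789", "correct horse battery staple"):
        print(repr(pw), evaluate(pw) or "accepted")
```

Note that the short, symbol-heavy password fails on length alone while the plain four-word passphrase passes, which is the policy's point.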
Available at SecReadyNow → $19
This document tells employees what they can and can't do with company technology. If you don't have one, you have no enforceable standard, which means you have no basis for disciplinary action when someone does something they shouldn't.
A modern AUP in 2026 needs to cover more than "don't visit inappropriate websites." It needs to address AI tool use, BYOD, shadow IT, social media, email forwarding, and remote work expectations, because all of those are real attack vectors in today's environment.
Available at SecReadyNow → $19
When something goes wrong (ransomware, a phishing click, a lost laptop), what happens? Who calls whom? When do you call your cyber insurance carrier? When do you bring in outside help? If your answer is "we'd figure it out," that's not a plan.
An incident response policy defines severity levels, who's on the response team, the six phases of incident handling (preparation through lessons learned), and critically, when and how to notify your cyber insurer. Missing the insurer notification window is one of the most common reasons claims get complicated.
Available at SecReadyNow → $29
Most small businesses give new employees more access than they need, because it's easier. Every extra permission that doesn't get used is an attack surface waiting to be exploited. The principle of least privilege isn't just a compliance buzzword; it's the single most effective control for limiting breach impact.
An access control policy defines how access is requested, approved, provisioned, reviewed annually, and revoked within one business day of termination. That last part matters more than people realize: former employees with active credentials are a recurring cause of data breaches.
Available at SecReadyNow → $25
If any of your employees work from home, a coffee shop, a hotel, or anywhere outside the office, you need this policy. Home networks are not company networks. Public Wi-Fi is not encrypted. And a lost laptop in a coffee shop that isn't locked is a breach waiting to be discovered.
A remote work policy sets minimum expectations: WPA2/WPA3 home network requirement, mandatory VPN use for internal resources and public Wi-Fi, physical workspace requirements, and screen lock requirements. Small, specific, enforceable rules, not vague "be careful" guidance.
Available at SecReadyNow → $19
Technology doesn't stop phishing, people do. Or they don't. The difference is whether they've been trained. Cyber insurance applications increasingly ask whether you conduct security awareness training. "We send out occasional reminders" is not the same as a documented training program.
This policy defines new hire training timelines, annual refresher requirements, quarterly phishing simulations, and role-specific training for higher-risk roles like Finance and IT. It also gives you the documentation to prove training happened, which matters when you need to file a claim.
Available at SecReadyNow → $19
Most businesses back up their data. Far fewer back it up in a way that survives a ransomware attack. If your backups live on a network share that ransomware can reach, they're not backups; they're an extension of the attack surface.
A backup policy defines RTO and RPO targets by system tier, the 3-2-1 rule (3 copies, 2 different media types, 1 offsite), immutable backup requirements specifically for ransomware protection, and regular restore testing. The last point is what most organizations skip, and what determines whether your backups actually work when you need them.
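The policy elements just listed (3-2-1, an immutable copy, RPO by tier, restore testing) turned into a check you can run over a backup inventory, as an added example that is not code from this post or from SecReadyNow; the RPO targets, the 90-day restore-test interval and both inventories are constructed assumptions:

```python
"""3-2-1, immutability, RPO-by-tier and restore-test checks for a backup
inventory, as the policy above describes. Added example, not code from the
post or from SecReadyNow; all targets and inventory data are constructed."""
from datetime import datetime, timedelta, timezone

RPO_HOURS = {"tier1": 4, "tier2": 24, "tier3": 168}   # assumed RPO targets
RESTORE_TEST_MAX_AGE = timedelta(days=90)             # assumed test interval


def make_copy(location, media, offsite, immutable, last_backup):
    """One backup copy. 'immutable' means object lock, WORM or offline tape."""
    return {"location": location, "media": media, "offsite": offsite,
            "immutable": immutable, "last_backup": last_backup}


def check(tier, copies, last_restore_test, now):
    """Return policy findings for one system; an empty list means compliant."""
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies (3-2-1 needs 3)")
    if len({c["media"] for c in copies}) < 2:
        findings.append("all copies on one media type (3-2-1 needs 2)")
    if not any(c["offsite"] for c in copies):
        findings.append("no offsite copy (3-2-1 needs 1)")
    if not any(c["immutable"] for c in copies):
        findings.append("no immutable copy: ransomware can reach every backup")
    rpo = timedelta(hours=RPO_HOURS[tier])
    if not copies or now - max(c["last_backup"] for c in copies) > rpo:
        findings.append(f"newest backup older than the {tier} RPO of {rpo}")
    if last_restore_test is None or now - last_restore_test > RESTORE_TEST_MAX_AGE:
        findings.append("no restore test within the required interval")
    return findings


NOW = datetime(2026, 3, 1, 12, 0, tzinfo=timezone.utc)   # constructed clock
LAST_TEST = NOW - timedelta(days=30)                     # constructed test date

# Constructed inventory that satisfies the policy: disk + object storage +
# tape, two offsite, two immutable, tested 30 days ago.
FILESERVER = [
    make_copy("onsite-nas", "disk", False, False, NOW - timedelta(hours=6)),
    make_copy("cloud-bucket", "object-storage", True, True, NOW - timedelta(hours=8)),
    make_copy("vault-tape", "tape", True, True, NOW - timedelta(days=7)),
]
# The anti-pattern the paragraph warns about: one copy on a reachable share.
SHARE_ONLY = [make_copy("onsite-share", "disk", False, False, NOW - timedelta(hours=2))]

if __name__ == "__main__":
    print(check("tier2", FILESERVER, LAST_TEST, NOW))   # []
    for finding in check("tier1", SHARE_ONLY, None, NOW):
        print("-", finding)
```

The share-only system passes its RPO check (it was backed up two hours ago) and still fails every other element, which is exactly the "backups that don't survive ransomware" case.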
Available at SecReadyNow → $25
Third-party vendors are the leading cause of supply chain breaches. Your security is only as good as the weakest vendor who has access to your systems or data. If you're giving vendors access to your environment without a security review, a signed agreement, and a defined offboarding process, you're exposed in a way that's hard to quantify and easy to exploit.
A vendor management policy establishes risk tiers, due diligence requirements before onboarding, data processing agreement (DPA) requirements, and a vendor access register with quarterly reviews. It also gives you the framework to handle SaaS and AI tool procurement, two areas that most small businesses leave completely uncontrolled.
Available at SecReadyNow → $25
Keeping data you don't need is a liability. Deleting data too soon is a compliance violation and potential evidence tampering. Most small businesses have no formal retention policy, which means nobody is making consistent decisions about how long records are kept, or how they're destroyed.
A data retention policy defines how long different categories of data must be kept (tax records, personnel files, customer data, security logs), how to dispose of it securely when the time comes, and what a legal hold is and when to apply one. This is one of the quieter policies, until litigation or a regulatory inquiry makes it very loud.
Available at SecReadyNow → $19
Your employees are already using AI tools. The question isn't whether to govern it; it's whether you'll govern it before or after a data exposure incident. Consumer AI tools trained on user inputs, unreviewed AI-generated content in customer communications, AI vendors with unclear data retention practices: these are live risks in most small businesses right now.
An AI governance policy establishes an AI risk classification framework, defines prohibited uses (deepfakes, pasting credentials, using unapproved tools with company data), requires an AI inventory with assigned owners, and sets data minimization rules for what can be fed into AI systems. It's the executive framework; pair it with an AI Acceptable Use Policy for the employee-facing rules.
Available at SecReadyNow → $29
If you're starting from zero, don't try to write all ten at once. Prioritize by the question: "What would hurt us most if we had nothing written?"
For most small businesses, that order is: Password Policy and AUP first (foundational, fastest to deploy), then Incident Response (before you need it), then Access Control and Remote Work (operational risk), then the rest.
If you're applying for cyber insurance or responding to a customer security questionnaire right now, go to the Cyber Insurance Readiness Pack; it covers the five policies underwriters most commonly require documentation for.
One underappreciated truth: Policies don't have to be perfect to be valuable. A 10-page password policy that exists and that employees have signed is infinitely more defensible than a 50-page policy that lives on someone's hard drive and has never been distributed.
With a professional template, most policies take 30–60 minutes to customize: fill in your company name, review the placeholders, adjust any thresholds that don't fit your environment, and distribute. That's the advantage of starting with something that's already been written correctly.
Writing a policy from a blank document takes hours, requires security domain knowledge to get the details right, and typically produces something that won't survive an auditor's scrutiny. Templates close that gap for a fraction of the cost.
Password Policy, Acceptable Use Policy, Remote Work Policy, Security Awareness Policy, and Access Control Policy, bundled together.
Includes 5 editable .docx templates · Instant download
Security policies are the least glamorous part of a security program, and the part most small businesses skip. They're also what auditors ask for first, what underwriters require before paying claims, and what gives you legal and operational standing when something goes wrong.
You don't need all ten on day one. But you need a plan to get there, and the sooner you start, the better position you're in when the question stops being hypothetical.