The short version: Most businesses with 20 to 75 staff either have security policies nobody reads, or no real policies at all. The most effective approach is to separate your policy framework into two layers - a robust internal foundation, and simple, practical guidance for your team. This piece explains how that works and how to get there.
Why Most Business Policies Don't Work
Most businesses with 20 to 75 staff fall into one of two traps.
Either they have a single dense document that covers everything - written for compliance, filed away, and never opened again. Or they have lightweight staff guidance that reads well but leaves the business genuinely exposed underneath.
Neither works. And for CFOs, COOs, and business leaders trying to mature their operations without creating a bureaucratic headache, there's a better way.
The Two-Layer Model
The most practical and sustainable approach is to structure your information security policies in two distinct layers - each with a clear purpose.
Layer 1 - Your Internal Policy Framework
This is the foundation of your security posture. It's comprehensive, structured, and aligned to recognised standards such as Cyber Essentials, whose five control themes are firewalls, secure configuration, user access control, malware protection, and security update management. A complete framework goes beyond those five: it covers access control and identity management, device and endpoint security, patch management, backup and recovery, incident response, acceptable use, and data protection.
This layer is not designed for daily reading. It exists to ensure the business is properly protected, risks are documented and managed, and compliance requirements are met. In most environments this takes the form of a core controls document - sometimes called a Cyber Essentials controls policy - that brings together your key technical and administrative safeguards.
This is the layer that actually protects the business - provided the controls it describes are implemented and periodically verified, not just written down.
Layer 2 - Staff-Facing Guidance
This is what your team interacts with day to day. It's short, readable, and focused on behaviour rather than technical detail - covering things like password and multi-factor authentication practices, data handling, phishing awareness, how and when to report an incident, and working from home.
The goal isn't to replicate the full policy set. It's to communicate expectations clearly, encourage good habits, and support a culture of awareness. This is where simplicity matters most.
Why Separate the Two?
When businesses try to combine everything into a single document, the result is almost always a compromise - either too complex for staff to engage with, or too thin to genuinely protect the business.
Separating the layers solves this. Layer 1 ensures completeness. Layer 2 ensures usability. Together, they provide both coverage and clarity.
How to Implement This in Practice
If you're reviewing your current policies, a straightforward approach is:
As your policy set develops, you'll also want to consider a Bring Your Own Device (BYOD) policy for contractors or staff using personal devices, and a Home Working policy covering remote access and home network security. These don't need to be heavy-handed - but they set clear expectations and create a record of acknowledgement.
The Role of a Cyber Essentials Audit
For many businesses, a Cyber Essentials self-assessment (or the Cyber Essentials Plus technical audit) is the natural moment to get this right. There's genuine buy-in at that point - leadership is engaged, the conversation is already happening, and the motivation is there. It's often the most productive time to build or refresh the full policy framework alongside the technical controls, so that what the policies say matches what the assessment checks.
How Ratcliff IT Approaches This
This is something we work on regularly with clients - typically at CFO, COO, or senior leadership level. Maturing an organisation's information security posture doesn't need to be overwhelming. We take a practical, measured approach: helping businesses create and adapt policies, explaining what they mean in plain language, and building this into the wider governance picture over time.
For our managed service clients, this kind of advisory support is part of standard business planning - reviewing policies, flagging gaps, and helping leadership stay on top of what's in place and why.
If you'd like to understand where your current policies sit and what a sensible next step looks like, we're happy to talk.
Final Thoughts
Information security policies don't need to be complicated to be effective. A robust internal framework, paired with clear and practical guidance for staff, is the most sustainable model for businesses at this stage of growth.
If your team-facing policies are clear and useful, that's a strong starting point. The key question is whether there's a complete layer behind them that fully protects the business - and in many cases, that's exactly where the gap is.