Insight: Information Security Policies for Growing Businesses: A Practical Two-Layer Framework

The short version

Most growing businesses with 20 to 75 staff either have an information security policy nobody reads, or no real policy at all. The most effective approach is to separate your policy framework into two layers — a robust internal foundation, and simple, practical guidance for your team. This article explains how the two-layer model works, why it satisfies Cyber Essentials requirements, and how to put it in place without creating a bureaucratic headache.

Why most business policies don't work

Most businesses with 20 to 75 staff fall into one of two traps.

Either they have a single dense document that covers everything — written for compliance, filed away, and never opened again. Or they have lightweight staff guidance that reads well but leaves the business genuinely exposed underneath.

Neither works. In our experience supporting London SMBs through Cyber Essentials and ongoing managed IT, there is a better way for CFOs, COOs, and business leaders who want to mature their operations without creating a bureaucratic headache.

The two-layer information security policy model

The most practical and sustainable approach for SMBs is to structure your information security policies in two distinct layers — each with a clear purpose.

Layer 1 — Your internal policy framework

This is the foundation of your security posture. It's comprehensive, structured, and aligned to recognised standards including Cyber Essentials. It covers access control and identity management, device and endpoint security, patch management, backup and recovery, incident response, acceptable use, and data protection.

This layer is not designed for daily reading. It exists to ensure the business is properly protected, risks are documented and managed, and compliance requirements are met. In most environments this takes the form of a core controls document — sometimes called a Cyber Essentials controls policy — that brings together your key technical and administrative safeguards.

This is the layer that actually protects the business.

Layer 2 — Staff-facing guidance

This is what your team interacts with day to day. It's short, readable, and focused on behaviour rather than technical detail — covering things like password practices, data handling, phishing awareness, incident reporting, and working from home.

The goal isn't to replicate the full policy set. It's to communicate expectations clearly, encourage good habits, and support a culture of awareness. This is where simplicity matters most.

Why separate the two?

When businesses try to combine everything into a single document, the result is almost always a compromise — either too complex for staff to engage with, or too thin to genuinely protect the business.

Separating the layers solves this. Layer 1 ensures completeness. Layer 2 ensures usability. Together, they provide both coverage and clarity.

From our work — a recent example

A 45-person professional services firm in central London came to us six weeks before a Cyber Essentials renewal with a 38-page "security policy" nobody on the team had read. We replaced it with a two-layer model: a Cyber Essentials controls document for the leadership and audit file, and a six-page staff handbook covering passwords, phishing, data handling, and home working.

Outcome: certification renewed first time, leadership had a single defensible document for client due-diligence questionnaires, and the staff handbook acknowledgement rate hit 100% within two weeks. Total advisory time: under 12 hours over four weeks.

How to implement the two-layer model in practice

If you're reviewing your current policies, the practical sequence is straightforward:

  1. Start with your staff guidance. Keep it short, clear, and relevant. Add a brief note explaining it sits alongside more detailed internal policies.
  2. Introduce a formal policy framework. This can live in your document repository — it doesn't need to be circulated to all staff, but it needs to exist and be current.
  3. Ensure the two are aligned. Staff guidance should reflect the intent of your formal policies, without attempting to replicate them.

As your policy set develops, you'll also want to consider a Bring Your Own Device (BYOD) policy for contractors or staff using personal devices, and a Home Working policy covering remote access and home network security. These don't need to be heavy-handed — but they set clear expectations and create a record of acknowledgement.

The role of a Cyber Essentials audit

For many businesses, a Cyber Essentials audit or review is the natural moment to get this right. There's genuine buy-in at that point — leadership is engaged, the conversation is already happening, and the motivation is there. It's often the most productive time to build or refresh the full policy framework alongside the technical controls.

How Ratcliff IT approaches this

This is something we work on regularly with clients — typically at CFO, COO, or senior leadership level. A typical engagement looks like this: a two-hour policy review with your leadership team, a draft framework delivered within five working days, one round of revision based on your feedback, and a final pack ready for your audit file or Cyber Essentials assessor. We use plain language throughout, align everything to the standards your business is working toward, and write the staff-facing layer so your team will actually read it.

For our managed service clients, this kind of advisory support is part of standard business planning — reviewing policies, flagging gaps, and helping leadership stay on top of what's in place and why, with policy reviews scheduled annually and after any material business change (new office, headcount step-change, regulatory shift).

Frequently asked questions

Do I need a separate Cyber Essentials policy?

Cyber Essentials doesn't require a separately named "Cyber Essentials policy", but it does require evidence that you have controls in place across five technical areas: firewalls, secure configuration, user access control, malware protection, and patch management. A single core controls document covering these five areas is the cleanest way to satisfy the assessor and keep the policy set manageable.

How often should we review our information security policies?

Annually as a baseline, plus a review trigger after any material change — a new office, a step-change in headcount, a new regulatory obligation, or a significant incident. For SMBs the annual review is best timed to align with Cyber Essentials renewal so the work is done once.

Does a 30-person business really need a BYOD policy?

If anyone in the business uses a personal device to access company email, files, or systems — including the leadership team — yes. The policy doesn't need to be heavy. It needs to set clear expectations on what can and cannot be done on personal devices, what happens if a device is lost, and what the business is allowed to do to protect its data. Two pages is usually enough.

Who should own information security policy in an SMB?

In businesses of 20 to 75 staff, ownership typically sits with the COO, the CFO, or the senior leadership team collectively, with input from your IT provider. Trying to assign it to a part-time IT lead alone tends to produce documents that read as technical specifications rather than business policy. The strongest model is leadership-owned, IT-informed.

What's the minimum viable policy set for a Cyber Essentials submission?

A core controls document covering the five Cyber Essentials technical areas, an acceptable use policy for staff, an incident response procedure (even a one-pager), and — if applicable — a BYOD policy and a home working policy. This is the leanest defensible set. Most businesses we work with end up with this as their Layer 1.

Final thoughts

Information security policies don't need to be complicated to be effective. A robust internal framework, paired with clear and practical guidance for staff, is the most sustainable model for businesses at this stage of growth.

If your team-facing policies are clear and useful, that's a strong starting point. The key question is whether there's a complete layer behind them that fully protects the business — and in many cases, that's exactly where the gap is.

If your policies are due a review — or you're heading into a Cyber Essentials renewal and want to get the policy layer right alongside the technical controls — book a 30-minute call directly with our founder, James Ratcliff. We'll look at what you have, identify the gaps, and tell you whether the next step is a full advisory engagement, a quick fix, or no action at all.
