IT risk management

IT risk management policy

IT policies and procedures explain why it is important to manage IT risks in business. You can have them as part of your risk management plans or business continuity strategy.

You should make them available to your staff and suppliers to help them understand:

  • the risks to your IT systems and data
  • procedures that are in place to mitigate them
  • processes for handling common tasks
  • how changes to IT systems are managed
  • ways to respond to IT or data security incidents
  • acceptable behaviours in relation to key IT issues, such as data protection and safe email use

You should develop a clear policy that takes account of common risks to your data. If you have yet to establish what the risks to your business are, see IT risk assessment.

What should an IT risk management policy contain?

It should, at the very least, specify security procedures and standards that will apply in your business, as well as any staff policies you wish to enforce.

IT security procedures
Technical controls, such as systems that limit access to sensitive data or installation of software, are an important part of most IT security systems. You will need policies and procedures to ensure that these controls are effective. See more on common cyber security measures and read about cyber security for business.

IT security standards
Standards are important when developing a secure IT environment. For example, agreed standards for the procurement of PCs, servers and firewalls will help to provide consistency. Find out more about ISO 27001 IT security management standard.

IT staff policies
You will also need policies to manage activities that could pose security threats. Consider putting in place an internet usage policy and an email usage policy to protect your systems. You can find examples of these documents in sample IT policies, disclaimers and notices.