Free Cyber Security Policy Template UK: generate a board-ready policy in minutes
Free UK cyber security policy template. Covers acceptable use, access controls, incident response and remote working. Aligned to Cyber Essentials.
It is a strong, structured starting point built around the NCSC 10 Steps, Cyber Essentials and ISO 27001, but it is not certification and not legal advice. A policy is only effective if it reflects what you actually do, is approved by your board and kept current. Have it reviewed by someone accountable for security before you adopt it.
No. Cyber Essentials is a UK government-backed certification delivered through IASME and assessed against five technical controls. A policy is one input. This template helps you describe your approach and shows where you would need evidence of practice to certify.
They are the National Cyber Security Centre's guidance for organisations: risk management, engagement and training, asset management, architecture and configuration, vulnerability management, identity and access management, data security, logging and monitoring, incident management, and supply chain security. This template is structured around them.
Firewalls, secure configuration, user access control, malware protection and security update management. They are the minimum technical baseline the UK government recommends for organisations of all sizes. The policy references them where you are working towards the scheme.
ISO/IEC 27001 is a full information security management standard you can be certified against. It requires a top-management-approved information security policy (Clause 5.2 and Annex A 5.1), which is what this generates, but it also requires risk assessment, controls and the evidence that a certification audit examines. This is the policy artefact, not the whole management system.
Yes, and most do not have one: only around a third of UK businesses (36%) and charities (35%) have a formal cyber security policy (DSIT, 2025). A clear, current policy is the baseline that makes everything else, from training to incident response, possible.
A cyber security policy covers how you protect systems and information. If you process personal data, the UK GDPR Article 32 also requires appropriate security measures. This template cross-references that duty but does not replace a data protection policy. Use our data protection policy template for that.
At least annually, and after any major incident or significant change. The template sets a review date for you. A policy that is not reviewed stops reflecting reality and becomes a liability rather than a control.
UK mid-market organisations, charities and non-profits, and public bodies that need a clear, current cyber security policy without paying for a bespoke one to start with. It is written in plain business language for boards, trustees and leaders, not just specialists.
No. Starkhorn is an independent technology consultancy. We do not provide certification, insurance or security tooling, and we take no commission. We help boards and leaders govern technology and security. This tool is free and exists to give you a credible starting artefact and show where a proper review would pay back.