Free IT Security Policy Templates for UK Businesses: generate your core policies in minutes
Free IT security policy templates for UK businesses. Includes Acceptable Use Policy, Password Policy and supporting guidelines. Aligned to Cyber Essentials.
A pack of core IT policies: an Acceptable Use Policy and a Password and Authentication Policy, with an optional short Access Control Policy. They are drafted from your answers and ready for you to adapt, get signed off and adopt.
No. These are templates to adapt, not legal advice and not a certification. They reflect current NCSC guidance and Cyber Essentials user access control requirements, but you should review them against your own circumstances and take professional or legal advice where appropriate.
The password and authentication wording follows NCSC password guidance (for example three random words, no forced complexity, no routine expiry, multi-factor authentication, and password managers) and the user access control requirements of Cyber Essentials. Sources are named in the methodology note below.
Not on their own. Cyber Essentials certification requires you to implement and verify the controls across your IT, then be assessed by a certification body. This tool reflects Cyber Essentials v3.3 (in force April 2026) for password and MFA requirements. A written password policy aligned to the requirements is a sensible part of that, but it is one piece, not the certificate. Confirm the current IASME/NCSC requirements document before you rely on this for certification.
Because the NCSC advises against routine password expiry. When people are forced to change passwords regularly, they tend to make small, predictable changes that are easier, not harder, for attackers to guess. The stronger approach is unique passwords, a password manager, multi-factor authentication, and changing a password only when compromise is suspected.
Under Cyber Essentials v3.3 (in force April 2026), all user accounts need passwords of at least 12 characters. There is no maximum length. Multi-factor authentication is now required on cloud services where it is available, and its absence is an automatic certification failure. The NCSC also recommends building memorable passwords from three random words. Confirm the current IASME/NCSC requirements document before relying on this for certification.
Yes. Choose Charity or non-profit and the wording covers staff, volunteers and trustees. The underlying guidance is the same for charities, and UK survey data shows that only around a third of charities have a formal cyber security policy in place, so a clear starting template helps.
Yes, and you should. Copy the text into your own document, change anything that does not fit, add your logo, and route it for approval. The output is a first draft tailored to your answers, not a finished, ratified policy.
The policy is generated in your browser and shown on screen for you to copy. We capture the contact details you submit so we can send your pack and relevant guidance, handled in line with our privacy policy. We are an independent advisory and do not sell your data.
Get them reviewed and signed off by your leadership or board, tell your people about them, and check the technical settings actually match, for example that multi-factor authentication is genuinely enabled. If you want help turning written policy into working controls, that is where an independent review adds value.