How to Create a Security Policy for Your SME
A security policy is your foundation for cybersecurity. It tells everyone what's allowed, what's not, and what happens when things go wrong. Here's how to create one that actually works - without hiring consultants or writing a 100-page document.
Why You Need a Security Policy
A security policy isn't just bureaucracy. It's essential because:
- NIS2 requirement: you need documented policies for compliance
- Clear expectations: employees know what's expected of them
- Incident response: everyone knows what to do when something goes wrong
- Legal protection: documented policies protect you in disputes
- Insurance claims: many cyber insurance policies require documented security practices
- Customer trust: clients increasingly ask about your security practices
The 5 Core Policies Every SME Needs
Start with these five policies. You can add more later, but these cover 90% of daily security decisions:
1. Acceptable Use Policy
Defines what employees can and cannot do with company IT resources
- What's allowed on company devices
- Personal use of company resources
- Prohibited activities (illegal downloads, crypto mining, etc.)
- Social media guidelines
- Consequences of violations
2. Password & Authentication Policy
Sets standards for creating and managing passwords
- Minimum password requirements
- MFA requirements (which systems, which methods)
- Password sharing rules (never!)
- Password manager recommendations
- Handling of shared accounts
3. Data Handling Policy
Explains how to handle different types of company data
- Data classification (public, internal, confidential)
- How to store each type of data
- How to share data internally and externally
- Personal data handling (GDPR)
- Data retention and deletion
4. Incident Response Policy
Tells employees what to do when something goes wrong
- What counts as a security incident
- Who to contact first
- What information to provide
- What NOT to do (don't shut down, don't investigate alone)
- Communication guidelines
5. Remote Work Policy
Sets security rules for working from home or on the road
- Approved devices and networks
- VPN requirements
- Physical security (screen locks, no shoulder surfing)
- Video call security
- Handling sensitive data remotely
How to Write Effective Policies
Good policies are read, understood, and followed. Here's how to write them:
- Keep it short: if a policy is more than 2 pages, split it. Nobody reads long documents.
- Use plain language: write for regular employees, not IT professionals. Avoid jargon.
- Be specific: "Use strong passwords" is vague. "Use at least 12 characters" is clear.
- Explain the why: people follow rules they understand. Explain the reason behind each requirement.
- Include examples: show what good behavior looks like. Examples are memorable.
- State consequences: be clear about what happens when policies are violated.
Policy Template Structure
Use this structure for each policy:
1. Purpose: why does this policy exist? (1-2 sentences)
2. Scope: who does this apply to? Which systems? (1-2 sentences)
3. Policy: the actual rules (bullet points work best)
4. Responsibilities: who is responsible for what?
5. Exceptions: how to request an exception (always have a process)
6. Review: when will this policy be reviewed? (typically annually)
7. Contact: who to contact with questions
Implementing Your Policies
Creating policies is only half the battle. Implementation is what matters:
- Leadership must visibly support and follow the policies
- Announce policies in team meetings, not just by email
- Short training sessions (15-30 min) are more effective than long ones
- Make every policy one click away, on the intranet or a shared drive
- Quick quizzes help reinforce key points
- Policies that aren't enforced are worse than no policies
Common Mistakes to Avoid
- Copying policies from the internet without adapting them. Fix: customize templates to match your actual practices and culture.
- Writing policies nobody can follow. Fix: test policies with real employees before rolling them out.
- Forgetting to update policies after changes. Fix: set calendar reminders for the annual review and after major changes.
- No exception process. Fix: people will work around inflexible rules, so have a formal exception process.
- Overly technical language. Fix: have a non-IT person review each policy for clarity.
CyberFundamentals Policy Requirements
CyberFundamentals requires these documented policies:
- Information security policy (your overall security policy)
- Acceptable use policy
- Access control policy
- Data classification policy
- Incident response procedures
- Business continuity plan
- Supplier security requirements
Get Policy Templates That Work
Easy Cyber Protection includes ready-to-use policy templates customized for Belgian SMEs. Each template maps to CyberFundamentals requirements and uses plain language employees actually understand.
Frequently Asked Questions
How long should a security policy be?
Individual policies should be 1-2 pages maximum. If longer, split into multiple policies. Your complete policy set might be 20-30 pages total, but no single document should require extensive reading.
Do I need a lawyer to write security policies?
Not for most SME policies. Use templates, customize for your situation, and have policies reviewed during your annual legal check-up. Only complex situations (international operations, highly regulated industries) typically need dedicated legal review.
How often should policies be reviewed?
Annually at minimum, plus after any significant change (new systems, new way of working, security incident, regulatory change). Set calendar reminders so reviews don't slip.
What if employees don't follow the policies?
First, ensure policies are reasonable and well-communicated. If employees consistently can't follow a policy, the policy may need adjustment. For willful violations, follow your documented consequences consistently.
Should policies be translated for non-Dutch speakers?
Yes, employees must understand policies to follow them. For multilingual workplaces in Belgium, provide policies in the languages your employees work in (Dutch, French, English as needed).