Ask an expert: how often should our IT policies be reviewed and updated?


Your IT policies are not like rotisserie ovens; you can’t just ‘set and forget’ them. But how often should you review and update them? Here’s our recommendation.

Ring in the bells and review your IT policies

In general, we recommend reviewing all your IT policies at least annually. It can be your new ‘New Year’s’ tradition.

Now, for example, is a good time to review your policies around data management and IT security. Why? Because the General Data Protection Regulation (GDPR) comes into full effect in May. Your business must comply with GDPR requirements by 25th May 2018, or face penalties. One requirement is to inform customers of a data breach within 72 hours of its discovery – do your policies reflect this? If not, it’s time for an update.


If you don’t adapt to the changing IT security landscape, you can quickly find your policies are inadequate. Reviewing and updating each year will help ensure you’re aligned with current best practices and compliance standards.


Other times you should review your policies

As stated, we recommend reviewing your IT policies at least annually. But that doesn’t mean that there aren’t other circumstances which may warrant a review.

Here are a few situations which may require you to review, and potentially update, your IT policies:

  • Opening an overseas office. Different countries have different regulations and standards, particularly around things like data security. You must make sure all offices comply with the laws and regulations of their region.
  • Implementing BYOD. If you allow your employees to use their own smartphones or tablets for work, you must update your IT security policy and spell out the measures you’re taking to protect business data.
  • Hiring remote workers. Remote working is great, but it often makes heavy use of cloud-based services. Your IT policies must acknowledge and address this.
  • Sudden business growth. When your business experiences rapid growth, employee numbers usually rise, and so does the risk of human error, like an employee clicking a malicious link in an email. Update your policies and make sure everyone reads them.
  • New laws and regulations. When the law changes, like with the GDPR this year, you must adapt.
  • Employee misunderstanding. If you notice that your employees are not following your policies, you need to find out why. It can be as simple as the way a policy is written; it could be confusing or hard to understand. Make sure your policies are written clearly and in plain language, so that they make sense to everyone – not just people who are highly tech literate.

Whenever your business (or your business needs) changes, you need to ensure your IT policies keep up. This can be difficult, so it helps to ask yourself the following questions while reviewing:

  • Does the policy accurately reflect the way the company currently conducts business?
  • Does the policy adequately deal with the issues it’s intended to address?
  • Do any new policies need to be created to address new business requirements?
  • Do any policies need to be removed as the business requirements are no longer applicable?

New year, new policies

We’re not saying you need to revolutionise your IT policies every single year, or with every little change to the business that may happen along the way. Rather, we encourage you to take a breath, take stock, and ensure that everything is fully up to date. Because if it’s not, your business isn’t just left behind. It’s at risk.
