Starting Your Cybersecurity Journey | Defining Your Organisational Cybersecurity Policy

July 14, 2025

If you’re running a business in Australia, the SMB1001 certification is a practical step towards strengthening your cybersecurity posture. It’s not just about technology; it’s about your people, policies, processes, and your tech all working together to keep your information safe.

Over the upcoming months, we’ll be sharing several blogs that will break down in plain English what the SMB1001 certification involves and explain how each part helps protect your business. Today, we begin by defining your organisational cybersecurity policy.

What is a Cybersecurity Policy and Why Does it Matter?

Think of a cybersecurity policy as your company’s rulebook for staying safe online. It should clearly state your company’s position on cybersecurity, the rules everyone must follow, and who is responsible for what. You can approach this in one of two ways:

1. A Standalone Comprehensive Policy

This type of policy covers everything in one document. According to guidance from the National Institute of Standards and Technology (NIST) and the Australian Cyber Security Centre (ACSC), it should include:

  • Roles and Responsibilities | Define who is in charge of cybersecurity, who manages access, and who handles incident response.
  • Acceptable Use | Outline what’s appropriate when using company devices, internet, email, and systems.
  • Access Control | Specify who has access to what data, and how that access is granted, reviewed, and revoked.
  • Password and Authentication Requirements | Describe how passwords should be created, stored, and updated, and strongly encourage the use of multi-factor authentication.
  • Incident Reporting | Provide a clear process for how employees should report suspicious emails, lost devices, or data breaches.
  • Training and Awareness | Ensure staff are kept informed about current threats like phishing and social engineering.

2. A High-Level Policy with Supporting Documents

If your business already has specific policies for passwords, access control, acceptable use, and incident response, your organisational cybersecurity policy can simply reference these. In this case, the document should still outline your company’s overall stance on cybersecurity, define leadership commitment, and explain how your team is expected to follow related policies.

The key is clarity. Whether you opt for an all-in-one policy or a master policy that links out to detailed ones, it should be understandable, easy to share, and tailored to how your business actually works.

This policy doesn’t have to be long or complex. Even a one-page document that’s easy to understand is a great starting point. The most important thing is that it reflects your business’s needs and is shared with your staff.

Having a clear cybersecurity policy is the first building block in becoming SMB1001 certified and, more importantly, in bringing cybersecurity into the mindset of your organisation, so that it becomes part of everyday business rather than a once-off project.

Need Help Mapping Out Your Cybersecurity Policy?

If you’re unsure where to begin or just want a friendly chat about what a good policy might look like for your business, we’re here to help. Complete the enquiry form on our contact page or reach out directly on 1300 662 779.
