An insurer asks for your acceptable use policy. A new client wants to see your incident response plan before signing the contract. Your accountant flags during the year-end audit that there is no documented joiner-mover-leaver process. Each of these moments is the same moment for most UK SMEs: someone outside the business has just asked for an IT policy that nobody inside the business has written. That’s why having an IT policy checklist UK can be essential for organisations to stay prepared.

An IT policy checklist for UK SMEs in 2026 is not a stack of forty-page templates. A short set of current, clearly named policies answers the questions that auditors, insurers and clients now ask. The list has grown since 2024 because Cyber Essentials v3.3, the Cyber Security and Resilience Bill, and rising cyber insurance scrutiny have all pushed new items into the bar.

Below, you’ll find the twelve policies that most UK SMEs are missing in 2026, why auditors, insurers and clients ask for them, and the best order to write them if you’re starting from scratch.

The 12 essential IT policies for UK SMEs in 2026

These are the policies a competent auditor, insurer or procurement team will expect to see in 2026. Each one fits on a single page or two for a 20-to-150-person business.

PolicyWhat it coversMost often asked about by
Acceptable useWhat staff can and cannot do with company devices, accounts and dataAuditors, HR
Password and authenticationLength, rotation, MFA, password managerCyber Essentials assessor
Joiner-mover-leaverAccount creation, role-change permissions, leaver offboardingAuditors, clients
BYODPersonal devices accessing work data, app protection, leaver wipeCyber Essentials, insurers
Remote and hybrid workHome setup, secure Wi-Fi, conditional access expectationsInsurers
Incident responseWho notifies who, in what timeframe, with what evidenceInsurers, regulators
Data protection (GDPR)Lawful basis, retention, subject access, breach reportingICO, clients
Backup and recoveryWhat is backed up, how often tested, who can restoreInsurers, auditors
Patch managementCadence, exceptions, end-of-life systemsCyber Essentials
Third-party and supplierWhat you ask of your suppliers, how often you reviewProcurement, CSRB cascade
AI useWho can use what, on what data, with what guardrailsBoards, regulated clients
Asset managementInventory of devices, software, accounts, with ownersAuditors, leaver process

If the business is missing more than three of these, it will fail a serious procurement questionnaire today and lose deals it could otherwise win.

Why auditors care about policies specifically

Auditors and insurers do not test policies because they enjoy paperwork. They test policies because the existence of a current, named, dated policy is the cleanest evidence that the business has thought about the risk before the incident. A written policy shows that you have a documented process, know when you last reviewed it and take governance seriously, rather than simply saying, “We hadn’t got round to that.”

Insurance loss-adjusters in particular will ask, after an incident, was the policy in place at the time? The answer to that question often decides whether a claim is paid in full, paid in part, or refused.

According to the UK Cyber Security Breaches Survey 2025/26, 43% of UK businesses experienced a cyber breach or attack in the last year. The businesses recovering well from those incidents are not always the ones with the most sophisticated technology. They are the ones who could produce, within an hour, the policy that was supposed to be governing the failed control.

The three policies most often missing in 2026

In practice the same three policies are absent across the SMEs we audit.

AI use policy. Most UK SMEs have rolled out Copilot or another AI tool without writing the policy that says who can use it, on what data, with what guardrails. The policy is short, but its absence is becoming a procurement red flag.

Supplier and third-party policy. The Cyber Security and Resilience Bill is pushing supplier assurance downstream. Regulated clients are now asking SME suppliers what they ask of their own suppliers. Most SMEs do not have a written answer.

Incident response policy. Insurers will not pay claims cleanly if there is no documented incident response plan. Our cyber incident response plan template covers the structure most SMEs need.

Where to start if you have none

Writing all twelve policies in one sitting is the fastest way to write all twelve policies badly. A sensible sequence for a UK SME starting from zero:

  1. Acceptable use policy first. Touches every employee, easiest to draft, sets the tone for the rest.
  2. Joiner-mover-leaver process second. Closes the highest-risk operational gap (departing staff with active access).
  3. Incident response plan third. Required by insurers, asked by regulated clients, valuable in practice.
  4. AI use policy fourth. The fastest-growing procurement question in 2026.
  5. Everything else in the order auditors or insurers raise it. Most SMEs do not need to write the remaining seven in advance of being asked.

Two to four working sessions of two hours, with the business owner and the IT supplier in the room, will produce drafts of all four. Drafts beat templates because the policy reflects how the business operates.

How often to review them

Annually, with a quarterly check-in for anything that changed during the year. The review takes thirty minutes per policy if the policy is short and current. Most SMEs schedule reviews against the cyber insurance renewal date because that is when the policies get asked about anyway.

A second look at your policies before the next audit

If a client, insurer or auditor is about to ask which policies you have in place, the answer is easier to draft now than to manufacture in the week of the question.

If your next audit is Cyber Essentials or a cyber insurance renewal and you want a second pair of eyes on the Microsoft 365 setup that underpins these policies, connect with our team