Australians most often ask whether a small business really needs a written policy, whether a privacy policy already covers it, and what the document must contain without becoming unusable bureaucracy. A high-demand question missing from the fixed 10 is whether a customer, insurer or tender will accept a short internal policy or expects alignment to a named framework such as the Essential Eight, SMB1001 or ISO/IEC 27001.
What is a security policy, and does my business actually need one?
A security policy is the business's approved rulebook for protecting its systems, information, devices and people. It identifies what must be protected, the main threats, the rules staff and suppliers must follow, who can make decisions and what happens when something goes wrong. No single Australian law requires every private business to keep a document with this exact title, but government guidance recommends one particularly where staff use business systems or information. A short policy is worthwhile when it turns security expectations into clear, repeatable decisions rather than leaving each person to improvise.
- sole trader with no staff — A concise owner-controlled policy can still record account, device, backup, supplier and incident rules, even if employee sections are not relevant.
- business with employees or contractors — The policy becomes more important because it establishes common rules for information sharing, acceptable use, reporting and access.
- customer, insurer or tender requirement — The requesting party may require a named framework, a particular policy set, approval evidence or a maturity target beyond a basic internal policy.
- Privacy Act-covered entity — The security policy should support APP 11's technical and organisational security measures and the Notifiable Data Breaches process.
Before drafting anything, tell us what assets, information, people and suppliers are in scope; which laws, contracts, insurance conditions and frameworks apply; who will own and approve the policy; and what operational evidence will prove each rule is working.
Is a security policy the same as a privacy policy?
No. A privacy policy is an outward-facing statement explaining how a covered organisation collects, uses, stores, discloses and otherwise handles personal information. A security policy is usually an internal governance document covering how the business protects a broader set of assets, including personal information, confidential business data, systems, devices, accounts, premises and services. A Privacy Act-covered entity generally needs an up-to-date privacy policy and must also take reasonable technical and organisational security measures under APP 11. Publishing a privacy policy does not, by itself, prove that effective security controls exist.
- annual turnover over A$3m — The organisation is generally covered by the Privacy Act and must have a privacy policy, subject to the Act's detailed coverage rules.
- A$3m or less but within a Privacy Act exception — Some smaller entities are still covered, including certain health service providers, credit-related businesses and businesses trading in personal information.
- business outside federal Privacy Act coverage — A privacy policy may still be required by state or territory law, contract, platform terms or customer expectations, while a security policy remains useful for broader risk control.
- security assurance request — A customer or auditor will normally expect operating controls and evidence, not merely a public privacy notice.
Show us separately: the public privacy policy explaining how personal information is handled; the internal security policy defining protection rules and responsibilities; and the controls and evidence that demonstrate APP 11 or other security duties are actually being met.
What's the difference between a policy, a standard and a procedure?
A policy states the rule, purpose, scope, ownership and required outcome: what the business expects and why. A standard turns that direction into mandatory, testable requirements, such as approved MFA methods, patch windows or minimum backup settings. A procedure gives the step-by-step instructions for carrying out a task, while a plan coordinates people and actions for a particular event such as a cyber incident or outage. Keep these layers linked: the policy should not be overloaded with technical steps that change every month, and a procedure should not quietly create new business rules that nobody approved.
- microbusiness — One controlled document can contain clearly labelled policy, minimum standards and short procedures, provided the layers and approval authority remain distinguishable.
- growing or multi-team business — Separate documents are easier to own, update and train against as systems and responsibilities become more complex.
- audited or contract-bound organisation — Auditors commonly need traceability from obligation to policy, standard, procedure, configuration and evidence.
For every document, label it as policy, standard, procedure or plan; identify its owner and approver; state which higher-level requirement it supports; and show the evidence that its requirements are operating.
What should a basic security policy contain?
A basic policy should define its purpose, scope, protected assets, key threats, roles, approval authority and the rules that apply to staff, contractors and suppliers. At minimum it should address accounts and access, passphrases and MFA, email and messaging, devices and software, data handling and retention, acceptable use, remote work, suppliers, backups, incident reporting, exceptions, training, compliance and review. Put detailed settings and step-by-step tasks in linked standards and procedures so the core policy stays readable. The document should reflect the business's real systems and work practices, including new technologies, rather than being a generic template nobody can apply.
- sole trader or very small team — A concise policy can combine related topics, but it still needs named ownership, practical rules, an incident contact and a review date.
- business with contractors, BYOD or remote work — Include ownership, approved devices, remote access, data separation, offboarding and monitoring expectations.
- cloud-heavy business — Cover identity, SaaS approval, data location, provider access, logs, backups, exports and exit arrangements.
- sensitive or regulated information — Add classification, restricted access, retention, destruction, incident escalation and legal notification requirements.
Give us a one-page contents map showing each proposed section, the risk it addresses, the person who owns it, the linked standard or procedure, and how staff will find the rule when they need it.
What does Australian law actually require?
Australian law generally regulates outcomes and conduct rather than requiring every business to own a document called a security policy. For Privacy Act-covered entities, APP 11 requires reasonable technical and organisational measures to protect personal information and to destroy or de-identify it when no longer needed, subject to retention exceptions. Covered entities must also maintain a privacy policy under APP 1 and follow the Notifiable Data Breaches scheme when an eligible breach is likely to cause serious harm. Other duties can arise from sector laws, employment and surveillance rules, state or territory privacy regimes, contracts, insurance and professional obligations, so a policy must not claim authority that the law does not give it.
- annual turnover over A$3m — The organisation is generally within the federal Privacy Act, with detailed coverage and exemption rules still requiring confirmation.
- small business within a Privacy Act exception — Turnover below A$3m does not remove coverage for all businesses; some health, credit and personal-information trading activities are included.
- state or territory public sector, health or surveillance context — Separate state and territory laws may apply in addition to or instead of the federal private-sector rules.
- contract, insurer or professional requirement — The document may become contractually enforceable even where its exact title is not prescribed by statute.
Identify every law, regulator, contract and insurance condition that applies to our business, cite the exact requirement each policy clause supports, and flag any clause that is only a business choice rather than a legal obligation.
Who owns it, approves it and makes sure it is followed?
The business owns the policy and the risk; an external IT provider, lawyer or template supplier can help but should not become the unaccountable policy owner. A senior owner or executive should approve the policy, a named operational owner should maintain it, and each rule should have someone responsible for implementation and evidence. Small businesses may combine roles, but they still need a backup decision-maker and clear authority for access changes, emergency containment and exceptions. The owner must balance security with legal, operational and customer needs rather than allowing a provider to ban or change tools without an agreed decision process.
- sole trader — The proprietor may own and approve the policy but should still identify technical, legal and incident contacts.
- company with management team — A senior executive should be accountable, with named owners for technology, privacy, people, suppliers and incident response.
- outsourced IT or MSP — The provider performs agreed tasks and supplies evidence; the business retains legal, customer, financial and risk decisions.
- government or ISM-aligned organisation — ASD assigns organisational documentation approval to the CISO and system-specific documentation to the authorising officer.
Name the accountable executive, document owner, control owners, approver and backup for this policy, and show which decisions remain with our business rather than being delegated to the IT provider.
How does a security policy actually get used by the team?
A usable policy gives staff a small number of clear decisions: what they may use, what they must protect, what they must never do, and where to report uncertainty or an incident. It should be introduced during onboarding, reinforced with role-specific examples, available in the normal place of work and supported by short procedures and reporting channels. Staff acknowledgement can prove distribution, but it does not prove understanding or compliance. Managers should model the rules, remove barriers that encourage workarounds and use exercises, spot checks and incident lessons to keep the policy real.
- all workers — Teach the few rules and reporting actions relevant to everyone, using examples from the actual workplace.
- privileged, finance, HR or customer-data roles — Provide additional role-specific standards, procedures, simulations and access reviews.
- contractors and suppliers — Include policy obligations in onboarding and contracts, and provide a practical incident and exception contact.
- remote or distributed team — Make the policy, procedures and emergency contacts available even if the main systems or office are unavailable.
Show us how each worker will receive the policy, what role-specific training they will complete, how understanding will be tested, where exceptions and incidents are reported, and what evidence will show the process works beyond a signed acknowledgement.
What evidence proves the policy is real, and how often should it be reviewed?
A real policy has more than a file name: it has an owner, approval record, version, scope, current date, communication record and links to operating standards and procedures. Evidence may include system configurations, access reviews, patch and backup reports, restoration tests, training results, supplier clauses, incident records, exception approvals and corrective actions. Business.gov.au says to update the policy for new threats and system changes, while the ISM uses at least annual review as a government and large-organisation baseline. Review it sooner after an incident, audit finding, major technology or supplier change, business restructure, legal change or evidence that staff cannot apply it.
- small private business — Annual review is a sensible baseline rather than a universal statutory interval; also update whenever the business or its risks materially change.
- ISM-aligned organisation — Cyber security documentation is reviewed at least annually and includes a current-as-at date.
- contract or insurance requirement — The customer or insurer may prescribe shorter review, testing, attestation or evidence-retention periods.
- after an incident or failed control — Run an off-cycle review, record lessons and track corrective actions to closure.
Provide the signed approval, version history, current-as-at date, distribution record and evidence register for this policy, then state the annual review date and every event that triggers an earlier review.
What does it cost and how long does it take?
There is no official fixed price or timeframe for producing and implementing a security policy. A small, well-understood business can draft a useful first version quickly, but discovery, legal mapping, consultation, technical remediation, training and evidence usually take longer than writing the document. Separate the cost of the policy itself from the cost of implementing the controls it promises; a cheap template can create false assurance if the business cannot follow it. Australian businesses with 19 or fewer full-time-equivalent employees can access the free Small Business Cyber Resilience Service, and any business can start with the free anonymous Cyber Health Check Tool.
- sole trader or simple cloud-first business — A concise initial policy may require limited documentation effort, but account security, backups, devices and supplier risks still need implementation and testing.
- growing business with staff and several systems — Allow for interviews, asset discovery, role mapping, staff consultation, technical changes and onboarding materials.
- regulated, tendered or audited environment — Legal review, detailed standards, evidence collection, gap remediation and independent assessment can dominate both cost and duration.
- small business with 19 or fewer FTE employees — The Australian Government's Small Business Cyber Resilience Service is free and can provide a tailored improvement plan.
Break the proposal into discovery, legal and contractual mapping, policy drafting, linked standards and procedures, technical remediation, training, evidence collection and ongoing review; state the internal time, assumptions, exclusions and measurable deliverables for each part.
What's my next step?
Common misconceptions
- A security policy and a privacy policy are two names for the same document. VERIFIED
- A policy should contain every technical setting and step-by-step instruction, so separate standards and procedures are unnecessary. INFERRED
- A business with annual turnover below A$3 million never has Privacy Act obligations or a reason to maintain security rules. INFERRED
- Publishing a privacy policy proves that the business has taken the reasonable technical and organisational measures required by APP 11. INFERRED
- Buying a generic template makes the business secure and compliant without implementing or testing its controls. INFERRED
- The MSP or cloud provider owns all security and privacy risk once technology has been outsourced. VERIFIED
- A signed staff acknowledgement proves that employees understood and follow the policy. INFERRED
- Every Australian business is legally required to review its security policy exactly once a year. INFERRED
- A policy can override privacy, employment, surveillance or other legal rights merely because staff agreed to it. INFERRED
Obligations at a glance
The obligations most relevant to this guide, with the regulator, the trigger and the timeframe. Follow the source links in the appendix for the authoritative wording.
| OBLIGATION | REGULATOR | TRIGGER | TIMEFRAME | PENALTY |
|---|---|---|---|---|
| APP 1 privacy policy requirement | Office of the Australian Information Commissioner | An organisation or agency is covered by the Privacy Act 1988; coverage generally includes organisations with annual turnover over A$3 million and specified other organisations. | Maintain a clearly expressed and up-to-date privacy policy and update it when information-handling practices materially change. | Entities with a non-compliant privacy policy may face compliance or infringement notices and penalties of up to A$66,000, according to the OAIC's 9 December 2025 compliance sweep. |
| APP 11 security of personal information | Office of the Australian Information Commissioner | A Privacy Act-covered APP entity holds personal information, including information stored by a third party where the entity retains possession or control. | Ongoing reasonable technical and organisational protection; take reasonable steps to destroy or de-identify personal information once no longer needed, unless a stated legal or record exception applies. | |
| Notifiable Data Breaches scheme | Office of the Australian Information Commissioner | A Privacy Act-covered entity suspects an eligible data breach, or has reasonable grounds to believe that unauthorised access, disclosure or loss is likely to cause serious harm and remedial action has not removed that likelihood. | Take all reasonable steps to complete a suspected-breach assessment within 30 calendar days; once an eligible breach is reasonably believed to have occurred, notify affected individuals and the OAIC as soon as practicable. |
Sources
- Create a cyber security policy primary
- Cyber security checklist primary
- Small Business Cyber Resilience Service primary
- Small business hub primary
- Small business cyber security guide — January 2025 primary
- Guidelines for cyber security documentation primary
- ISM Cyber Security Terminology — March 2024 primary
- Annual Cyber Threat Report 2024–2025 primary
- What is a privacy policy? primary
- The Privacy Act primary
- Chapter 11: APP 11 Security of personal information primary
- Privacy compliance sweep to put privacy policies under the spotlight primary
- Part 4: Notifiable Data Breach scheme primary
- Part 3: Responding to data breaches — four key steps primary
- Can MSPs offer any value for Small Businesses? forum
- Cowboys? forum
- Quitting my job — how much am I required to hand over? forum
- Smart Glasses in the office? forum
- Sick Leave and Privacy forum
- What is the most inefficient, counterproductive, waste of resources bullshit your idiot boss has implemented? forum
- Complaince Training - Who are some of these aimed at lol. forum
- Glad that we discuss more real-world security in this sub forum
- Pricing Enquiry forum
This guide and its templates are a professionally drafted starting point, not legal advice. Your obligations depend on your industry, your contracts and your data. Have a qualified adviser review anything high stakes before you rely on it.