When we talk about cyber security, most people’s minds jump straight to the technical stuff: firewalls, backups, multi-factor authentication.
But here’s the thing: even the strongest technical controls are only as good as the policies behind them.
In our recent webinar with Matt Carney, Senior Information Governance Consultant at Evolve North, we took a closer look at policy hygiene – why it matters, what “good” looks like, and how organisations can keep policies alive and relevant rather than letting them gather dust in a SharePoint folder.
Why policies are your company’s rulebook
Think of policies as your organisation’s law. They set the rules, expectations, and behaviours that everyone should follow. They’re the “how we do things here” manual, and they remove excuses like “I didn’t know I wasn’t supposed to.”
Good policies don’t just exist for auditors or regulators. Done properly, they:
- Reduce the likelihood of human error by giving people clear, repeatable steps
- Align teams so everyone’s working to the same expectations
- Improve readiness and speed up incident response
- Support smoother audits, tenders, and client relationships
What makes a good policy?
A well-written policy is:
- Clear: plain language, no legal jargon
- Practical: designed to guide everyday behaviour
- Accessible: easy to find and easy to understand
- Living: regularly updated to reflect new threats, technologies, and ways of working
We’ve seen plenty of organisations fall into the trap of writing policies that look like they belong in a courtroom. The problem? Nobody reads them. Or worse, people read them but don’t understand them. A good policy should feel more like guidance than terms and conditions.
Keep them current (and realistic)
One of the biggest risks we see is a policy set frozen in time: last reviewed during the GDPR rush in 2018 and never touched since. The world has moved on: remote working, ransomware, AI, supply chain risk. If your policies don’t reflect the way you actually work today, they’re not protecting you.
Version control, revision dates, and clear notes on what changed and why are all part of good hygiene. So is staggering reviews across the year rather than leaving everything to pile up in one annual scramble. And remember: if circumstances change (for example, your business no longer has an office), update the affected policies right away rather than waiting for the next scheduled review.
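As an added illustration of the hygiene checks above (this is example code written for this article, not a tool from the webinar or from Evolve North), the script below keeps a simple policy register, flags policies whose last review is older than a chosen interval, spreads the next round of reviews evenly across the coming months so they don’t all land at once, and bumps the version with a change note when a review is recorded. The register contents, the 12-month review interval, and the policy names are constructed assumptions, not real data.

```python
from datetime import date, timedelta

# Constructed sample register (assumed data, not a real organisation's policies).
POLICIES = [
    {"name": "Information Security Policy", "version": "3.1", "owner": "CISO",
     "last_reviewed": date(2018, 5, 14), "changes": []},
    {"name": "Acceptable Use Policy", "version": "2.0", "owner": "IT",
     "last_reviewed": date(2024, 2, 1), "changes": []},
    {"name": "Remote Working Policy", "version": "1.0", "owner": "HR",
     "last_reviewed": date(2021, 9, 30), "changes": []},
    {"name": "Incident Response Policy", "version": "4.2", "owner": "CISO",
     "last_reviewed": date(2025, 1, 10), "changes": []},
    {"name": "Supplier Security Policy", "version": "1.3", "owner": "Procurement",
     "last_reviewed": date(2019, 11, 5), "changes": []},
    {"name": "Data Protection Policy", "version": "5.0", "owner": "DPO",
     "last_reviewed": date(2025, 6, 20), "changes": []},
]

# Assumed review interval: anything older than this is flagged as stale.
REVIEW_INTERVAL = timedelta(days=365)


def overdue_policies(policies, today, interval=REVIEW_INTERVAL):
    """Return the policies (in register order) whose last review is older than the interval."""
    return [p for p in policies if today - p["last_reviewed"] > interval]


def add_months(d, n):
    """First day of the month n months after d (used for scheduling, so the day is dropped)."""
    month_index = d.month - 1 + n
    return date(d.year + month_index // 12, month_index % 12 + 1, 1)


def stagger_reviews(policies, start, months=12):
    """Spread review dates evenly over `months` months, oldest review first.

    Returns a mapping of policy name -> scheduled review month (first of the month).
    """
    ordered = sorted(policies, key=lambda p: p["last_reviewed"])
    schedule = {}
    for i, policy in enumerate(ordered):
        # Integer division keeps the slots evenly spaced even when the count
        # of policies doesn't divide the number of months.
        offset = (i * months) // len(ordered)
        schedule[policy["name"]] = add_months(start, offset)
    return schedule


def record_review(policy, reviewed_on, note):
    """Return a copy of the policy with a minor version bump, new review date and change note."""
    major, minor = policy["version"].split(".")
    updated = dict(policy)
    updated["version"] = f"{major}.{int(minor) + 1}"
    updated["last_reviewed"] = reviewed_on
    updated["changes"] = policy["changes"] + [(reviewed_on, updated["version"], note)]
    return updated


if __name__ == "__main__":
    today = date(2025, 9, 1)  # assumed "now" for the worked example
    for p in overdue_policies(POLICIES, today):
        age_days = (today - p["last_reviewed"]).days
        print(f"STALE: {p['name']} v{p['version']} ({p['owner']}), last reviewed {age_days} days ago")

    print("\nProposed review calendar:")
    for name, when in stagger_reviews(POLICIES, date(2025, 10, 1)).items():
        print(f"  {when:%b %Y}: {name}")

    revised = record_review(POLICIES[2], today, "Removed office-based clauses; business is now fully remote")
    print(f"\n{revised['name']} is now v{revised['version']}; change log: {revised['changes']}")
```

Running it flags four of the six sample policies as stale and lays the six reviews out two months apart from October 2025, so no single month carries the whole burden. In practice the register would be loaded from wherever the policies live (a SharePoint list, a spreadsheet export) rather than hard-coded, and the change log is the "clear notes on changes" that auditors will ask for.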
Culture, not just compliance
Perhaps the most important point: policies are there to shape culture, not just tick boxes. They should give staff the confidence to make good decisions and understand why something matters, not just tell them “because the rules say so.”
When policies are written in plain English, regularly refreshed, and actually used in onboarding and training, they become part of the fabric of your organisation. That’s when they really start reducing risk.
Where to start
If your policies haven’t been reviewed since the GDPR days (or if you don’t know where to start at all), don’t panic. Policy hygiene doesn’t have to be overwhelming:
- Start small. Even updating one or two key policies is progress
- Consolidate where you can. Fewer, clearer policies are usually better
- Use plain language and provide context. Explain the “why,” not just the “what”
- Build reviews into your rhythm so they become routine
At Evolve North, we help organisations refine, consolidate, and modernise their policies, and yes, we’ll even wrestle with the dreaded Microsoft Word formatting for you.
Policies aren’t dusty rulebooks; they’re the backbone of your cyber hygiene and governance culture. When they’re clear, current, and communicated well, they reduce risk, improve resilience, and make life easier for everyone.
If your policies could do with a fresh look, or you’re ready to make them a meaningful part of your culture, we’d be happy to help. Contact us on 01748 905 002 or info@evolvenorth.com to get started.
