Business Security Planning

IT and online security are vital for organisations of any size. The consequences of neglecting them include business interruption, poor legal compliance, lost revenue, a compromised reputation or, at worst, business failure. You therefore need to take a systematic approach to security, and the first step is to compile and implement an effective business security plan.

Writing and implementing a security plan does not have to be a daunting task. A good plan today is better than a perfect plan tomorrow, and it can always be updated and refined later.

The planning cycle

There are five steps to creating a good security plan:

  • Audit

Review your own skills and knowledge. Determine if you need outside help. Identify assets and information that need to be protected, including hardware, software, documentation and data. Review the threats and risks. Make a prioritised list of items to protect.

  • Plan

Write procedures for preventing, detecting and responding to security threats. Provide a framework for enforcing compliance, including staff policies. Identify who will be responsible for implementing and monitoring the plan. Agree a timetable for implementation.

  • Execute

Communicate with staff. Train where necessary. Carry out the plan.

  • Monitor

Research new threats as you become aware of them. Subscribe to security bulletins. Update and modify the plan as changes occur in personnel, hardware or software. Carry out ongoing maintenance such as backups and anti-virus updates.

  • Repeat

Plan for a complete review and update six to twelve months after you complete the first plan or when your business goes through significant changes.

What to include

An effective security plan will include the following considerations. For smaller businesses, some may not be relevant or appropriate:

  • Management buy-in and commitment
  • External parties (customers, suppliers, partners, stakeholders)
  • Establish information security policy
  • Information risk management
  • Responsibility for information assets
  • Information classification (internal, public domain, confidential)
  • New employee vetting
  • Non-disclosure agreements
  • Awareness and training
  • Secure areas and access control
  • IT equipment security
  • Operational procedures and responsibilities
  • New IT systems and upgrades
  • Malware protection
  • Backups
  • Employees’ own devices
  • Exchange of information (including third parties)
  • Electronic and mobile commerce
  • User monitoring
  • Access management
  • User responsibilities (including employment contracts)
  • Mobile and remote working
  • Network security management
  • Network encryption
  • Correct processing in applications to ensure data integrity
  • Security within development and support
  • Vulnerability management
  • Reporting issues and weaknesses
  • Incident management and escalation
  • IT security aspects of business continuity management
  • Compliance with legal requirements (including the Data Protection Act)
  • Compliance with payment card industry standards
  • Compliance with specific industry requirements (such as financial services, medical)

Jargon Buster

A glossary of terms used in this article:

Any product flaw, administrative process or act, or physical exposure that makes a computer susceptible to attack by a malicious user.