How to Write a Usable Information Security Policy Without Legal Support

by Ann Conte, IT Technical Writer

Many small-to-medium MSPs have difficulty writing their information security policy, especially without the support of a legal team. Many IT technicians are put off by the legal complexity they assume comes with it.

An infosec policy doesn’t have to be too complex, though. It doesn’t need to be too long, formal, or legally airtight to provide value to an organization. When drafted well, it makes client onboarding much easier, sets clearer expectations for your employees, encourages internal accountability, and demonstrates operational maturity during audits and reviews.

Guide to creating an MSP infosec policy

📌 Prerequisites:

  • You must have administrator access to core client systems, such as AD, the backup tool, and documentation platforms.
  • You need the ability to export data from AV, backup, or patch tools.
  • You must have an existing security routine, even if it’s still informal.
  • You need a documentation platform, such as the NinjaOne Documentation tool.

Define your policy structure

Start with this 5-section template and build off it to suit your organization’s specific needs.

| Section | Description |
| --- | --- |
| Purpose | Define the purpose of the policy, which may vary depending on the organization. For example, it could be to outline rules to protect customer data or reduce security breaches. |
| Scope | To whom and what will this policy apply? List the systems, staff members, and environments it covers. |
| Roles and Responsibilities | When this policy takes effect, who will be in charge of what? Clearly define the leads’ responsibilities and the roles team members are expected to play. |
| Security Practices | Define the security practices associated with this policy. Use plain language that the average user will understand (e.g., “All laptops must use full-disk encryption”). |
| Review and Enforcement | Indicate how, and how often, policy compliance is checked. If amendments or modifications are needed, outline the process and timeline for those as well. |

Modify the template according to your needs. Add the necessary sections to fully define your MSP infosec policy.

You can also use SANS Policy Templates or other trusted templates to help you craft your policy.

Write using plain language

All employees must clearly understand the information security policy. Otherwise, it will not be effective: gaps appear when people do not understand what they are supposed to do.

Use clear and concise language and avoid unnecessary jargon and generic legal language. Use simple and specific language like the following examples:

  • “All company accounts must use MFA.”
  • “Patching for Microsoft devices must occur weekly.”
  • “Employees must report phishing emails within 24 hours.”

These statements are short, clear, and actionable. Employees will easily understand what is expected of them and what they should do.

You can also tie your policy directives to the tools they’re used with. For example:

  • “All backups must be verified weekly using the RMM script or the backup dashboard.”

Automate policy review tracking

Use a Windows PowerShell snippet to log and review timestamps. For example, the script below creates an audit log entry each time a user confirms they have reviewed the information security policy. It records the username and timestamp in a CSV file, providing traceable evidence of policy acknowledgement. To do that, follow these steps:

  1. Open Windows PowerShell as an administrator.
  2. Type this and press Enter:

```powershell
# Policy review log entry: append one row (policy, user, timestamp) to a CSV

# Create the log folder on first use
if (-not (Test-Path "C:\PolicyLogs")) {
    New-Item -Path "C:\PolicyLogs" -ItemType Directory -Force | Out-Null
}

# One acknowledgement record; the "s" format gives a sortable ISO 8601 timestamp
$meta = [pscustomobject]@{
    PolicyName = "InfoSec Policy"
    ReviewedBy = $env:USERNAME
    ReviewDate = (Get-Date).ToString("s")
}

# Append to the log without the "#TYPE" header line
$meta | Export-Csv -Path "C:\PolicyLogs\ReviewLog.csv" -Append -NoTypeInformation -Encoding UTF8
```

This will allow you to generate internal audit logs of the employees who reviewed and/or acknowledged the policy. Maintaining this CSV provides clear evidence of policy reviews. It can be used in audits, supports compliance with security standards, and demonstrates accountability by showing who acknowledged the policy and when.
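The snippet above only writes the log; reviewing it is the other half of the quarterly cycle. The script below is an added example, not part of the original post, that reads the same CSV and reports, for a list of users who are required to acknowledge the policy, whether each one's latest acknowledgement is current, expired against the review cadence, or missing altogether. The function name, the `RequiredUsers` list (assumed to come from an AD or HR export), the 90-day window and the constructed demo log are all assumptions for illustration.

```powershell
# Added example (not from the original post): summarise ReviewLog.csv and list who still
# needs to re-acknowledge the policy. Assumes the CSV columns written by the snippet above.
function Get-PolicyReviewStatus {
    param(
        [Parameter(Mandatory)] [string]   $LogPath,
        [Parameter(Mandatory)] [string[]] $RequiredUsers,   # assumption: exported from AD/HR
        [string]   $PolicyName = 'InfoSec Policy',
        [int]      $MaxAgeDays = 90,                        # quarterly review cadence
        [datetime] $AsOf = (Get-Date)
    )

    $rows = @()
    if (Test-Path $LogPath) {
        # Only rows for the policy being reviewed count as acknowledgements of it
        $rows = Import-Csv -Path $LogPath | Where-Object { $_.PolicyName -eq $PolicyName }
    }

    # Keep the most recent acknowledgement per user; ReviewDate is ISO 8601, so it parses unambiguously
    $latest = @{}
    foreach ($r in $rows) {
        $d = [datetime]::Parse($r.ReviewDate, [cultureinfo]::InvariantCulture)
        $u = $r.ReviewedBy.ToLowerInvariant()
        if (-not $latest.ContainsKey($u) -or $d -gt $latest[$u]) { $latest[$u] = $d }
    }

    # One status row per required user: Current, Expired, or Missing
    foreach ($user in $RequiredUsers) {
        $u = $user.ToLowerInvariant()
        if ($latest.ContainsKey($u)) {
            $age    = ($AsOf - $latest[$u]).Days
            $status = if ($age -le $MaxAgeDays) { 'Current' } else { 'Expired' }
            [pscustomobject]@{ User = $user; LastReview = $latest[$u]; AgeDays = $age;  Status = $status }
        } else {
            [pscustomobject]@{ User = $user; LastReview = $null;       AgeDays = $null; Status = 'Missing' }
        }
    }
}

# Demo on a constructed log in the temp folder: one user acknowledged recently, one long ago,
# and one only acknowledged a different policy.
$demoLog = Join-Path $env:TEMP 'ReviewLog-demo.csv'
@(
    [pscustomobject]@{ PolicyName = 'InfoSec Policy'; ReviewedBy = 'alice'; ReviewDate = '2025-01-10T09:12:00' }
    [pscustomobject]@{ PolicyName = 'InfoSec Policy'; ReviewedBy = 'alice'; ReviewDate = '2025-04-02T14:30:00' }
    [pscustomobject]@{ PolicyName = 'InfoSec Policy'; ReviewedBy = 'bob';   ReviewDate = '2024-11-20T08:00:00' }
    [pscustomobject]@{ PolicyName = 'Other Policy';   ReviewedBy = 'carol'; ReviewDate = '2025-04-01T10:00:00' }
) | Export-Csv -Path $demoLog -NoTypeInformation -Encoding UTF8

Get-PolicyReviewStatus -LogPath $demoLog -RequiredUsers 'alice', 'bob', 'carol' -AsOf ([datetime]'2025-04-15') |
    Format-Table -AutoSize
```

Point `-LogPath` at `C:\PolicyLogs\ReviewLog.csv` and drop `-AsOf` to run it against the real log. One caveat worth keeping in mind: a CSV that the acknowledging user can edit is weak audit evidence on its own, so if the log is meant to support audits, have the RMM collect it to a central location the user cannot modify, or write it to such a share in the first place.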

Train and embed the policy in daily workflows

The policy shouldn’t just exist on paper. It must be integrated into everyone’s daily workflows. Here are a few ways you can do that:

  • Include the policy in client onboarding checklists.
  • Use it in backup validation, patch audits, and AV reviews.
  • Train all new hires to follow the policy using a concise summary deck or equivalent training material.
  • Use quarterly reviews to update the policy alongside systems and tools to keep it relevant to your workflows.

⚠️ Troubleshooting/Things to look out for

| Risk | Potential Consequence | Remedy |
| --- | --- | --- |
| Technicians aren’t reading the policy. | You will have security gaps that can lead to breaches in the future. | Keep the policy under four pages. Break it into sections and add visual examples to make it more engaging and easier to read. |
| The policy has become outdated, and ownership is unclear. | You won’t be able to edit and modify the policy according to your needs. | Set a quarterly reminder to assign a version owner for the policy. If the current version owner is leaving the organization, make sure ownership is handed over to the appropriate person. |
| Clients don’t follow the security policy. | You will have security gaps that can lead to breaches in the future. | Reference the policy in SLAs and onboarding docs. You can also offer periodic training to keep their knowledge up to date. |
| You don’t have enough data for reviews. | You won’t be able to perform reviews and fill the gaps in your current process. | Use timestamps, tickets, or PowerShell logs. |

NinjaOne Platform integration ideas for writing an infosec policy

NinjaOne has many different tools that can assist you when crafting and implementing your information security policy. Here are a few things you can do with our RMM tool:

  • Documentation sync: Store your InfoSec policy for each client in the NinjaOne Documentation tool.
  • Policy Compliance Scripts: Leverage NinjaOne’s scripting engine to run automated checks on endpoints (verify disk encryption, validate antivirus status, or confirm patch levels).
  • Enforce security requirements through NinjaOne policies: Ensure compliance by using policy-based automation and configuration enforcement.
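The compliance-script idea above maps directly onto the plain-language statements from earlier in the post. The script below is an added example, not NinjaOne’s own script, that checks an endpoint against three of them (full-disk encryption, antivirus status, weekly patching) and returns one pass/fail object per check so the result can be read by whatever RMM automation runs it. It assumes an elevated run on Windows 10/11 or Server with the BitLocker and Defender PowerShell modules present; the function names, the 7-day patch window and the 3-day signature-age threshold are assumptions, and how the result is written back to the RMM (custom field, ticket, or just the exit code) is left to the deployment.

```powershell
# Added example (not NinjaOne's own script): local checks against three plain-language
# policy statements. Assumes elevated PowerShell with the BitLocker and Defender modules.

function Test-PolicyItem {
    # Helper: run one check and never let a missing module abort the whole audit
    param([string] $Name, [scriptblock] $Check)
    try {
        $r = & $Check
        [pscustomobject]@{ Check = $Name; Pass = [bool] $r.Pass; Detail = $r.Detail }
    } catch {
        [pscustomobject]@{ Check = $Name; Pass = $false; Detail = "Check failed to run: $($_.Exception.Message)" }
    }
}

function Get-PolicyComplianceReport {
    param([int] $MaxPatchAgeDays = 7, [int] $MaxSignatureAgeDays = 3)   # assumed thresholds

    # "All laptops must use full-disk encryption": OS volume fully encrypted with protection on
    Test-PolicyItem -Name 'FullDiskEncryption' -Check {
        $v = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
        @{ Pass   = ($v.VolumeStatus -eq 'FullyEncrypted' -and $v.ProtectionStatus -eq 'On')
           Detail = "VolumeStatus=$($v.VolumeStatus); ProtectionStatus=$($v.ProtectionStatus)" }
    }

    # Antivirus status: Defender real-time protection on and signatures recent
    Test-PolicyItem -Name 'AntivirusStatus' -Check {
        $mp = Get-MpComputerStatus -ErrorAction Stop
        @{ Pass   = ($mp.RealTimeProtectionEnabled -and $mp.AntivirusSignatureAge -le $MaxSignatureAgeDays)
           Detail = "RealTime=$($mp.RealTimeProtectionEnabled); SignatureAgeDays=$($mp.AntivirusSignatureAge)" }
    }

    # "Patching for Microsoft devices must occur weekly": newest installed update is inside the window.
    # Get-HotFix only lists QFE-style updates, so this is a coarse signal rather than a full patch audit.
    Test-PolicyItem -Name 'PatchLevel' -Check {
        $last = Get-HotFix -ErrorAction Stop |
            Where-Object { $_.InstalledOn } |
            Sort-Object InstalledOn -Descending |
            Select-Object -First 1
        if (-not $last) { throw 'No update with an install date was found' }
        $age = ((Get-Date) - $last.InstalledOn).Days
        @{ Pass   = ($age -le $MaxPatchAgeDays)
           Detail = "$($last.HotFixID) installed $($last.InstalledOn.ToShortDateString()) ($age days ago)" }
    }
}

$report = Get-PolicyComplianceReport
$report | Format-Table -AutoSize

# A non-zero exit code lets the RMM treat the run as failed and alert on it
if ($report | Where-Object { -not $_.Pass }) { exit 1 }
```

Each check is wrapped so that a machine without the BitLocker module (for example, a Home edition) reports a failed check with the error text instead of silently passing or aborting the script. Keeping the thresholds as parameters means the script reads the same numbers the policy states, which is what makes it auditable against the policy rather than against someone’s memory of it.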

Improve your MSP infosec policy even without legal support

An information security policy doesn’t have to be too complex or crafted by a full legal team to be valuable to your organization. With the right structure, clarity, and platform integration, even MSPs without legal support can document their security policies to reduce internal confusion and demonstrate their operational maturity to their clients and other stakeholders.

A well-defined policy also has several key benefits. It makes audits and conversations about cyber insurance much easier and gives your team clear security accountability. There is also far less risk from ambiguous and undocumented practices.
