Does a small business need a written password policy?

Yes, for two reasons: Cyber Essentials certification requires evidence that you have implemented the five technical controls, and a written policy is part of demonstrating this. More practically, a written policy sets clear expectations for staff, reduces inconsistency, and provides a baseline for incident response — if an employee is found to have violated it, you have documented evidence of what was required.

How long should a small business password policy be?

One to two pages is appropriate for most SMEs. A policy that requires a law degree to read will not be followed. Focus on what staff must do (use the company password manager, enable MFA on all company accounts, change credentials on a security concern) rather than technical implementation details. Separate technical implementation guidance for IT staff can be more detailed.

What should a password policy prohibit explicitly?

A good password policy explicitly prohibits: writing passwords in plaintext (Post-its, spreadsheets, emails, messages); sharing credentials between staff members except via the designated password manager; using the same password for work and personal accounts; using personally identifiable information in passwords; and continuing to use credentials after a security incident without changing them.

How often should passwords be changed according to current guidance?

The current NCSC and NIST guidance specifically discourages mandatory periodic password rotation unless there is a specific security reason. Regular forced rotation leads to predictable password patterns (Password1!, Password2!) and often results in weaker overall security. The correct policy is: change credentials immediately on any indication of compromise, when an employee leaves, or when a service reports a breach — not on a fixed schedule.

How do I enforce a password policy without technical controls?

Policy without enforcement is ineffective. Minimum technical controls to enforce a password policy include: a business password manager (makes it easy to use strong generated passwords), MFA on all cloud services (reduces impact of a compromised password), and a leaver process that revokes access and credentials. Regular security awareness training ensures staff understand why the policy exists. Auditing — checking whether staff are actually using the password manager — should be part of your annual security review.

Writing a Password Policy for a Small Business

A password policy is a documented statement of your organisation's requirements for credential management. For most SMEs it is a one-to-two-page document that belongs in the staff handbook, the security policy, or both. Writing one is neither difficult nor time-consuming — but skipping it creates gaps in Cyber Essentials compliance, complicates insurance claims after incidents, and leaves staff without clear expectations.

What to Include

A complete SME password policy covers six areas:

Scope: Which accounts and systems this policy applies to (all company accounts, cloud services, shared systems)
Password requirements: Generated by the company password manager; minimum length; no personal information; unique per system
Password manager: Which tool is designated, that all staff must use it for work credentials, how to get access
MFA requirements: Which accounts require MFA and the accepted methods
Change requirements: When passwords must be changed (on security concern, on a service breach notification, not on a fixed schedule)
Prohibited actions: Sharing credentials, writing in plaintext, reusing personal passwords, emailing credentials

What to Avoid

Mandatory rotation schedules: "Change your password every 90 days" — NCSC and NIST explicitly advise against this; it produces weaker security
Complexity rules that conflict with password managers: If staff use a password manager, complexity rules are enforced by the manager — restating them creates confusion
Unrealistic requirements: Policies that cannot be followed will not be followed; work with what your tools actually support

Use the Policy Builder: The Work Password Policy Builder generates a ready-to-copy policy paragraph based on your chosen settings — including Cyber Essentials compliance status for each configuration.

password policy SME documentation Cyber Essentials HR

For informational purposes only. Consult a qualified IT security professional for advice specific to your organisation.

← Password Security for Remote Workers Setting Up a Password Manager for Your Team →