Published: 21 May 2026 | By AOLC
Most South African businesses have firewalls, antivirus software, and email filters in place. But when you ask whether they have a written cybersecurity policy, the answer is usually silence. Technical controls are the hardware of your defence. The policy is the software — it tells your people how to behave, what to protect, and what to do when something goes wrong.
Without a policy, your security tools are only as strong as the habits of your least security-aware employee. One person using "Password1" across all their accounts, forwarding work emails to a personal Gmail address, or plugging in a found USB drive can undo R500,000 worth of technical controls in minutes. A policy sets the standard — and gives you the legal basis to act when it is breached.
This guide walks you through exactly what a cybersecurity policy is, what sections it must contain, and how to roll it out effectively — whether you run a 10-person consultancy or a 300-person manufacturer.
POPIA requires organisations to implement "appropriate, reasonable technical and organisational measures" to secure personal information. A written cybersecurity policy is your most visible evidence of compliance — and its absence is one of the first things a regulatory investigation looks for.
What a Cybersecurity Policy Is (And Isn't)
A cybersecurity policy is a formal document that defines how your organisation manages the security of its information and technology. It covers what your staff can and cannot do with company systems, how data must be handled and stored, who is responsible for security decisions, and what happens when a breach or incident occurs.
It is not a technical manual. You are not writing network architecture diagrams or firewall rule sets — those belong in separate technical documentation. A policy is aimed at your people: it sets expectations for behaviour, assigns accountability, and creates a formal record that your organisation takes its obligations seriously.
Think of a cybersecurity policy as three things in one:
- A rulebook — defines what is and is not allowed, removing ambiguity about acceptable behaviour
- A compliance record — demonstrates to the Information Regulator, insurers, and auditors that you have taken your POPIA obligations seriously
- A cultural signal — when leadership publishes and enforces a security policy, it communicates to staff that cybersecurity is a business priority, not just an IT concern
82% of data breaches involve a human element — not sophisticated hacking (source: Verizon DBIR). A policy that governs human behaviour is your most impactful security investment.
The 7 Core Sections Your Policy Must Include
A policy that tries to cover everything at once becomes a document nobody reads. Focus on the essentials first. Every South African business needs these seven sections:
- Password management — minimum password length (12+ characters), prohibition on password reuse, and mandatory multi-factor authentication (MFA) for email, remote access, and any system holding personal data. See our guide to cloud and identity security for implementation guidance.
- Acceptable use — what company devices and internet access may be used for. Ban personal software installs without IT approval, block access to high-risk sites, and define whether personal use of company devices is permitted at all.
- Email and phishing — prohibit sending sensitive or personal data over unencrypted email, define rules around external attachments, and specify what staff must do when they suspect a phishing attempt. Refer staff to your cyber awareness training programme.
- Remote access and BYOD — require VPN for all remote access to company systems. If personal devices are permitted (bring your own device), define the minimum security standards they must meet — screen lock, up-to-date OS, and approved security software — before connecting to company data.
- Data classification — define at least three tiers: Public, Internal, and Confidential (add Restricted if you handle highly sensitive regulated data). Specify who may access each tier, how it must be stored, and how it must be transmitted.
- Incident response — who to contact when a breach or security incident is detected, what staff must not do (do not try to fix it yourself, do not delete files, do not power off servers without instruction), and the reporting timeframes required under POPIA. Your managed security provider should be on this escalation list.
- Third-party and vendor access — any contractor, supplier, or cloud service provider with access to your systems or data must agree to security standards equivalent to your own. Document these requirements and include them in vendor contracts.
Tip: Keep your first policy to 5–8 pages. A 40-page document nobody reads is worse than a clear one-pager everyone follows. Start lean, then add depth in subsequent annual reviews as your environment and risk profile evolve.
What POPIA Specifically Requires
POPIA's Condition 7 ("Security Safeguards") places explicit obligations on every South African organisation that processes personal information — which includes customer details, employee records, supplier contacts, and financial data. Your policy must address the following:
- Appointment of an Information Officer — every organisation must designate a named individual responsible for POPIA compliance. This person's details must be registered with the Information Regulator.
- Data breach notification — under POPIA, you must notify the Information Regulator and affected data subjects "as soon as reasonably possible" after discovering a breach. In practice, most organisations target 72 hours. Your policy must define the notification process and who is responsible for triggering it.
- Data retention limits — personal information may not be held longer than necessary for the purpose it was collected. Your policy must specify retention periods for common data categories (employee records, customer contracts, invoices) and how data is securely destroyed when those limits are reached.
- Third-party data processors — if any external party processes personal information on your behalf (payroll bureau, cloud storage provider, CRM platform), your policy must include security requirements for those relationships and how they are contractually managed. Read more about securing cloud data under POPIA.
- Data subject rights — staff must know what to do when an individual asks to access, correct, or delete their personal information. Your policy should define response timeframes (POPIA allows up to 30 days) and who handles these requests.
R10M is the maximum fine under POPIA for non-compliance — or up to 10 years imprisonment for the responsible party. The Information Regulator began enforcement actions in 2024 and is actively investigating complaints.
How to Roll Out Your Policy Effectively
Writing the policy is the straightforward part. Getting your team to actually follow it is where most businesses stumble. The most common failure is emailing a PDF and assuming the job is done. Here is what actually works:
- Get management sign-off first — a policy endorsed by the CEO or MD carries more authority than one issued by IT alone. Staff are more likely to take it seriously when leadership is visibly behind it.
- Run a briefing session before publishing — do not just distribute a document. Run a 30-minute session (in person or via Teams) to explain why each rule exists, answer questions, and address genuine concerns. Staff who understand the reasons behind a rule follow it more consistently than those who see it as arbitrary IT policy.
- Collect written acknowledgements — every employee should sign (physically or electronically) a form confirming they have read, understood, and agree to comply with the policy. Store these records. If a breach later results in disciplinary action or legal proceedings, these acknowledgements are critical evidence.
- Make the policy easy to find — publish it in your internal shared drive, Microsoft Teams wiki, or staff intranet. A policy buried in an email archive does not count as accessible.
- Build it into your HR framework — policy violations should carry the same disciplinary consequences as any other code of conduct breach. Without accountability, even the best-written policy has no teeth.
- Include contractors and temporary staff — anyone with access to your systems is a risk, regardless of their employment status. Make policy acknowledgement part of your onboarding process for all staff, not just permanent employees.
Keeping Your Policy Current
A cybersecurity policy written in 2023 and never reviewed is almost as dangerous as no policy at all. Your tools change, your staff change, and the threat landscape changes. Plan to revisit your policy in these three situations:
- After any security incident — every breach or near-miss is a learning opportunity. What gap did the policy not cover? What instruction was unclear? Update accordingly within 30 days of the incident.
- When you adopt new platforms or tools — migrating to Microsoft 365, deploying a cloud backup solution, implementing BYOD, or onboarding a new SaaS tool all introduce new risks that your existing policy may not address. Trigger a targeted review each time your technology environment changes significantly.
- Annually at minimum — schedule a policy review at the start of each financial year. Assign a named owner — your IT manager, your managed IT provider, or your Information Officer — to drive it. A thorough annual review takes 2–3 hours. A data breach costs weeks of recovery time, significant legal exposure, and lasting damage to customer trust.
A quick checklist before you start writing: appoint your Information Officer, define your data classification tiers, list every system and platform that holds personal data, and identify which vendors process data on your behalf. These four inputs power the rest of the policy.