Develop and distribute a code of conduct for using ICT

You should establish a rule of conduct for employees working in the organization (for example clause in employment contract) or leaving the organization to protect that important information is floating out of your organization.

Your code of conduct can be the foundation of your security program and is centred around confidentiality, integrity and the availability of information within your organization.

Setting the objectives, and then defining and monitoring the indicators of the outcomes, is crucial for directing action and for staff buy-in. These tools should allow you to speak the same language and refer to understandable and well-defined elements.

The Code of conduct should at minimum address the following:

  • Acceptabe Use of Equipment, Applications
  • Provisions for personal use of corporate devices
  • Security and Privacy considerations for employees
  • Email and communications hygiene
  • Social Media Conduct in regards to the company
  • Clean Desk Policies
  • Use of external media, removal and portable devices
  • Use of Mobile Devices for corporate goals


Have a policy for, and signed by, employees regarding data handling


Have a policy on the private use of company assets