Mini Bundle: Access & Network Security - SME

The Mini Bundle: Access & Network Security - SME provides a robust, pre-aligned set of six cybersecurity governance documents built specifically for small and mid-sized enterprises (SMEs). Recognizing the unique challenges faced by organizations without dedicated IT or security departments, each policy in the bundle is streamlined to use roles commonly present in SMEs, such as General Manager, Department Managers, and External IT Providers. All documents are meticulously mapped to the latest ISO/IEC 27001:2022 and ISO/IEC 27002:2022 requirements, as well as related frameworks like NIST SP 800-53 Rev.5, EU GDPR, EU NIS2, EU DORA, and COBIT 2019. This bundle includes the Access Control Policy, which dictates how access to IT systems, facilities, and data is managed through clear approval processes, formal reviews, and enforcement of least privilege. User Account and Privilege Management Policy expands on this by ensuring robust controls over account provisioning, modification, and deactivation, prohibiting shared credentials, and mandating unique, traceable identities, supported by rigorous audit trails and compliance logging. Both are written for organizations where the General Manager or an external IT function acts as the system owner or approval authority, reducing complexity and ensuring that control can be maintained even with limited internal resources. The Vulnerability and Patch Management Policy defines the expectations for identifying, assessing, and remediating vulnerabilities across all IT assets, including workstations, servers, cloud infrastructure, and software. Timely patching, quarterly reporting, and clear exception processes are mandated, with responsibilities shared between the General Manager and IT providers. To protect endpoint infrastructure, the Endpoint Protection - Malware Policy provides requirements for antivirus deployment, BYOD security, monitoring, and response, with technical and procedural instructions tailored to the SME context, including the use of approved tools and regular malware training. Critical network controls are addressed in the Network Security Policy, which details the design, segmentation, monitoring, and enforcement of secure wired, wireless, and remote access channels. The policy covers both physical and logical networks, requiring robust firewall configurations, VPN usage with MFA, regular audits, and reporting of unauthorized or anomalous network behavior. The Logging and Monitoring Policy ensures that all critical activities, from administrative changes to security alerts, are logged, retained, and regularly reviewed, enabling SMEs to meet both operational and legal obligations for accountability, breach investigation, and compliance audits. As SME-specific policies (evidenced by the 'S' in their numbering and role references), every document emphasizes practical, realistic implementation, using registers, simple approval flows, and checklists instead of large-team structures or specialized positions. Together, this bundle provides a comprehensive, actionable, and auditable foundation for cybersecurity best practice in small and mid-sized enterprises.