Social Media and External Communications Policy - SME

The Social Media and External Communications Policy (P36S) sets forth a comprehensive, practical framework to protect small and medium enterprises (SMEs) when conducting public-facing communications. It covers all external references to the company, including social media activity, blog posts, event participation, media contact, and public sharing of visuals from work environments, to address the unique compliance, legal, and reputational risks now associated with digital communications. This policy is specially tailored as an SME policy, evident from its use of the General Manager role as the primary policy owner and compliance lead rather than dedicated IT executives or security officers. This approach ensures that even organizations without a CISO or Security Operations Center can implement robust controls aligned with ISO/IEC 27001:2022 requirements. Every affiliated individual, including employees, contractors, freelancers, vendors, and temporary staff, is in scope, and the rules also govern use of personal accounts or devices, whether inside or outside working hours. This is crucial for SMEs with limited oversight and diverse, flexible work arrangements. The policy's core objectives are clearly defined: preventing reputational harm from unapproved or misleading statements, securing sensitive company and client data, maintaining ongoing legal compliance (such as with GDPR), and promoting professional and responsible online engagement. Governance requirements are highly actionable; for example, they set out clear rules for acceptable and prohibited content, mandatory approvals for public engagements, use of disclaimers when commenting on industry topics, and strong access controls, like MFA, for official accounts. Notably, third-party marketing or PR vendors must strictly comply under explicit contracts and may not post content without the GM's approval. Implementation is made practical for SMEs: annual and onboarding training is required for all staff, any proposed public-facing content must be sent to the GM for approval with documentation, and there are guidelines for archiving posts and logging approvals, even using spreadsheets. The policy prescribes active risk management, including regular reviews by the GM for exposures related to social communication, requirements for handling and reporting accidental disclosures (with references to the dedicated Incident Response Policy), and a structured process for exceptions and amendments. Enforcement is robust yet balanced, violations trigger clear disciplinary measures and are addressed proportionally to severity and intent. All stakeholders, including vendors, are covered, promoting a holistic and consistent external presence. The policy is supported by direct links to related SME controls on acceptable use, security awareness, privacy, incident response, and legal requirements, ensuring a strong integrated compliance posture.