PropoDoc provides self-help document templates and tools. It is not a law firm and does not provide legal advice. Learn more.
Skip to main content

Security Protocol

The defined steps and rules for handling security in a specific area.

Use Free Template
Create your custom version — free to start

20 free credits on signup — no card needed

procedure
moderate
medium Risk

About this Document

What a security protocol is

A security protocol is the document that sets out the rules and procedures everyone in an organisation follows to keep people, information, and premises safe. It is the human-facing companion to the technical controls: where an engineer hardens a server, the protocol tells a receptionist how to handle a stranger at the door, tells a new hire how to choose a password, and tells a finance clerk what to do when a suspicious invoice arrives.

A protocol is operational, not theoretical. It describes behaviour — what people must do, what they must never do, and who to call when something looks wrong. A good one is short enough that people actually read it, specific enough that a new starter knows exactly how to act, and written in plain language rather than the dense wording of a formal standard.

Keep in mind the difference between three documents that are easy to confuse. A security policy is the high-level statement of intent ("we protect customer data"). A technical security plan shows how one system is engineered to deliver on that intent — the encryption settings, the access model, the monitoring. A security protocol, the subject of this guide, is the set of everyday procedures the whole workforce follows. The three reinforce each other; this document focuses on the people and procedures layer.

Scope: physical, information, and personnel security

A complete protocol covers three overlapping domains, and the most damaging gaps usually sit where they meet.

  • Physical security — control of the building and its contents: who may enter, how visitors are signed in and escorted, how doors and server rooms are locked, where badges and keys live, and what a clean-desk and clear-screen rule looks like in practice. A leaked password matters less if anyone can walk in and read a screen.
  • Information security — how data and systems are protected through behaviour rather than configuration: acceptable use of company devices, email and phishing awareness, safe handling of files, and the rules for storing, sharing, and disposing of sensitive information.
  • Personnel security — the human lifecycle: vetting appropriate to the role, a security briefing on day one, defined responsibilities while employed, and — most often neglected — a reliable off-boarding step that revokes every access the moment someone leaves.

Access and authentication rules

Most real incidents come down to who could get in and how easily. State the rules plainly so there is no room for interpretation.

  • Identity and accounts — every person gets their own named account; shared logins are banned because they destroy accountability. Service or system accounts are owned by a named person.
  • Authentication — set a clear standard: a passphrase rather than a short password, multi-factor authentication (MFA) on anything that matters, and a password manager instead of sticky notes or reused passwords.
  • Least privilege — people get only the access their role needs and nothing more. Elevated or administrator access is the exception, granted deliberately and reviewed regularly.
  • Physical access — badges, keys, and door codes are issued to individuals, logged, and recovered when no longer needed. Tailgating — letting someone follow you through a secure door — is treated as a real risk, not a courtesy.
  • Joiners and leavers — access is provisioned to a defined baseline on day one and fully revoked on the last day. A leaver who still has a working login is one of the most common and avoidable exposures.

Acceptable use and data handling

This section is what most employees will actually consult, so make it concrete.

  • Acceptable use — what company devices, accounts, and networks may and may not be used for; whether personal use is permitted; and the line that turns ordinary use into a breach (installing unvetted software, disabling security tools, connecting unknown USB devices).
  • Data classification — give people a small, memorable set of labels (for example Public, Internal, Confidential, Restricted) and one rule for each: who may see it, how it may be shared, and how it must be stored.
  • Sharing and transfer — how confidential information may leave the organisation: approved tools only, encryption where required, and a check on the recipient before anything sensitive is sent.
  • Retention and disposal — how long records are kept and how they are destroyed: shredding paper, wiping devices before reuse, and emptying shared drives of files that are no longer needed.

Incident reporting

The single most useful thing a protocol does is make reporting easy and blame-free, because the faster a problem surfaces the smaller it stays.

  • What counts as an incident — a lost laptop or phone, a clicked phishing link, a misdirected email containing personal data, an unfamiliar person inside a secure area, a suspected malware infection, or simply something that feels wrong.
  • How to report — one obvious channel that works at any hour (a phone number, an address, or a chat channel), with a named role behind it. If reporting is hard, people will hide mistakes.
  • No-blame principle — reporting promptly is rewarded, not punished. The person who reports their own phishing click within minutes has done exactly the right thing.
  • What happens next — who triages the report, how the person is kept informed, and the basic shape of the response: contain the problem, assess the impact, fix the cause, and record what was learned.

Training, enforcement, and review

A protocol that nobody is taught and nobody enforces is decoration.

  • Training — every new starter is briefed during onboarding and signs to confirm they have read the protocol; everyone refreshes it at a set interval, with short, practical reminders (a simulated phishing email beats an hour-long slideshow).
  • Enforcement — make clear that the rules apply to everyone, including leadership, and what happens when they are ignored. Pair consequences with a supportive culture, so honest mistakes are reported rather than buried.
  • Ownership and review — name a single owner responsible for keeping the protocol current, and set a review date (commonly every six to twelve months, and after any significant incident or change to how the organisation works).

Common mistakes to avoid

  • Writing it for auditors, not staff. A protocol crammed with formal standard wording is one nobody reads. Write for the receptionist and the new hire, in plain language.
  • No off-boarding step. Granting access carefully but never revoking it leaves a trail of live logins for former staff. Make the leaver checklist as firm as the joiner one.
  • Shared accounts and passwords. They feel convenient and they destroy accountability — when something goes wrong nobody can tell who did it.
  • A reporting channel nobody can find. If staff do not know exactly who to tell at 9pm on a Friday, incidents go unreported until they are expensive.
  • Punishing honest reports. Blaming the person who reports a mistake guarantees the next mistake stays hidden. Reward speed and honesty.
  • Treating it as write-once. An out-of-date protocol that still names a person who left two years ago signals that none of it is taken seriously. Assign an owner and a review date.

Required Sections

Purpose and Scope

What assets, systems, and threats this protocol governs

Required

Threat Landscape

Scoped risks and attack vectors this protocol mitigates

Required

Security Controls

Preventive, detective, and corrective safeguards in force

Required

Roles and Responsibilities

Who owns, enforces, and audits each control

Required

Monitoring and Detection

Ongoing surveillance methods and alerting thresholds

Required

Incident Response

Steps to classify, contain, and recover from breaches

Required

Compliance and Audit

Standards adherence and how conformance is verified

Required

Review and Updates

Triggers, cadence, and owners for protocol revision

Required

Optional Sections

Access Control Matrix

Permission grid mapping roles to specific resources

Optional

Exceptions Process

How to request, justify, and approve policy exceptions

Optional

Training Requirements

Mandatory security awareness and certification requirements

Optional

Frequently Asked Questions

What is the difference between a security protocol and a security policy?
A security policy is the short, high-level statement of intent — for example, 'we protect customer data and require multi-factor authentication.' A security protocol is the operational detail underneath it: the step-by-step rules and procedures people actually follow, such as how visitors are signed in, how passwords are set, and exactly who to call when a laptop goes missing. The policy says what the organisation stands for; the protocol tells each person what to do.
How is a security protocol different from a technical security plan?
A technical security plan describes how a specific system is engineered and configured to be secure — its encryption settings, access model, monitoring, and infrastructure. A security protocol is about people and everyday behaviour: acceptable use, password and device rules, physical access, and incident reporting across the whole organisation. The plan protects the system through configuration; the protocol protects the organisation through the procedures staff follow. The two work together and are usually maintained as separate documents.
What should a security protocol cover?
A practical protocol covers its purpose and scope, the roles and who is responsible, access-control rules (named accounts, least privilege, joiner and leaver steps), password and MFA and device rules, data handling and classification, physical security, a clear incident-reporting procedure, and a section on training, enforcement, and review. The aim is to span the three domains of physical, information, and personnel security in plain language that staff will actually read and act on.
Who is responsible for following a security protocol?
Everyone. A single named owner — often an operations lead, office manager, or a dedicated security role — keeps the protocol current and handles incidents, but the rules apply to every employee, contractor, and visitor, including leadership. Managers are responsible for briefing their teams and setting the example. Security only works when it is genuinely shared, which is why a good protocol names responsibilities clearly rather than leaving them to assumption.
How do I report a security incident?
Report it immediately through the single channel your protocol names — typically a phone number, an address, or a dedicated chat channel that is monitored at any hour. Do not try to hide or quietly fix the problem, and do not delete anything that could help assess what happened. A good protocol is explicitly no-blame: someone who reports their own phishing click within minutes has done exactly the right thing, because speed limits the damage. The named owner then triages, contains, fixes, and records what was learned.
How often should a security protocol be reviewed and refreshed?
Review the document itself on a set schedule — commonly every six to twelve months — and again after any significant incident or major change to how the organisation works, such as a move to remote work or a new system. Separately, refresh people's awareness regularly: brief every new starter during onboarding, have everyone re-read and acknowledge the protocol at least once a year, and run short, practical reminders such as simulated phishing tests. An owner with a fixed review date is what keeps a protocol from quietly going stale.

Ready to create your document?

Use our free template or generate a custom version tailored to your needs.

Use Free Template
Create your custom version — free to start

20 free credits on signup — no card needed

We recommend professional review for your specific situation.

Last reviewed: June 4, 2026