Many small businesses begin with simple basics: a plan for administration, sales, technology, customer service, and maybe some marketing. Of all of these, technology is quickest to change while also carrying the highest risk.

As companies grow, though, they often overlook the changing business requirements, security risks, and staff needs that put pressure on IT. This is when the SURPRISE! IT expenses appear to come out of nowhere. In reality, they don’t magically appear. They’re a direct result of not keeping IT needs in focus as the company decides to invest in sales or upgrade its administration processes.

While we wish we could spell out every specific item that IT should be responsible for, this list provides a general overview of the most critical areas that all small businesses need to keep their eye on, as well as important questions that should be revisited regularly.

Primary IT Focus Areas

  1. Hardware & Software
  2. Cybersecurity
  3. Bring Your Own Device (BYOD) Policy
  4. Data Backup
  5. IT Training

Hardware & Software

When creating a checklist for hardware/software purchase, use, installation, and upgrade, answer the following questions:

  1. How do you determine what hardware/software is needed? Is it led by business requirements, staff needs, or a combination of both? It’s important to be clear about which areas are led by which requirements so it’s easier to check spending down the line.
  2. Who is responsible for installation of new and replacement hardware and software? Incorrect installation can end up resulting in lost time as well as lost money. And faulty hardware installation can also mess up new hardware that you bring on later.
  3. What is the process for procuring new hardware and software? Do you have regular vendors or partners who you approach, or do you start looking for a suitable one once the requirement arises?
  4. What is your policy for operating systems? Not all hardware/software is compatible with all operating systems. For example, do you only allow PCs or Macs or both?
  5. Who is responsible for updates, security patches, and upgrades? How often must these be conducted and what is your minimum requirement in terms of how far behind a machine or software can be?
  6. Who is responsible for approving new user requirements? And who is responsible for installing them?


Cybersecurity

Cybersecurity policies can help reduce the incidence of cybersecurity breaches caused by lapses in judgment from your employees. When writing yours:

  1. Create and implement a password policy that you require your staff to adhere to. Clearly define password hygiene; acceptable password examples; password sharing, reuse, and update rules, etc.
  2. List the requirements and activities that happen when a new employee is onboarded or when there is a role change. Explain who is responsible for the set up and execution of appropriate access as well as what kind of access is granted to which types of roles.
  3. Explain the rules and regulations around someone quitting your organization. Be specific about how to correctly remove a user from the network, change passwords, limit access, and when these activities are executed.
  4. Include policies for data sharing, such as which data can be shared, when and by whom, who has access (including external persons), the level of data access rights, etc.
  5. Spell out your cybersecurity breach plan. Whether you like to admit it or not, there’s a good chance you’ll experience one. Write out who to contact, how to quarantine the affected systems, what steps are to be taken from the legal perspective (disclosure of the breach, data security violation penalties, and so on), how to prevent such future events, etc.
  6. Don’t forget to include the physical aspect of security. Establish rules and regulations for the physical access of data, such as who has access to your servers or workstations that access sensitive data.

Bring Your Own Device (BYOD) Policy

Simply for the sake of higher productivity, many companies allow their employees to use their own devices for work purposes, like their cell phone or laptop. Your BYOD checklist should answer questions like:

  1. Who is allowed to bring their devices to work? Some departments that deal with sensitive data—like HR for example—may not be allowed to do so.
  2. What kind of devices are allowed/approved? For example, you can specify minimum OS versions that are allowed, since outdated versions can expose your entire network to security threats.
  3. Who is responsible for tracking these devices and ensuring that necessary security patches and anti-malware protection are up to date?

Data Backup

Data backup is the key to ensuring your data is not lost no matter what the issue. Your data backups checklist should cover at a minimum:

  1. Defining the different data sets that need to be backed up and their specific locations.
  2. How often each of those data sets needs to be backed up, and whether each backup is done automatically or manually.
  3. Where the data backup will occur and be held.
  4. How the data backup will be initiated.
  5. Who is responsible for the data backup and monitoring for any issues or breaks.

IT Training

Everyone—and yes, we mean everyone—in your company needs IT training. An IT training checklist serves as a good process document for any new staff or for anyone working on new hardware or software. Following the IT training checklist can help reduce the learning curve and ensure the hardware/software is optimized. Here are the basics of what an IT training checklist should include:

  1. Rules and regulations regarding software and hardware use.
  2. Training programs and schedules for each piece of hardware and software that the employee is responsible for using.
  3. Links to user manuals/instruction videos for the software and hardware.
  4. Contact information for the person or team responsible for troubleshooting IT-related issues.
  5. Contact information for the person or team responsible if there’s a suspected cybersecurity breach.
  6. Contact information for the role responsible for assessing new IT hardware and software requests.

You Have to Start Somewhere

Having these checklists/policy documents doesn’t guarantee that your IT infrastructure is always safe and secure and never suffers downtime. These checklists are the tip of the iceberg, but if implemented, they can do a lot to cut down instances of security issues and increase the opportunity for uptime and better productivity.

If you’re unsure how to get started or how to improve what you already have, talking to a Managed Services Provider can make sure your checklist is comprehensive while taking as little time as possible to implement. If you’d like to discuss yours, just contact us. We have templates and discovery processes that ensure yours covers everything your business needs.