Northstar IT & Cyber Advisory
  • About
  • Services
  • How We Help
    • Cyber Incident Response
    • M&A IT Due Diligence
    • Cyber Essentials
    • IT Spend Review
    • Fast Growth IT
    • Compliance Advisory
    • IT Supplier Failure
    • AI Strategy & Readiness
    • AI Governance & Policy
    • See all nine situations →
    • ⭐ Free Guide: Ten Questions
  • Insights
  • Get in Touch
Northstar IT & Cyber Advisory
  • About
  • Services
  • How We Help
  • Cyber Incident Response
  • M&A IT Due Diligence
  • Cyber Essentials
  • IT Spend Review
  • Fast Growth IT
  • Compliance Advisory
  • IT Supplier Failure
  • AI Strategy & Readiness
  • AI Governance & Policy
  • See all nine situations →
  • Free Guide: Ten Questions
  • Insights
  • FAQs
Get in Touch
cs@northstaritadvisory.com 0333 577 1714

Governance reviews are standard practice for finance, HR and legal matters in most well-run businesses. IT and cyber governance rarely gets the same treatment. The result is that significant risks accumulate unnoticed until something goes wrong and the board asks why nobody flagged it earlier.

This post provides a practical annual IT governance checklist for SME boards. It is not a technical audit. It is a set of questions that a non-technical board member can ask and expect a clear, honest answer to. If the answers are not clear and honest, that is itself a finding worth acting on.

Section 1 – IT supplier and service delivery

Are we receiving regular, structured service reports from our IT supplier and are we reading them?

A service report that nobody reads is not governance. If your MSP sends a monthly report, someone on the leadership team should be reviewing it, understanding what it contains, and asking questions where the answers are not clear.

When did we last conduct a formal service review with our IT supplier?

A quarterly service review – a structured meeting with a documented agenda, agreed performance metrics and tracked actions, is the minimum standard for any significant IT supplier relationship. If the last formal review was more than six months ago, the relationship is being managed informally.

Are we confident our MSP contract still reflects how the business operates?

Businesses change. Contracts do not update themselves. If your headcount, systems, working practices or locations have changed significantly since the contract was signed, the scope may no longer be appropriate.

Do we know what our IT supplier is contractually obligated to deliver and are they delivering it?

Most SME leaders cannot answer this question accurately because they have never read the contract in detail. If you do not know what you are entitled to, you cannot identify when you are receiving less than that.

Section 2 – Cyber security

Do we know the three most likely ways our business could be compromised?

Phishing, business email compromise and ransomware via an unpatched system account for the majority of cyber incidents in UK SMEs. Your IT supplier should be able to tell you specifically which of these represent the most significant risk for a business of your type, size and sector.

When did we last test our backup and recovery process?

A backup that has never been tested is a backup you cannot rely on. Annual testing of the recovery process, not just confirmation that the backup is running, is a minimum standard.

Are all staff accounts and access permissions current?

This means leavers’ accounts fully deactivated, access permissions reviewed to ensure they reflect current roles, and administrator privileges limited to those who genuinely require them.

Do we hold Cyber Essentials certification and is it current?

Cyber Essentials certification lasts twelve months. If you hold it, when does it expire? If you do not hold it, is it required by any of your clients, insurers or contracts?

Section 3 – Data and compliance

Do we know what personal data we hold and where it lives?

UK GDPR requires you to know what personal data your organisation processes, where it is stored, who has access to it and how long you retain it. If you cannot answer these questions, your data register either does not exist or is not current.

Are all our key IT suppliers covered by Data Processing Agreements?

Where a supplier processes personal data on your behalf, cloud platforms, SaaS tools, your MSP, there should be a Data Processing Agreement in place. Most SMEs have not checked whether these exist for all relevant suppliers.

Do we have a documented process for responding to a data breach within 72 hours?

The ICO reporting obligation begins when you become aware that a breach may have occurred. Without a documented process, the 72-hour window will pass before you have even worked out who needs to be involved.

Section 4 – AI and emerging technology

Do we know which AI tools our staff are using for work purposes?

This includes tools they have adopted independently as well as those provided by the business. The answer is almost always more extensive than leadership expects.

Do we have an AI policy that defines acceptable use and data handling boundaries?

If staff are using AI tools without a policy in place, that use is ungoverned. An AI policy does not need to be lengthy, it needs to exist, be understood, and be enforced.

Section 5 – IT spend and value

Do we have a consolidated view of all IT spend across all suppliers and licences?

If nobody in the business can produce a complete list of IT suppliers, contracts, licences and associated costs within 48 hours, you do not have adequate visibility of your IT spend.

When did we last benchmark our IT costs against current market rates?

IT pricing – particularly connectivity, telephony and cloud services, changes significantly over time. A contract that represented good value three years ago may now be significantly above market.

Are there any IT contracts approaching renewal in the next six months?

Renewal windows – typically 30 to 90 days before contract expiry, are your highest-leverage moment for renegotiation. Missing them locks you in for another term at existing rates.

Using this checklist

Work through these questions annually as a board agenda item. Assign responsibility for providing answers to a specific person, ideally someone with independent IT oversight rather than the IT supplier themselves. Where answers are unclear, incomplete or absent, those are your priority actions for the following quarter.

If you do not have anyone in the business who can provide independent, informed answers to these questions, that is itself the most significant governance finding  and the one most worth addressing first.

IT governance is one of those phrases that sounds corporate and abstract until the moment it becomes very real. A supplier goes offline and nobody knows who the contract is with. A key employee leaves and takes their access credentials with them. A cyber insurer declines a claim because there was no documented security policy. A client audit reveals your data handling practices don’t meet their requirements.

These are governance failures. And they happen to small businesses every day.

What IT governance actually means

IT governance is simply the set of policies, processes and oversight mechanisms that ensure your IT systems and technology investments are aligned with your business objectives, managed responsibly, and operating within acceptable risk parameters.

For a large enterprise, that might mean a formal IT governance framework, a dedicated CIO, and quarterly board-level reporting. For a 30-person professional services firm, it means something more proportionate – but the principles are identical.

Good IT governance for an SME covers:

– **Strategic alignment** – are your technology investments actually supporting what the business is trying to do?

– **Risk management** – do you understand the operational and cyber risks associated with your IT systems?

– **Supplier oversight** – are your IT suppliers performing to the standard your contracts require?

– **Compliance** – are you meeting your legal and regulatory obligations around data, security and continuity?

– **Value** – are you getting appropriate return on your IT spend?

Why most SMEs have a governance gap

The honest answer is structural. In most businesses below 50 or 100 people, there is no single person with both the technical understanding to evaluate IT decisions and the seniority to challenge suppliers, set policy and report to the board.

The MD is focused on the business. The Finance Director trusts that IT costs are reasonable. The Office Manager coordinates with the MSP on day-to-day issues. And the MSP – however capable – is not paid to govern. They are paid to keep things running.

The result is a gap between IT delivery and IT leadership. Nobody is asking whether the technology strategy is right. Nobody is challenging the supplier contract at renewal. Nobody is reporting cyber risk to the board in terms the board can act on.

This gap is invisible until it becomes a problem.

The signs that your IT governance needs attention

You may have a governance gap if:

– You are not sure exactly what IT systems and licences your business is paying for

– Your MSP contract has not been reviewed in more than two years

– You have no documented IT security policy

– Leavers’ system access is not removed consistently and promptly

– You have never tested your backup and recovery process

– Your board has no visibility of IT or cyber risk beyond “it’s being handled”

– You don’t know which systems contain personal data or how it is protected

None of these is a crisis in isolation. Collectively, they represent significant operational and commercial exposure.

How right IT governance looks like for an SME

Good governance does not require a large investment or a complex framework. For most SMEs, it means:

**Clear ownership** – someone is responsible for IT and cyber oversight at a senior level. In a small business, this is often best handled fractionally – a part-time IT director who attends board meetings, reviews suppliers and reports on risk, without the cost of a full-time hire.

**Basic documentation** – an IT security policy, an acceptable use policy, and a data register. These do not need to be lengthy documents. They need to exist, be accurate, and be reviewed annually.

**Supplier accountability** – regular service reviews with your MSP, performance metrics that are actually tracked, and contracts that are reviewed before automatic renewal.

**Risk visibility** – the board receives a brief, plain-English update on IT and cyber risk at least quarterly. They understand what the key risks are and what is being done about them.

**Incident readiness** – there is a basic plan for what happens if something goes wrong. Who do you call? What do you communicate to clients? What are the regulatory obligations?

The commercial case for better governance

IT governance is not a compliance exercise. It is a commercial discipline. Businesses with good IT governance:

– Spend less on technology, because spend is reviewed and challenged

– Recover faster from incidents, because plans exist

– Win more contracts, because they can demonstrate security and compliance

– Pay lower cyber insurance premiums, because their risk profile is better

– Attract better talent, because their systems and processes work properly

For a business of 20 to 100 people, the return on investment in proper IT governance is typically significant and measurable within twelve months.

© 2026 Northstar IT & Cyber Advisory Limited. Company registered in England & Wales. Company No. 17038464. About What We Do How We Help Insights FAQs Free Guide Privacy PolicyCookie PolicyTerms & ConditionsAccessibility
Fractional IT & Cyber Leadership for UK SMBs & SMEs