Governance reviews are standard practice for finance, HR and legal matters in most well-run businesses. IT and cyber governance rarely gets the same treatment. The result is that significant risks accumulate unnoticed until something goes wrong and the board asks why nobody flagged it earlier.

This post provides a practical annual IT governance checklist for SME boards. It is not a technical audit. It is a set of questions that a non-technical board member can ask and expect a clear, honest answer to. If the answers are not clear and honest, that is itself a finding worth acting on.

Section 1 – IT supplier and service delivery

Are we receiving regular, structured service reports from our IT supplier and are we reading them?

A service report that nobody reads is not governance. If your MSP sends a monthly report, someone on the leadership team should be reviewing it, understanding what it contains, and asking questions where the answers are not clear.

When did we last conduct a formal service review with our IT supplier?

A quarterly service review – a structured meeting with a documented agenda, agreed performance metrics and tracked actions, is the minimum standard for any significant IT supplier relationship. If the last formal review was more than six months ago, the relationship is being managed informally.

Are we confident our MSP contract still reflects how the business operates?

Businesses change. Contracts do not update themselves. If your headcount, systems, working practices or locations have changed significantly since the contract was signed, the scope may no longer be appropriate.

Do we know what our IT supplier is contractually obligated to deliver and are they delivering it?

Most SME leaders cannot answer this question accurately because they have never read the contract in detail. If you do not know what you are entitled to, you cannot identify when you are receiving less than that.

Section 2 – Cyber security

Do we know the three most likely ways our business could be compromised?

Phishing, business email compromise and ransomware via an unpatched system account for the majority of cyber incidents in UK SMEs. Your IT supplier should be able to tell you specifically which of these represent the most significant risk for a business of your type, size and sector.

When did we last test our backup and recovery process?

A backup that has never been tested is a backup you cannot rely on. Annual testing of the recovery process, not just confirmation that the backup is running, is a minimum standard.

Are all staff accounts and access permissions current?

This means leavers’ accounts fully deactivated, access permissions reviewed to ensure they reflect current roles, and administrator privileges limited to those who genuinely require them.

Do we hold Cyber Essentials certification and is it current?

Cyber Essentials certification lasts twelve months. If you hold it, when does it expire? If you do not hold it, is it required by any of your clients, insurers or contracts?

Section 3 – Data and compliance

Do we know what personal data we hold and where it lives?

UK GDPR requires you to know what personal data your organisation processes, where it is stored, who has access to it and how long you retain it. If you cannot answer these questions, your data register either does not exist or is not current.

Are all our key IT suppliers covered by Data Processing Agreements?

Where a supplier processes personal data on your behalf, cloud platforms, SaaS tools, your MSP, there should be a Data Processing Agreement in place. Most SMEs have not checked whether these exist for all relevant suppliers.

Do we have a documented process for responding to a data breach within 72 hours?

The ICO reporting obligation begins when you become aware that a breach may have occurred. Without a documented process, the 72-hour window will pass before you have even worked out who needs to be involved.

Section 4 – AI and emerging technology

Do we know which AI tools our staff are using for work purposes?

This includes tools they have adopted independently as well as those provided by the business. The answer is almost always more extensive than leadership expects.

Do we have an AI policy that defines acceptable use and data handling boundaries?

If staff are using AI tools without a policy in place, that use is ungoverned. An AI policy does not need to be lengthy, it needs to exist, be understood, and be enforced.

Section 5 – IT spend and value

Do we have a consolidated view of all IT spend across all suppliers and licences?

If nobody in the business can produce a complete list of IT suppliers, contracts, licences and associated costs within 48 hours, you do not have adequate visibility of your IT spend.

When did we last benchmark our IT costs against current market rates?

IT pricing – particularly connectivity, telephony and cloud services, changes significantly over time. A contract that represented good value three years ago may now be significantly above market.

Are there any IT contracts approaching renewal in the next six months?

Renewal windows – typically 30 to 90 days before contract expiry, are your highest-leverage moment for renegotiation. Missing them locks you in for another term at existing rates.

Using this checklist

Work through these questions annually as a board agenda item. Assign responsibility for providing answers to a specific person, ideally someone with independent IT oversight rather than the IT supplier themselves. Where answers are unclear, incomplete or absent, those are your priority actions for the following quarter.

If you do not have anyone in the business who can provide independent, informed answers to these questions, that is itself the most significant governance finding  and the one most worth addressing first.

← All Insights
← Previous Next →

More Insights

Supplier Management

The MSP Contract Renewal Playbook: How to Negotiate from Strength

Most SMEs accept their MSP's renewal offer without negotiation. This is almost always a commercial mistake. Here is how to approach contract renewal in a way that produces better terms, better service commitments and better value.

17 July 2026 · 4 min read
Cyber Risk

Business Email Compromise: The Cyber Threat Most SME Boards Have Never Heard Of

Ransomware gets the headlines. Business email compromise quietly costs UK businesses more money every year. Here is what it is, how it works, and why it is particularly dangerous for SMEs.

9 July 2026 · 4 min read
Cyber Essentials

Cyber Essentials Explained: A No-Nonsense Guide for UK SME Business Leaders

Cyber Essentials is the UK government-backed certification that more and more businesses are being asked to hold. Here's what it actually involves, how long it takes, what it costs, and whether you need CE or CE+.

23 June 2026 · 5 min read