HR Policies for Indian Companies: The Essential 2026 Checklist
HR policies for Indian companies tend to get written in one of two ways: proactively, as a foundation laid while the company is calm — or reactively, the week after an incident that a policy would have prevented. The second way is always more expensive. A harassment complaint with no POSH framework in place, a termination with no documented discipline process, a data leak with no acceptable-use policy to point to: each of these turns a manageable situation into a crisis precisely because the rules were never written down.
This guide is a complete 2026 checklist of HR policies for Indian companies — what each essential policy is for, what it must contain, the mistakes that hollow policies out, and a step-by-step process for drafting, approving, rolling out, and maintaining them. It is written for HR managers, founders, and operations leads at startups and SMBs in India.
One framing note before the list: some policies are effectively mandated or shaped by law (POSH is the clearest example, and leave rules are heavily conditioned by state-specific shops and establishments legislation), while others are purely good governance. Statutory details vary by state and change over time — treat the legal references here as general orientation and verify current requirements for your states of operation, ideally with counsel.
Why Written Policies Matter — Especially for SMBs
Founders sometimes resist policy-writing as premature bureaucracy. The case for writing things down early is practical, not bureaucratic:
- Consistency is fairness. Unwritten rules get applied differently to different people, and inconsistency — not strictness — is what employees experience as injustice.
- Policies scale judgment. At 15 people, the founder decides every edge case. At 150, fifteen managers decide them — identically only if the rule is written.
- Documentation is protection. Disciplinary actions, terminations, and disputes are defensible in proportion to the documented process behind them.
- Diligence demands it. Investors, enterprise customers, and certification audits all ask for the policy folder. An empty one costs deals.
- Onboarding accelerates. A clear handbook answers in one read what would otherwise consume months of corridor questions.
The counterweight is real too: policies that exist only to forbid things, written in legalese nobody reads, create compliance theatre. The goal is a small set of clear, enforced policies — not a thick binder of ignored ones.
The Essential Policy Checklist by Company Stage
| Policy | <20 employees | 20–100 | 100+ | Statutory linkage |
|---|---|---|---|---|
| Code of conduct | Recommended | Essential | Essential | Indirect |
| Leave & attendance | Essential | Essential | Essential | Strong (state S&E acts) |
| POSH (sexual harassment) | Essential* | Essential | Essential | Mandatory elements (IC at 10+) |
| Compensation & payroll | Recommended | Essential | Essential | Strong |
| Work hours, remote & hybrid | Recommended | Essential | Essential | Moderate |
| IT, data security & acceptable use | Recommended | Essential | Essential | Growing (data protection law) |
| Confidentiality & IP | Essential | Essential | Essential | Contractual |
| Probation & confirmation | Recommended | Essential | Essential | Contractual |
| Grievance redressal | Recommended | Essential | Essential | Moderate; strengthens under labour codes |
| Performance & discipline | Recommended | Essential | Essential | Important for disputes |
| Expense & travel | Optional | Recommended | Essential | Tax linkage |
| Equal opportunity & anti-discrimination | Recommended | Recommended | Essential | Moderate |
| Social media | Optional | Recommended | Essential | Indirect |
| Exit & offboarding | Recommended | Essential | Essential | Strong (FnF, gratuity) |
| Whistleblower | Optional | Recommended | Essential | Required for some entities |
*POSH obligations — including constituting an Internal Committee once an establishment has 10 or more employees — apply regardless of how young the company is.
The Core Policies, One by One
Code of conduct
Purpose. The umbrella statement of expected behaviour: integrity, respect, conflicts of interest, gifts, workplace behaviour, and consequences.
What to include. Scope (who it covers — employees, contractors, interns); core behavioural standards with concrete examples; conflict-of-interest disclosure rules; anti-bribery expectations; how violations are reported and handled.
Pitfalls. Vague virtue language with no examples; consequences described but never applied; covering employees but ignoring contractors and vendors who work alongside them.
Leave and attendance policy
Purpose. Defines leave types, entitlements, accrual, approvals, and how attendance is recorded — the single most-consulted policy in any company.
What to include. Leave types (earned/privilege, casual, sick, maternity and paternity, bereavement, compensatory off, leave without pay) with entitlements and accrual rules; carry-forward and encashment; holiday calendar approach (including any optional/floating holidays); application and approval workflow with notice expectations; attendance recording method and grace rules; treatment of late arrivals and half-days.
Statutory note. Leave entitlements are heavily shaped by state shops and establishments acts and, for factories, the Factories Act; maternity benefits are governed by the Maternity Benefit Act. Set your policy at or above the applicable floor for each state where you employ people, and revisit when you expand into new states.
Pitfalls. Copying another company's numbers without checking your states' floors; encashment rules that surprise finance at exit; sandwich-leave rules so punitive they breed resentment; policy and HRMS configuration that disagree.
POSH policy (prevention of sexual harassment)
Purpose. Compliance with the Sexual Harassment of Women at Workplace (Prevention, Prohibition and Redressal) Act, 2013 — and beyond compliance, a workplace where harassment is genuinely addressed.
What to include. Definition of sexual harassment with illustrations as per the Act; the Internal Committee's composition (including the external member and presiding officer requirements), tenure, and contact details; complaint procedure, timelines, and the inquiry process in plain language; interim measures available to complainants; confidentiality obligations; protection against retaliation; consequences; annual training and reporting commitments.
Statutory note. Constituting an Internal Committee is mandatory once an establishment has 10 or more employees; annual reports and training obligations apply. Non-compliance carries penalties and — far worse — guarantees that any incident becomes institutionally catastrophic. Verify current procedural requirements; this area sees active judicial and administrative attention.
Pitfalls. An IC that exists on paper with members nobody can name; no external member; treating training as a one-time checkbox; policies that quote the statute verbatim but give no practical guidance on how to actually complain.
Compensation and payroll policy
Purpose. How pay is structured, processed, and revised — the operational companion to every offer letter.
What to include. Salary structure components and what CTC includes; pay date and what happens when it falls on a holiday; statutory deductions overview (PF, ESI, professional tax, TDS); reimbursement claims process and deadlines; advance/loan policy if any; increment cycle and process; variable pay and incentive rules; payslip access; how payroll errors are reported and corrected.
Pitfalls. Variable pay described in offers but governed nowhere; no error-correction protocol (every payroll mistake then becomes a negotiation); silence on recovery of excess payments and notice-period dues.
Work hours, remote and hybrid work policy
Purpose. When and where work happens, and the rules that keep flexible work fair and compliant.
What to include. Standard working hours, weekly offs, and overtime approach (with statutory overtime rules applying to covered categories); hybrid norms — anchor days, core hours, response expectations; remote work eligibility by role; workspace, internet, and equipment provisions; data security expectations when remote; moonlighting/dual-employment stance; right-to-disconnect norms if you choose to adopt them.
Pitfalls. Hybrid rules enforced for juniors and ignored for leadership (the fastest way to kill a policy's credibility); no clarity on who pays for what at home; ignoring that state laws still govern working hours even for remote employees.
IT, data security and acceptable use policy
Purpose. Protecting systems, data, and the company's legal position in a world of phishing, leaks, and now AI tools.
What to include. Acceptable use of company devices, email, and networks; password/MFA and device security requirements; data classification basics and handling rules for customer and employee data; BYOD rules if permitted; approved software and the process for new tools; generative AI usage rules — what data may never be pasted into external tools, which tools are approved; incident reporting (what to do in the first hour after a suspected breach); monitoring disclosure, stated honestly; consequences.
Statutory note. India's data protection regime (the DPDP Act and its evolving rules) raises the stakes for employee and customer data handling. Align this policy with your privacy obligations and verify current rule status.
Pitfalls. Banning everything and driving usage underground; no AI clause in 2026; monitoring employees without telling them; an incident process nobody has rehearsed.
Confidentiality and intellectual property policy
Purpose. Ensuring company information stays protected and work product belongs to the company.
What to include. Definition of confidential information; obligations during and after employment; IP assignment language (typically reinforced in employment contracts); handling of prior inventions; open-source contribution rules for tech teams; exit obligations — return of data and devices.
Pitfalls. Relying on the policy instead of contract clauses (use both); IP language so broad it claims employees' unrelated personal projects, which courts and candidates both dislike; no practical exit checklist enforcing the return obligations.
Probation and confirmation policy
Purpose. A defined runway to assess new hires, with honest mechanics for confirmation, extension, or exit.
What to include. Probation duration and what it means practically; performance expectations and check-in cadence during probation; confirmation process and communication; extension rules (duration, maximum, communication); notice periods during probation vs after confirmation; benefits applicability during probation.
Pitfalls. Auto-confirmation by silence (decide deliberately whether confirmation is automatic or requires positive action — and say so); probation used as an excuse to skip feedback; extensions repeated indefinitely instead of decisions being made.
Performance and disciplinary policy
Purpose. How performance is managed and how misconduct is addressed — the policy that protects both fairness and the company's ability to act.
What to include. Performance review framework reference; the improvement path (feedback → documented warning → PIP → consequences); misconduct categories with examples — minor vs major/gross; the disciplinary process: show-cause, inquiry where warranted, representation, decision, appeal; suspension provisions; documentation standards at every step.
Statutory note. For workers covered by standing orders or industrial employment law, disciplinary procedures have specific legal requirements; "misconduct" definitions and natural-justice principles matter in disputes. Take advice when drafting and when acting.
Pitfalls. Skipping steps when angry — the documented process only protects you if you follow it; punishing performance issues through the misconduct track; warnings that live in managers' inboxes instead of personnel files.
Grievance redressal policy
Purpose. A safe, predictable channel for employees to raise workplace concerns — pay disputes, manager conflicts, unfair treatment — and get answers.
What to include. What counts as a grievance; how to raise one (named channels, including a route that bypasses one's manager); acknowledgment and resolution timelines; escalation ladder; confidentiality commitments; anti-retaliation assurance; record-keeping.
Pitfalls. A formal channel nobody trusts because the first user got burned; no timeline commitments; grievances against senior leaders with no defined alternate route.
Expense and travel policy
Purpose. What the company pays for, at what limits, with what proof.
What to include. Eligible expense categories and grade-wise limits; booking norms (advance booking, approved channels); per-diems vs actuals; claim submission process, deadlines, and proof requirements; advances and settlement; non-reimbursable items stated bluntly; tax-related documentation where relevant.
Pitfalls. Limits set once and eroded by inflation into universal exception-seeking; approval chains longer than the trips; reimbursement so slow employees become unwilling lenders to their employer.
Equal opportunity and anti-discrimination policy
Purpose. A stated commitment that hiring, pay, promotion, and treatment are merit-based, with protected characteristics named and complaint routes defined.
What to include. Protected grounds (gender, religion, caste, disability, age, marital status, sexual orientation — informed by constitutional values and specific statutes such as disability and HIV-related law, plus the transgender persons legislation); applicability across the employment lifecycle; reasonable accommodation approach for disability; complaint route (typically the grievance channel, with POSH handling its specific domain).
Pitfalls. A statement page with no operational teeth — no accommodation process, no complaint route, no training.
Social media policy
Purpose. Guidance for employees' public expression where it touches the company.
What to include. Who may speak for the company officially; the personal-opinions disclaimer norm; confidentiality red lines (product plans, customer names, financials); respectful-conduct expectations when identifiable as an employee; what to do when journalists or trolls come calling.
Pitfalls. Trying to govern employees' entire online lives — keep the scope to company-related speech, or lose both enforceability and goodwill.
Exit and offboarding policy
Purpose. A predictable, dignified end of employment that protects both sides.
What to include. Resignation process and notice periods; notice buyout and recovery rules; garden-leave provisions if used; handover expectations; asset and access return checklist; exit interview; full-and-final settlement components and timeline commitments; gratuity and leave encashment treatment; experience and relieving letters; references policy; alumni data retention.
Statutory note. FnF timelines, gratuity eligibility, and encashment carry statutory dimensions, and the labour codes (when fully enforced) tighten settlement timelines. Pay attention here — exit is where most employment disputes are born.
Pitfalls. FnF taking months and converting every leaver into a public critic; relieving letters used as leverage in disputes; access disabled too late (security risk) or too abruptly (humiliation).
Whistleblower policy
Purpose. A protected channel for reporting serious wrongdoing — fraud, corruption, safety, legal violations — distinct from everyday grievances.
What to include. Scope of reportable matters; reporting channels including an anonymous option; the investigation commitment; explicit anti-retaliation protections; consequences for bad-faith complaints (worded so as not to chill honest ones); governance — who oversees, how findings are reported.
Statutory note. Certain companies (notably listed entities and prescribed classes under company law) have vigil mechanism obligations. For everyone else, it is governance maturity that diligence processes increasingly expect.
A Reusable Policy Structure Template
Consistency of format is half of readability. Use the same skeleton for every policy:
- Title, version, owner, effective date — the header block that makes governance auditable.
- Purpose — two or three sentences on why this policy exists.
- Scope — exactly who is covered: employees, probationers, interns, contractors, consultants; which locations and entities.
- Definitions — every term that could be argued about ("workplace", "immediate family", "company data").
- Policy statements — the rules themselves, numbered, one rule per clause, with examples for anything abstract.
- Process — how to apply for / claim / report / escalate, with named roles and timelines.
- Consequences — what happens on violation, by severity.
- Exceptions — who can approve deviations and how they are recorded. An exception process you control beats exceptions that happen anyway, undocumented.
- Related policies and laws — cross-references so readers find the full picture.
- Version history — what changed, when, and why.
Two writing disciplines elevate any policy drafted on this skeleton. Write rules as obligations with subjects — "Employees must submit claims within 30 days" rather than "claims should ideally be timely" — because vague modality ("should", "may", "endeavour") creates arguments, not compliance. And put examples beside every rule that could be misread: a code of conduct clause on conflicts of interest means little until it says "for example, hiring a relative's firm as a vendor without disclosure".
Sample clause outline: leave application
Process — applying for earned leave.
1. Apply through the HRMS at least 7 calendar days before the start date for leave of 3+ days; 1 working day for shorter leave.
2. The reporting manager approves or declines within 2 working days; non-response auto-escalates to the next approver.
3. Leave conflicting with a declared business-critical window may be declined with reasons; alternatives must be offered within the same quarter.
4. Unapproved absence is treated as leave without pay and may invite disciplinary process under [Discipline Policy].
Four numbered clauses, every actor named, every timeline explicit, the cross-reference in place — that is the texture an enforceable policy needs.
How to Draft and Roll Out a Policy: A Step-by-Step Process
- Identify the need and the owner. Every policy gets one accountable owner (usually HR, sometimes IT or finance).
- Research the floor. Statutory minimums in every state you operate, plus industry norms. Your policy can exceed the floor; it cannot dip below it.
- Draft in plain language. Short sentences, defined terms, concrete examples. The reading level should suit every employee it covers, not the lawyer who reviews it. Structure each policy identically: purpose → scope → policy detail → process → consequences → exceptions → effective date and version.
- Stress-test with scenarios. Take five real situations from the past year and check the draft answers them. Policies fail at edge cases, and edge cases are findable in advance.
- Legal review where it matters. POSH, discipline, exit, IT/data, and anything statutory deserve counsel's eyes. A few hours of review is cheap insurance.
- Approve formally. Defined approver (founder/CHRO/board as appropriate), recorded approval, version number, effective date.
- Communicate like you mean it. Not just an email with nine attachments: a short note on what is changing and why, manager briefings for policies they must enforce, and a town-hall slot for anything significant.
- Collect acknowledgments. Every employee confirms reading — digitally, with a timestamp. Acknowledgment is what converts "we have a policy" into "everyone was on notice", which matters enormously in any later dispute.
- Train where reading isn't enough. POSH requires it; data security and discipline benefit hugely from it.
- File and version. One canonical repository; superseded versions archived, not deleted — disputes are judged against the policy in force at the time.
Keeping Policies Alive: Review Cadence and Triggers
| Review trigger | Policies affected | Typical action |
|---|---|---|
| Annual scheduled review | All | Refresh limits, contacts, examples; reconfirm legal floor |
| New state of operation | Leave, hours, payroll | Align to that state's S&E act, PT, LWF |
| Labour codes enforcement | Leave, hours, pay, exit, grievance | Structured re-baselining of affected policies |
| Data protection rule changes | IT/data, exit, recruitment | Update consent, retention, breach process |
| Headcount thresholds crossed | POSH (IC), bonus, ESI/PF, standing orders | Constitute bodies, extend coverage |
| Incident or near-miss | Whichever failed | Post-mortem, targeted amendment |
| New tools or work models | IT/AI, remote, social media | Add rules before habits harden |
Two habits make the difference between living policies and shelfware. First, a standing annual review in the compliance calendar, with the owner reporting what changed. Second, version discipline: every change logged with date and rationale, every re-acknowledgment tracked.
Digitising Policies in an HRMS
Paper policies acknowledged at joining and never seen again are barely better than no policies. An HRMS changes the mechanics:
- One source of truth — current versions in a policy library every employee can search, instead of folklore and outdated PDFs.
- E-acknowledgment with audit trails — who read what version, when; automated chasing of the unacknowledged; re-acknowledgment campaigns when policies change.
- Policy-aware workflows — the leave policy enforced by the leave module's accrual and approval rules; the expense policy enforced by claim limits in the system; probation timelines tracked with automatic confirmation alerts.
- Targeted distribution — state-specific or role-specific policies reaching exactly the right population.
- Evidence on demand — when an auditor, investor, or lawyer asks, the acknowledgment report is a click, not an archaeology project.
The quiet benefit is cultural: when the system itself behaves according to policy, employees stop experiencing policies as documents and start experiencing them as how the company simply works.
Common Mistakes with HR Policies
- Copy-pasting templates from the internet with another company's (or another country's) rules still inside.
- Writing for lawyers, not employees — unread policies protect no one.
- Policy–practice gaps — the handbook says one thing, managers do another; in disputes, the gap hurts more than silence.
- No acknowledgment records, making "they knew the rule" unprovable.
- Forgetting the states — one leave policy applied across five states with five different floors.
- No POSH committee despite crossing ten employees — the single most common, most serious SMB compliance gap.
- Never updating — AI tools, hybrid work, and data protection law have all moved; policies written before them are part fiction.
- Enforcing selectively — the senior exception that converts a policy into a grievance generator.
- Having too many — fifty policies nobody can navigate instead of fifteen that everyone knows.
Frequently Asked Questions
Which HR policies are legally mandatory in India?
The clearest mandatory element is the POSH framework — policy, Internal Committee (at 10+ employees), training, and annual reporting. Beyond that, statutes effectively force written clarity on leave, working hours, wages, and certain disciplinary procedures (especially where standing orders apply), with specifics varying by state and establishment type. Treat the rest as governance essentials. Verify current requirements for your states; this is general orientation, not legal advice.
How many policies does a 50-person company actually need?
Around twelve to fifteen well-maintained policies cover the essentials: code of conduct, leave and attendance, POSH, payroll and compensation, work hours/hybrid, IT and data security, confidentiality and IP, probation, performance and discipline, grievance, expenses, exit, plus equal opportunity and social media as the team grows. Better fewer and enforced than many and ignored.
What is the difference between an employee handbook and HR policies?
Policies are the individual governing documents, each with an owner, version, and approval. The handbook is the readable compilation — often summarised — given to employees for orientation. Best practice: handbook for accessibility, full policies as the authoritative versions, with the handbook explicitly deferring to them.
Do policies apply to contractors and interns?
Only if you make them apply. Define scope explicitly in each policy and mirror key obligations (conduct, confidentiality, IT security, POSH protections) in contractor agreements and intern letters. Workplace safety and harassment protections should cover everyone present in your workplace regardless of employment status.
How do we handle employees in multiple states with different leave laws?
Two common approaches: a single national policy set at or above the most generous applicable floor (simpler, slightly costlier), or state-wise annexures to one master policy (precise, more administration). Either way, map each state's shops and establishments requirements first, and configure your HRMS leave rules per state of work.
Can we change a policy that employees have already acknowledged?
Yes — policies are generally company-issued and amendable, provided changes don't breach contractual promises or statutory floors and are communicated prospectively with fresh acknowledgment. Significant changes to compensation-linked or contractual terms may need consent, not just notice. When in doubt, take advice before, not after.
What should we do first if we have no policies at all?
Sequence by risk: POSH framework first (it is mandatory and incident-sensitive), then leave/attendance and payroll (daily-use, statutory), then IT/data security and confidentiality (protects the business), then discipline, grievance, probation, and exit. A focused effort gets the essential set drafted, reviewed, and acknowledged within a quarter.
How often should policies be reviewed?
A scheduled annual review of everything, plus event-driven reviews on triggers: entering a new state, crossing headcount thresholds, labour code or data protection developments, incidents, and new work models or tools. Log every version with dates — disputes are judged against the version in force at the time.
Conclusion
A strong policy framework is not a binder — it is a small set of clear rules, written in plain language, matched to the law of every state you operate in, acknowledged by every employee, enforced without exceptions, and reviewed when the world changes. Companies that build this early spend their energy on growth instead of on incidents; companies that defer it eventually write the same policies anyway, under worse circumstances. If you want your policies to live where work happens — distributed digitally, acknowledged with audit trails, and enforced by the same system that runs leave, attendance, payroll, and exits — CozyHR makes that part simple; you can explore it at cozyhr.com.
This article provides general information, not legal advice. Statutory requirements vary by state and change over time — verify current laws for your establishments and consult qualified counsel for specific situations.
