IT Onboarding: Checklist and Process Guide

Every onboarding guide for IT setup starts the same way: "The IT department should provision accounts, configure devices, and brief the new hire on security policies." That is useful advice if you have an IT department. At a 20-person company, the person reading that sentence is also the CEO, the office manager, and the de facto IT department.

This guide is written for that person. The IT onboarding process here runs in three phases, takes less than two hours of active time spread across the week before and the week of a new hire's start date, and does not require any enterprise tools or technical expertise. It just requires doing the right things in the right order. FirstHR is built to automate the task tracking and document signing that makes this process run without reminders.

What Is IT Onboarding?

IT onboarding is the process of setting up technology, devices, software accounts, and system access for new employees before and during their first days at work. It includes hardware provisioning, account creation, security training, and access verification to ensure new hires can be productive from Day 1.

IT onboarding is a specific track within the broader employee onboarding process. General onboarding spans 90 days and covers culture, role expectations, team relationships, and performance milestones. IT onboarding is primarily a Day 1 and Week 1 activity. Both tracks run simultaneously, which is why combining them in a single workflow prevents the technology setup from being treated as an afterthought after the "real" onboarding is done.

Why IT Onboarding Matters for Small Businesses

Only 12% of employees say their company onboards well (Gallup), and a broken IT setup on Day 1 is one of the most visible signals that your company is in that 88%. A new hire who cannot access their email, the project management tool, or the shared drive on Day 1 wastes their own time and signals to the team that the company is disorganized. That signal is hard to walk back. Research from SHRM shows that employees who experience poor onboarding are significantly more likely to leave within the first 90 days.

For small businesses, the IT onboarding failure mode is almost always the same: accounts are created reactively on Day 1 instead of proactively before it. The new hire arrives, and someone scrambles to create an email, request tool access, and find a device. The setup takes three hours instead of ninety minutes, and the new hire spends their first day watching someone else manage IT tickets.

The ripple effects go further than the first morning. A new hire who spends Day 1 waiting for access forms an impression of organizational competence that shapes how they interpret everything that follows. If the first signal is chaos, they apply a chaos lens to the next ambiguous situation, the unclear process, the unresponsive manager. First impressions in onboarding are not just about feelings. They set the interpretive frame the new hire uses for their entire first 90 days.

IT onboarding also creates a security baseline from day one. Every new employee represents a new attack surface: a new set of credentials, a new device on your network, a new person who can be targeted by phishing. The 15-minute security briefing during IT onboarding is when you close that surface before it becomes a liability. Most small business security incidents are not sophisticated attacks. They are basic credential compromises that a 2FA requirement would have prevented.

IT onboarding also matters for security. Verizon's Data Breach Investigations Report consistently shows that compromised credentials are the leading cause of data breaches. A new employee who has never been briefed on phishing, who reuses passwords across personal and company accounts, and who has not enabled 2FA is a security risk from Day 1. The briefing takes fifteen minutes. The breach it prevents can cost far more than a small business can absorb.

The Complete IT Onboarding Checklist

This three-phase checklist covers everything from pre-boarding account creation through Week 1 verification. Every item has a clear action and can be completed by a non-technical person. For the broader onboarding context this checklist fits into, see the complete employee onboarding checklist for small businesses.

The most important design principle in this checklist: every item is a concrete action, not a category. "Set up accounts" is not a checklist item. "Create email address in Google Workspace admin panel" is. The specificity is what makes the checklist executable by whoever is running IT onboarding that week, whether it is you or someone you delegated to.

One addition worth making to your checklist: a verification column. After each item is completed, the owner marks it done and the new hire confirms they can access that tool. This two-step confirmation catches the setup errors that only become visible when someone actually tries to log in: wrong email domain, permissions set too low, accounts provisioned in the wrong workspace. Catching these on Day 1 takes two minutes. Catching them on Day 3 when the new hire realizes they cannot access a critical system wastes hours.

How to Run IT Onboarding Without an IT Department

Every IT onboarding guide assumes you have an IT team. You do not. Here is how to run the same process when you are the IT department, the HR department, and the person who also has seven other things to do this week.

The single most important shift in mindset: IT onboarding is a pre-boarding task, not a Day 1 task. By the time the new hire walks in, everything should already be created and waiting. Day 1 is for setup and handover, not for creation and provisioning. That distinction is the difference between a new hire who is productive by noon on Day 1 and one who watches you manage support tickets for three hours.

The Small Business IT Tool Stack

Enterprise IT guides recommend MDM platforms, IAM solutions, and SSO configurations. Most of those tools are overkill for a 15-person company and require technical expertise to configure. Here is the typical tool stack for a small business and the account setup that needs to happen for each category.

For developer or technical hires, the tool stack expands to include version control, development environments, and deployment tools. The developer onboarding guide covers that specific setup process separately.

A note on tool sprawl: small businesses accumulate tools faster than they document them. If you have not recently audited your tool stack, the IT onboarding process is a good forcing function. Before each new hire, run through every tool the company uses and confirm it belongs on the account creation list. Tools that nobody remembers using are tools that are paying for unused seats and creating unnecessary attack surface. Prune the list while you update it.

IT Security Basics Every New Hire Should Know

A fifteen-minute security briefing on Day 1 is one of the highest-ROI activities in IT onboarding. Most small business data incidents trace back to compromised credentials or a successful phishing attack, both of which are preventable with basic training. You do not need a security consultant to run this briefing. You need to cover four topics and have the new hire acknowledge them.

The security briefing should end with a signed acknowledgment, even if it is a simple "I have read and understood the IT security requirements" checkbox on the IT policy form. Acknowledgment signals that the rules are real and creates a record that the briefing occurred. This matters if an incident does happen and questions arise about what training the employee received.

For small businesses, the highest-priority security items in order are: 2FA on company email first (email is the master key to every other account), then 2FA on any financial tools, then password manager setup, then the phishing briefing. If you run out of time on Day 1, complete those four in that order and finish the rest in week one. An employee with 2FA-protected email and a password manager is dramatically more secure than one without either, regardless of whether they have completed every item on the security checklist.

Phishing deserves special attention at small businesses because founders and senior staff are disproportionately targeted. Business email compromise attacks often impersonate the CEO to request urgent wire transfers or payroll changes. Brief every new hire on the specific protocol for financial requests: any request involving money, even from a known email address, gets verified by phone before action is taken. This single protocol prevents the most expensive category of small business security incidents.

IT Onboarding Policy: What to Include

An IT onboarding policy is a written document that defines the rules governing technology use at your company. Every new hire should read and sign it on Day 1. For small businesses, this does not need to be a lengthy legal document. A one-page policy covering six sections is sufficient and will be more consistently read than a twenty-page handbook appendix.

Keep the IT policy in plain language. The goal is comprehension, not legal protection. A policy that employees actually understand and follow is more valuable than one that would hold up in court but gets ignored because nobody can parse it. Have a lawyer review it once when you write it, then update it annually or when your tool stack changes significantly.

The acceptable use section is where most small businesses are too vague. "Use company devices responsibly" is not a policy. A policy specifies: personal use is permitted during non-work hours, prohibited activities include installing unlicensed software and accessing adult content, and the company reserves the right to inspect company-owned devices. That level of specificity feels uncomfortable to write, but it is what makes the policy enforceable and what sets clear expectations from Day 1.

The offboarding section of the IT policy is the one most companies forget to include. Every policy should state explicitly that access will be revoked within 24 hours of termination and that company devices must be returned within a specified timeframe. Having this in a signed policy document simplifies the offboarding conversation and gives you a clear basis for action if a former employee retains access to company systems. The employee offboarding checklist has the full IT revocation process to pair with this policy.

Remote and Hybrid IT Onboarding

Remote IT onboarding runs the same three phases as in-person onboarding with additional logistics for physical device delivery and remote configuration. The biggest failure point for remote IT setup is timing: equipment that arrives on Day 2 because someone forgot to order it early enough.

For hybrid teams where some employees are in-office and some are remote, standardize the IT onboarding process regardless of location. Use the same checklist, the same security briefing, and the same policy acknowledgment. The only difference is whether the Day 1 setup session is in-person or via screen share. Standardization prevents the gap where remote employees get less thorough IT onboarding because "we just sent them the instructions."

One remote-specific risk worth addressing explicitly: credential delivery. In-person onboarding has a natural security advantage: you hand the device to the person in front of you and set up accounts together. Remote onboarding requires sending credentials before the new hire can do anything. Never send passwords in plain text email or Slack. Use your password manager's secure sharing feature, a one-time link service, or a secure note that expires. The new hire should change all provisioned passwords on first login, and that should be a documented step in your checklist, not an assumption.

For fully distributed teams where every employee is remote, consider investing in Apple Business Manager or Microsoft Intune for device management. Both allow you to ship a device that self-configures when the new hire powers it on, eliminating the need for manual setup. The upfront configuration cost (a few hours for someone with basic technical comfort) pays for itself quickly if you hire more than four or five remote employees per year. The digital employee onboarding guide covers automation options for distributed teams in more depth.

Common IT Onboarding Mistakes to Avoid

These four mistakes appear consistently in small business IT onboarding failures. Each one is preventable with a specific process change that takes less time to implement than the mistake costs to fix.

The common thread across all four mistakes: IT onboarding fails when it is treated as a reactive task rather than a proactive process. Every item on the list above is solved by moving the work earlier: accounts created before Day 1, password manager set up on Day 1 not week two, 2FA enabled during setup not left to the employee's discretion, offboarding list built during onboarding not assembled under pressure after a departure. The checklist does not require more time. It requires doing the same work earlier.

Frequently Asked Questions