Uploaded by James Wright

SOC2 Breakout

Acceptable Use Policy: Defines the ways in which the network, website or system may be used. It can also
define which devices and types of removable media may be used, password requirements, and how
devices will be issued and returned.

Access Control Policy: Defines who will have access to company systems and how often those access
permissions will be reviewed.

Business Continuity Policy: Defines how employees will respond to a disruption to keep the business
running smoothly.

Control Environment
Change Management Policy: Defines how system changes will be documented and communicated
across your organization.

Confidentiality Policy: Defines how your organization will handle confidential information about clients,
partners, or the company itself.

Code of Conduct Policy: Defines the policies both employees and employers must adhere to. This
includes how people should interact with one another at work. Employees should sign off on the
document when onboarding as well as upon major update to acknowledge receipt and pledge to abide
by it as a condition of employment. Executive management and/or the Board of Directors should review
the Code of Conduct annually and make any necessary revisions.

Data Classification Policy: Defines how you will classify sensitive data according to the level of risk it
poses to your organization.

Disaster Recovery Policy: Defines how your company will recover from a disastrous event. It also
includes the minimum necessary functions your organization needs to continue operations.

Encryption Policy: Defines the type of data your organization will encrypt and how it’s encrypted.

Incident Response Policy: Defines roles and responsibilities in response to a data breach and during the
ensuing investigation.

Information Security Policy: Defines your approach to information security and why you’re putting
processes and policies in place.

Information, Software, and System Backup Policy: Defines how information from business applications
will be stored to ensure data recoverability.

Logging and Monitoring Policy: Defines which logs you’ll collect and monitor. It also covers what’s
captured in those logs, and which systems will be configured for logging.

Physical Security Policy: Defines how you will monitor and secure physical access to your company’s
location, including what you will do to prevent unauthorized physical access to data centers and equipment.

Password Policy: Defines the requirements for using strong passwords, password managers, and
password expirations.

Remote Access Policy: Defines who is authorized to work remotely. It also defines what type of
connectivity they will use and how that connection will be protected and monitored.

Risk Assessment and Mitigation Policy: Defines security threats that could occur and the action plan to
prevent those incidents.

Software Development Lifecycle Policy: Defines how you will ensure your software is built securely,
tested regularly, and complies with regulatory requirements.

Vendor Management Policy: Defines vendors that may introduce risk, as well as controls put in place to
minimize those risks.

Workstation Security Policy: Defines how you will secure your employees’ workstations to reduce the
risk of data loss and unauthorized access.

Organizational chart: Must include a group or person, independent of senior management, who oversees
them.

Human Resources Policy: Must include a group or person, independent of senior management, who
oversees them.
