Information Security Policy Pack
SOC 2 and ISO 27001 both expect a documented, approved, and communicated set of security policies. This pack outlines the core policies most in-scope organizations need and the key clauses each should contain, so you can draft or review yours quickly.
How to use this template
- Adopt only the policies that apply to your business — don't publish controls you can't operate.
- Assign each policy an owner and an annual review date, and record leadership approval.
- Publish policies where all staff can reach them and capture acknowledgement.
- Map each policy clause to how you actually enforce it (the control + its evidence).
Core policies
These map to the SOC 2 common criteria and ISO 27001 Annex A themes most audits assess.
Information Security Policy (master)
The umbrella policy stating leadership commitment, scope, and the security program's objectives.
- Scope, objectives, and roles/responsibilities
- Reference to sub-policies and the risk-management approach
- Leadership approval, review cadence, and enforcement/exceptions
Access Control Policy
How identities are provisioned, authenticated, authorized, reviewed, and revoked.
- Least-privilege and role-based access
- MFA/SSO requirements and password standards
- Joiner/mover/leaver process and periodic access reviews
Acceptable Use Policy
Rules for using company systems, devices, and data.
- Permitted/prohibited use and BYOD rules
- Data-handling expectations and monitoring notice
- Consequences of violations
Data Classification & Handling Policy
How data is classified and protected at each sensitivity level.
- Classification tiers (e.g., Public / Internal / Confidential / Restricted)
- Encryption, storage, transfer, and retention requirements per tier
- Secure disposal
Incident Response Policy
How security incidents are detected, triaged, escalated, and resolved.
- Severity definitions and roles (incident commander, comms)
- Detection, containment, eradication, recovery, and lessons-learned steps
- Breach-notification obligations and timelines
Change Management Policy
How code and infrastructure changes are reviewed, approved, and released.
- Peer review and testing requirements
- Approval and rollback procedures
- Separation of duties and environments
Risk Assessment & Treatment Policy
How risks are identified, scored, and treated.
- Assessment cadence and methodology
- Risk register and treatment options (accept/mitigate/transfer/avoid)
- Ownership and monitoring
Vendor / Third-Party Risk Policy
How subprocessors and vendors are assessed and monitored.
- Vendor inventory and risk tiering
- Due diligence (SOC 2/ISO reports, security reviews) and DPAs
- Ongoing monitoring and offboarding
Business Continuity & Disaster Recovery Policy
How the business maintains and restores operations after disruption.
- RTO/RPO targets for critical systems
- Backup, restore-testing, and failover procedures
- Plan testing cadence
Secure Development Policy
Security expectations across the SDLC.
- Secure coding standards and dependency management
- Testing (SAST/DAST/pen testing) and vulnerability SLAs
- Code-review and secrets-management requirements
Related
This template is general guidance to accelerate your compliance program and is not legal advice. Adapt it to your organization and your auditor's requirements.