Skip to main contentSkip to main content
    Policy Templates

    Information Security Policy Pack

    SOC 2 and ISO 27001 both expect a documented, approved, and communicated set of security policies. This pack outlines the core policies most in-scope organizations need and the key clauses each should contain, so you can draft or review yours quickly.

    How to use this template

    • Adopt only the policies that apply to your business — don't publish controls you can't operate.
    • Assign each policy an owner and an annual review date, and record leadership approval.
    • Publish policies where all staff can reach them and capture acknowledgement.
    • Map each policy clause to how you actually enforce it (the control + its evidence).

    Core policies

    These map to the SOC 2 common criteria and ISO 27001 Annex A themes most audits assess.

    Information Security Policy (master)

    The umbrella policy stating leadership commitment, scope, and the security program's objectives.

    • Scope, objectives, and roles/responsibilities
    • Reference to sub-policies and the risk-management approach
    • Leadership approval, review cadence, and enforcement/exceptions

    Access Control Policy

    How identities are provisioned, authenticated, authorized, reviewed, and revoked.

    • Least-privilege and role-based access
    • MFA/SSO requirements and password standards
    • Joiner/mover/leaver process and periodic access reviews

    Acceptable Use Policy

    Rules for using company systems, devices, and data.

    • Permitted/prohibited use and BYOD rules
    • Data-handling expectations and monitoring notice
    • Consequences of violations

    Data Classification & Handling Policy

    How data is classified and protected at each sensitivity level.

    • Classification tiers (e.g., Public / Internal / Confidential / Restricted)
    • Encryption, storage, transfer, and retention requirements per tier
    • Secure disposal

    Incident Response Policy

    How security incidents are detected, triaged, escalated, and resolved.

    • Severity definitions and roles (incident commander, comms)
    • Detection, containment, eradication, recovery, and lessons-learned steps
    • Breach-notification obligations and timelines

    Change Management Policy

    How code and infrastructure changes are reviewed, approved, and released.

    • Peer review and testing requirements
    • Approval and rollback procedures
    • Separation of duties and environments

    Risk Assessment & Treatment Policy

    How risks are identified, scored, and treated.

    • Assessment cadence and methodology
    • Risk register and treatment options (accept/mitigate/transfer/avoid)
    • Ownership and monitoring

    Vendor / Third-Party Risk Policy

    How subprocessors and vendors are assessed and monitored.

    • Vendor inventory and risk tiering
    • Due diligence (SOC 2/ISO reports, security reviews) and DPAs
    • Ongoing monitoring and offboarding

    Business Continuity & Disaster Recovery Policy

    How the business maintains and restores operations after disruption.

    • RTO/RPO targets for critical systems
    • Backup, restore-testing, and failover procedures
    • Plan testing cadence

    Secure Development Policy

    Security expectations across the SDLC.

    • Secure coding standards and dependency management
    • Testing (SAST/DAST/pen testing) and vulnerability SLAs
    • Code-review and secrets-management requirements

    Related

    This template is general guidance to accelerate your compliance program and is not legal advice. Adapt it to your organization and your auditor's requirements.