We will keep it simple and get straight to the point :).
Here is a list of the top ten mandatory policies that each company should put in place when they start their SOC 2, ISO 27001, or FedRAMP journey. Along with each policy, you will find a brief description of what that policy means, why it is required, and the topics you should cover.
You can also access complete document templates by logging in to ControlMap or starting your trial.
Here is the list of top 10 policies for IT Compliance programs such as SOC 2, ISO 27001, and more.
1. Acceptable Use Policy
An Acceptable Use Policy documents the constraints, practices, and rules put in place by the IT organization for the usage of IT assets such as laptops, desktops, printers, networks, etc.
An acceptable use policy protects employees, partners, customers, and other stakeholders of a company against illegal, discriminatory, and harassing actions by other individuals in the company. When publishing an acceptable use policy, you should plan to include at least the following sections.
- Acceptable use of computer equipment (for example, laptops and desktops issued by the company should be used for business purposes).
- Acceptable use of the IT network (for example, employees are prohibited from using the network for illegal or abusive activities).
- Acceptable use of company mobile devices (for example, devices should connect to the company network every day for security updates).
- Acceptable use of official communication channels such as email, Slack, etc.
2. Access Control Policy
An Access Control Policy is published to communicate the procedures and steps a company must take to ensure that access to its assets, information, and data is restricted to the accounts of authorized employees and contractors. This policy ensures that all employees understand the access they have to the information systems and the steps they need to take to request additional access. A well-documented, implemented, and communicated Access Control Policy protects data and assets from being accessed by malicious sources. An Access Control Policy must include
- Types of accounts in a company (individual, group, system, application, team, elevated, temporary).
- Rules for membership in each group and the approvals required.
- Rules for provisioning and de-provisioning accounts for new and terminated employees.
- Review frequency for elevated, temporary, and other access.
3. Change Management Policy
A Change Management Policy lays down the rules for managing changes to the production environments within an IT organization. The primary purpose of this policy document is to define practices that directly minimize the risks arising from unauthorized, untested, and otherwise sub-optimal changes. A change management policy should at a minimum include
- Common types of changes in the IT organization (typically categorized by the impact and risk of the change itself).
- The end-to-end process for a change, from origination through implementation to triage (including the approval process, if any).
- Personnel involved in each step of the change process.
- Reporting and maintenance of each change record for compliance and audit purposes.
4. Code Of Conduct Policy
The Code of Conduct or Ethics Policy is an important document that lays down the fair practices and procedures a company has put in place to make each employee feel safe, respected, and assured of ethical conduct. It assures employees, customers, vendors, and other stakeholders that the company treats issues related to misconduct and impropriety with the utmost importance. Most importantly, the Code of Conduct or Ethics Policy must include guarantees and a commitment by upper management to uphold ethics, values, and moral responsibilities as a top priority. It must contain the following.
- Overall practices put in place by the company to promote ethical behavior
- Expectations of employees and other stakeholders
- Responsibilities of management
- How to report, handle, and resolve a misconduct report
- Violations and disciplinary actions
5. Data Classification Policy
A Data Classification Policy defines the categories into which a company's data is organized, driven by the security and business risk the data poses in case of loss or theft. Common categories used are 'sensitive', 'public', 'confidential', or 'personal'. This classification directly drives the security and access controls applied to protect the data and its storage from threat sources. A data classification policy must contain the following information
- Categories / classes of data
- Attributes of the data in each class
- Who has access to each class of data
- How each class of data is protected
- List of information systems and the class of data each stores
6. Disaster Recovery Plan
The Disaster Recovery Plan is management’s statement of how it intends to deal with a disaster. It publishes the steps management has taken to keep the business operating in a stable state in the face of a natural or human-made disaster. It demonstrates management’s commitment to its customers and employees to maintain business continuity, not only in cases of weather calamities but also during prolonged system failures or outages.
A disaster recovery plan must include the following
- Data backup and restoration
- Equipment replacement and recovery
- Network restoration and recovery
- Teams responsible for all or individual IT systems
- Periodic testing of the disaster recovery plan
- Frequency of update and review
7. Information Security Policy
The Information Security Policy is perhaps the most critical policy document published by the Infosec team. The purpose of an Information Security Policy is to communicate to all employees and contractors the rules for maintaining a secure IT environment. These policies and procedures mitigate the risks posed by internal and external threat sources and malicious actors. This policy also acts as the go-to document for each employee to find details about the organization’s security posture. The Information Security Policy document includes many other policy documents, such as
- Firewall / network security policies, including policies for switches, routers, etc.
- Wireless security policies
- Server security policy
- Web application security policies
- Remote access policy, including remote mobile connections, VPN, teleworking, etc.
- Antivirus and anti-malware policy
We are writing a separate post about how to develop a concrete Information Security Policy Document. The details will be available soon.
8. Risk Assessment Policy
The Risk Assessment Policy publishes the plan for the Infosec team to conduct regular and periodic risk assessments. A risk assessment may include identifying new vulnerabilities, threats, and threat sources while updating the likelihood and impact scores.
A periodic risk assessment ensures that the organization’s security controls are up to date and designed to mitigate risk. The Risk Assessment Policy must have the following sections.
- The risk assessment approach taken by the Infosec team (for example, vulnerability-based, threat-based, or asset-based).
- The risk analysis/scoring approach (quantitative or qualitative)
- The responsible owners for the various information systems
- The controls associated with each risk they mitigate
9. Security Incident Handling / Response Policy
A Security Incident Handling and Response Policy tells the business, support, and other teams how to respond in case of a security incident. The policy ensures that all the information needed by the different teams to respond to a security incident is readily available to all groups. A well-written security incident response policy enables an appropriate and timely response to customers who are impacted by the events and also ensures the necessary mitigation efforts for the security incident.
A security incident response policy must contain the following.
- Classification of incidents and the related SLAs
- Contact details and composition of the Incident Response Team
- Response plan for each incident type, containing details of the issue, mitigations, and testing involved
- Plan for updating existing controls to mitigate the same issue in the future
10. Vendor Management Policy
A Vendor Management Policy sets out your company’s rules of engagement with vendors. It’s an important document defining the mandatory criteria vendors must meet to do business with you. It also categorizes vendors into different tiers based on the type of data and information systems they access while offering their products and services. Adherence ensures that vendors treat and secure your data at the same level as you do. This policy must contain the following
- The security assessment process for a vendor, including the policy documentation vendors are required to provide
- Tiers of vendors based on the class of data they access
- Mandatory assessments/certifications required of the vendor
- Onboarding checks and approvals for a vendor
- Offboarding process for a vendor