Information Security Policy: Starter Pack
A pragmatic policy suite you can adapt in a week, not a quarter, covering the 12 policies every security program needs.
Security policies fail in exactly two ways. The first is being too thin, a one-page “we take security seriously” statement that no auditor accepts as a real control, and that gives employees no practical guidance. The second is the opposite extreme: an 80-page binder assembled from a template dump, full of corporate boilerplate that nobody has read since the day it was signed, let alone follows. The moment an auditor asks an employee to explain the change-management process and they stare blankly, the binder becomes evidence against you.
The goal of a working policy suite is to be short enough that people actually read it, specific enough that it drives real behavior, and structured enough that an auditor or customer security questionnaire can tie each requirement to a named document with an owner, a version number, and a review date. This guide covers the 12 policies every program needs, what each one should say, the most common mistake teams make with each, and how to make the whole suite stick.
Four attributes of a policy that works
Short and enforceable. If it takes 30 minutes to read a single policy, it won’t be read. Aim for one to three pages per document, enough to define scope, requirements, roles, and exceptions. Version-controlled. Every document should carry a version number, an effective date, an approver, and a next-review date. Owned. Every policy needs a named owner who is accountable for keeping it current and ensuring it is followed. Framework-mapped. Even if you are not pursuing a formal certification, mapping each policy to NIST CSF functions or SOC 2 Trust Services Criteria lets you track control coverage and answer security questionnaires in minutes rather than days.
The Core Policy Suite, 12 Documents Every Program Needs
These 12 policies represent the minimum viable set recognized by frameworks including SOC 2, NIST CSF, NIST 800-171, and ISO 27001. Each entry below describes what the policy should cover and the single most common mistake organizations make when writing or operating it.
1. Information Security Policy (Umbrella / Management Commitment)
This is the top-level document: it states that the organization is committed to protecting information assets, defines the scope of the security program, assigns overall accountability to a named role (typically the CISO, vCISO, or CTO), and references the other policies in the suite. Auditors look for this document first because it establishes the governance foundation everything else rests on.
Most common mistake: Writing this as a vague mission statement rather than a binding commitment. The policy should name specific roles with security responsibilities, reference the risk management process, and carry an executive signature, not just say “leadership values security.”
2. Acceptable Use Policy
Defines what employees, contractors, and third parties may and may not do with company systems, networks, devices, and data. Covers personal use of corporate devices, prohibited activities (circumventing security controls, installing unauthorized software, sharing credentials), and the consequences of violations.
Most common mistake: Treating this as a legal-only document and never surfacing it during onboarding or annual training. If employees cannot recall any specific requirement from the AUP, it is not operating as a control, it is a liability hedge that did not work.
3. Access Control Policy
Establishes the principle of least privilege: users receive only the access rights required for their job function, access is reviewed on a defined schedule (typically quarterly), and joiners, movers, and leavers (JML) are handled through a documented provisioning and deprovisioning process. Also addresses privileged access and the prohibition of shared accounts.
Most common mistake: Defining the policy but skipping the access review cadence. Auditors will sample evidence of completed reviews across the observation window. “We review when we remember to” is not a control, it’s a gap.
4. Authentication & Password Policy
Sets minimum requirements for multi-factor authentication (MFA), password complexity and length, password manager use, prohibition on reuse, and handling of secrets (API keys, service account credentials, certificates). Should explicitly require MFA for all administrative access, remote access, and cloud console access.
Most common mistake: Writing MFA as a “should” rather than a “must,” then discovering during fieldwork that 20 percent of accounts are MFA-exempt because someone needed an exception two years ago and it was never closed. Exceptions require documented approval and an expiry date.
5. Data Classification & Handling Policy
Defines data classification tiers (typically: Public, Internal, Confidential, Restricted or similar), the types of data in each tier, and the handling requirements for each, including encryption in transit and at rest, storage location, sharing restrictions, and disposal requirements. This policy is the prerequisite for almost every other data-related control.
Most common mistake: Creating four tiers when two or three are sufficient. The more tiers you define, the more classification decisions employees have to make correctly. Most organizations’ data falls cleanly into “customer data and credentials” (Restricted), “internal business information” (Confidential), and everything else. Complexity in classification leads to classification being ignored entirely.
6. Incident Response Policy
Defines how the organization identifies, contains, eradicates, and recovers from security incidents. Documents the incident severity matrix, the on-call escalation chain, internal and external communication requirements (customers, regulators, counsel), and post-incident review obligations. Should reference a separate incident response runbook for operational procedures.
Most common mistake: Defining a beautiful IR process but never testing it. A tabletop exercise once a year, even a 90-minute walk-through of a simulated ransomware scenario, surfaces the gaps before a real incident does. The policy should require it.
7. Business Continuity & Disaster Recovery Policy
Documents the organization’s recovery objectives, Recovery Time Objective (RTO) and Recovery Point Objective (RPO), for critical systems, the roles and decision-making authority during a declared disaster, and the requirement to test recovery procedures on a defined schedule. This policy is the governance layer; the DR runbook is the operational one.
Most common mistake: Setting RTO/RPO targets in the policy that the technical environment cannot actually meet, because nobody tested recovery before the targets were written. The targets should come from a business impact analysis, not from aspirational guesswork.
8. Vendor / Third-Party Risk Management Policy
Establishes requirements for assessing security risk before onboarding a vendor, the minimum security standards vendors must meet (including the expectation of their own SOC 2 or equivalent), periodic reassessment cadences, contractual security requirements (BAA, DPA, security addenda), and the process for offboarding vendors and revoking their access.
Most common mistake: Applying the same review depth to every vendor regardless of data access. A vendor with access to customer PII warrants a full security review and contractual DPA; a vendor who provides office plants does not. Tiering vendors by data access and system access keeps the program manageable and the highest-risk relationships appropriately scrutinized.
9. Change Management Policy
Defines how changes to production systems, applications, infrastructure, and configurations are requested, reviewed, approved, tested, and documented. Distinguishes between standard changes (pre-approved, low-risk), normal changes (require CAB or peer review), and emergency changes (expedited path with post-hoc documentation). Establishes the requirement for rollback procedures.
Most common mistake: Exempting infrastructure-as-code or cloud console changes from the change management process because “that’s DevOps.” SOC 2 auditors sample change tickets; if your Terraform runs or AWS console changes have no associated ticket or approval trail, you have a change management gap regardless of what the policy says.
10. Asset Management Policy
Requires maintaining an inventory of all hardware assets (endpoints, servers, network devices), software assets (licensed applications, SaaS subscriptions), and cloud resources. Defines asset lifecycle from procurement through secure disposal, including media sanitization requirements. An accurate asset inventory is also the prerequisite for effective vulnerability management.
Most common mistake: Treating the asset inventory as a spreadsheet someone updates manually when they remember to. The policy should require automated discovery and reconciliation, through your MDM, endpoint agent, or cloud asset management tooling, so the inventory is continuously accurate rather than a quarterly snapshot that is already stale by the time it is reviewed.
11. Vulnerability & Patch Management Policy
Defines the cadence for vulnerability scanning (typically weekly or monthly for internal assets, continuous for internet-facing), the severity-based remediation SLAs (e.g., Critical: 14 days, High: 30 days, Medium: 90 days), and the process for tracking exceptions when remediation cannot meet the SLA. Also covers operating system and application patching cadences.
Most common mistake: Setting aggressive SLAs, “Critical: 7 days”, without the operational capacity to meet them, then generating a long exception list that signals to auditors that the policy is aspirational rather than operational. It is better to have a 14-day Critical SLA that you consistently meet than a 7-day SLA with 40 percent of Criticals on permanent exceptions.
12. Security Awareness & Training Policy
Requires all personnel to complete security awareness training upon hire and annually thereafter, defines the minimum training content (phishing, social engineering, data handling, incident reporting), and specifies how completion is tracked. Should also address role-specific training for high-risk roles such as developers (secure coding) and finance personnel (wire fraud and BEC).
Most common mistake: Purchasing an annual video-based training module and calling the program complete. Training that is delivered once, never reinforced, and never tested with simulated phishing produces completion metrics, not behavior change. The policy should require more than checkbox compliance.
Optional but Worth Adding
Once the core 12 are in place, these four policies address common gaps that appear as organizations mature or face specific regulatory requirements:
- Encryption & Key Management Policy: Documents encryption standards (AES-256 at rest, TLS 1.2+ in transit), key lifecycle management (generation, rotation, revocation, destruction), and prohibitions on hardcoded secrets. Especially important for organizations handling regulated data or operating in multi-cloud environments.
- Remote Work & BYOD Policy: Defines security requirements for employees working outside the office and for personal devices used to access corporate resources, VPN requirements, MDM enrollment, screen lock, prohibited data storage locations, and the right-to-wipe provisions for BYOD devices.
- Logging & Monitoring Policy: Specifies which systems must generate logs, what events must be captured, minimum log retention periods, and how logs are reviewed and alerted on. Increasingly required by frameworks and enterprise buyers who want evidence of a functioning SIEM or log aggregation capability.
- Data Retention & Disposal Policy: Defines how long different categories of data must be retained, where that retention is documented in contract or regulation, and the process for secure disposal, both for physical media and for cloud data. Pairs with the Data Classification policy.
How to Make Them Stick
Writing the policies is the easy part. The harder work is making them operational, turning documents into actual controls. These are the practices that separate programs where the policies are real from programs where they are decoration.
- Keep each policy short. One to three pages per document. If it runs longer, split it into a policy (the “what” and “why”) and a procedure or standard (the “how”). Employees can read and remember a one-page policy; they cannot internalize a 15-page document.
- Assign a named owner to every policy. The owner is responsible for keeping it current, answering questions about it, and ensuring it is being followed in their domain. “The security team” is not an owner. A specific person with the accountability in their job description is an owner.
- Version and date every document. Every policy should show version number, effective date, author, approver, and next review date in the header or footer. This is not bureaucracy, it is the evidence an auditor needs to confirm the policy was reviewed and approved by someone with authority.
- Review annually at minimum. Technology, threats, and business processes change. A policy written two years ago that still references on-premise servers for an organization that moved to cloud is not a current control, it is a finding waiting to happen. Put the review date in someone’s annual goals.
- Map controls to a framework. Even informally, note which NIST CSF function or SOC 2 Trust Services Criteria category each policy supports. This mapping makes security questionnaire responses faster, compliance gap analysis easier, and the policy suite legible to auditors who think in framework terms.
- Train people on them. At minimum, every employee should see the Acceptable Use Policy and the Incident Response Policy as part of onboarding. Role-specific policies, Change Management for engineers, Vendor Risk for procurement, should be part of role onboarding. Annual training should reference specific policies, not just generic security awareness content.
- Enforce through technical controls, not the honor system. A policy that says “MFA is required” but is not backed by a Conditional Access rule that blocks non-MFA sessions is not a control, it is a suggestion. Every policy requirement that can be technically enforced should be. The policy is the governance layer; the technical control is the enforcement layer.
Framework Mapping Reference
The table below maps representative policies to common framework categories. This is not exhaustive, most policies touch multiple controls, but it illustrates the coverage a complete policy suite provides.
| Policy | SOC 2 Trust Services Criteria | NIST CSF Function |
|---|---|---|
| Information Security Policy (umbrella) | CC1, Control Environment | Govern (GV) |
| Access Control Policy | CC6, Logical & Physical Access | Protect (PR.AC) |
| Authentication & Password Policy | CC6.1, Authentication | Protect (PR.AC) |
| Data Classification & Handling | CC6.1, CC6.7, Data Handling | Identify (ID.AM), Protect (PR.DS) |
| Incident Response Policy | CC7.3, CC7.4, Incident Response | Respond (RS), Recover (RC) |
| Change Management Policy | CC8, Change Management | Protect (PR.IP) |
| Vulnerability & Patch Management | CC7.1, Threat Detection | Identify (ID.RA), Protect (PR.IP) |
| Vendor / Third-Party Risk Management | CC9.2, Vendor Management | Identify (ID.SC) |
| Business Continuity & DR Policy | A1, Availability | Recover (RC.RP) |
| Security Awareness & Training | CC1.4, Commitment to Competence | Protect (PR.AT) |
Related Reading
If you are building a policy suite in preparation for a formal audit, the companion article The Pragmatic SOC 2 Timeline explains what each phase of a SOC 2 Type II actually costs in calendar time and internal effort, including the readiness phase where the policy suite is one of the primary gap areas.
A complete policy suite is also the foundation for the compliance work we do with clients: policies define the control environment, and controls need to be designed, implemented, and operated before any audit window can begin.
We build and operate the full program
Writing 12 policies is a week of work. Keeping them current, ensuring they are followed, mapping them to evidence, and operating the controls beneath them is ongoing, and it is exactly the work a vCISO engagement is designed to carry. We build the policy suite, install the technical controls that enforce it, and run the governance program, quarterly reviews, access certifications, vendor assessments, training cadences, so your team stays focused on the business. If you want to discuss what a program build looks like for your organization, start with a conversation.