PolicyForge

All policy templates

60 bilingual templates covering 38 compliance frameworks. Generate the policy that fits your context in minutes.

Frameworks covered (number of templates mapped to each): AI Act (2), ANSSI (1), CCPA (1), CMMC (1), CPRA (1), Cyber Essentials (1), DFARS (1), DORA (6), ePrivacy (1), EU Whistleblower Directive (1), FCPA (1), FedRAMP (1), FIPS (1), FISMA (1), GDPR (17), HDS (1), HIPAA (7), HITRUST (1), ISO 15489 (1), ISO 22301 (5), ISO 27001 (50), ISO 27005 (1), ISO 27017 (3), ISO 27018 (3), ISO 27034 (1), ISO 27701 (8), ISO 37001 (1), ISO 42001 (2), NIS2 (12), NIST (18), OWASP (1), PCI DSS (10), Sapin II (1), SecNumCloud (1), SOC 2 (39), SOX (2), TISAX (1), UK Bribery Act (1).

Each template is listed once below, alphabetically, with every framework it maps to.

Acceptable Use Policy

Defines acceptable and prohibited uses of company systems, devices, and networks.

Frameworks: SOC 2, ISO 27001

Access Control Policy

Defines how users gain, change, and lose access to systems and data.

Frameworks: SOC 2, ISO 27001

AI Acceptable Use Policy

Defines how employees may use generative AI and machine-learning tools — public chatbots, copilots, embedded assistants.

Frameworks: AI Act, ISO 42001, ISO 27701, SOC 2

AI Governance Policy

Defines how AI systems are designed, evaluated, deployed, and overseen — aligned with the EU AI Act and ISO/IEC 42001.

Frameworks: AI Act, ISO 42001, ISO 27701, GDPR

Anti-Bribery & Corruption Policy

Prohibits bribery and corruption in any form, aligned with the FCPA (US), the UK Bribery Act, Sapin II (France), and ISO 37001.

Frameworks: FCPA, UK Bribery Act, Sapin II, ISO 37001

Anti-Phishing & Social Engineering Policy

Establishes how the workforce recognizes, reports, and is protected from phishing, vishing, smishing, and other social engineering attacks.

Frameworks: ISO 27001, SOC 2, NIS2, HIPAA

API Security Policy

Defines security requirements for internal and external APIs across design, deployment, and decommissioning.

Frameworks: ISO 27001, NIST, OWASP, SOC 2

Asset Management Policy

Defines how IT assets are inventoried, classified, owned, and decommissioned.

Frameworks: SOC 2, ISO 27001

Background Check Policy

Defines pre-employment background verification proportionate to role sensitivity, in compliance with local labour and privacy law.

Frameworks: ISO 27001, SOC 2, GDPR, NIS2

Backup & Recovery Policy

Defines how data is backed up, retained, and restored to support business continuity.

Frameworks: SOC 2, ISO 27001

Business Continuity Policy

Establishes the business continuity management system aligned with ISO 22301 — business impact analysis (BIA), plans, exercises, governance.

Frameworks: ISO 22301, DORA, SOC 2, NIS2

BYOD Policy

Defines acceptable use of personal devices for work, with security controls and reimbursement terms.

Frameworks: SOC 2, ISO 27001

Capacity Management Policy

Ensures system capacity is monitored and planned to meet current and forecasted business demand (ISO 27001 A.8.6, SOC 2 availability criteria A1).

Frameworks: ISO 27001, SOC 2, ISO 22301

CCPA / CPRA Privacy Policy

Discloses consumer rights and data practices under the California Consumer Privacy Act and the California Privacy Rights Act.

Frameworks: CCPA, CPRA, GDPR, ISO 27701

Change Management Policy

Defines how changes to production systems are proposed, reviewed, deployed, and rolled back.

Frameworks: SOC 2, ISO 27001

Cloud Security Policy (ISO 27017)

Extends ISO 27001 controls with cloud-specific guidance per ISO/IEC 27017, defining the shared responsibility for security in cloud services.

Frameworks: ISO 27017, ISO 27001, SOC 2, ISO 27018

CMMC Policy

Aligns the organization with the Cybersecurity Maturity Model Certification (CMMC) for US Department of Defense contractors and subcontractors.

Frameworks: CMMC, NIST, DFARS

Configuration Management Policy

Defines how baseline configurations are established, deployed, and protected from unauthorized change (NIST SP 800-53 CM family, ISO 27001 A.8.9).

Frameworks: NIST, ISO 27001, SOC 2, PCI DSS

Cookie Policy

Discloses the cookies set on your website, their purpose, their retention, and how visitors can manage them.

Frameworks: GDPR, ePrivacy, ISO 27701

Crisis Management Policy

Establishes the organization-wide framework for responding to severe events — cyber, safety, reputational, legal — beyond business continuity.

Frameworks: ISO 22301, DORA, NIS2

Cryptographic Key Management Policy

Defines the full lifecycle of cryptographic keys aligned with NIST SP 800-57 and FIPS 140-3.

Frameworks: NIST, ISO 27001, PCI DSS, FIPS

Cyber Essentials Policy

Documents the five technical controls required by the UK NCSC Cyber Essentials and Cyber Essentials Plus schemes.

Frameworks: Cyber Essentials, ISO 27001, SOC 2

Data Loss Prevention Policy

Defines controls to detect and prevent unauthorized exfiltration of sensitive data across email, endpoints, cloud, and network egress.

Frameworks: ISO 27001, SOC 2, PCI DSS, GDPR, HIPAA

Data Protection Policy

Defines how personal and sensitive data is collected, processed, stored, and protected, aligned with GDPR essentials.

Frameworks: GDPR, ISO 27001, SOC 2

Data Retention Policy

Defines how long data is kept, why, and how it is securely destroyed when the retention period expires.

Frameworks: GDPR, ISO 27701, ISO 27001

Disciplinary Policy for Cybersecurity Violations

Defines the consistent, proportionate disciplinary process for workforce violations of information security policies.

Frameworks: ISO 27001, SOC 2, NIS2, HIPAA

Email Use Policy

Defines acceptable, secure, and professional use of company email.

Frameworks: SOC 2, ISO 27001

Encryption Policy

Defines cryptographic standards for data at rest and in transit, and key management practices.

Frameworks: SOC 2, ISO 27001, GDPR

FedRAMP Policy

Aligns a cloud service offering with FedRAMP authorization requirements for use by US federal agencies.

Frameworks: FedRAMP, NIST, FISMA

HDS Health Data Hosting Policy

Aligns the organization with the French HDS (Hébergeur de Données de Santé) certification for hosting personal health data.

Frameworks: HDS, GDPR, ISO 27001, ISO 27017, ISO 27018

HIPAA Security & Privacy Policy

Establishes safeguards for Protected Health Information (PHI) in alignment with the HIPAA Security and Privacy Rules.

Frameworks: HIPAA, ISO 27701, ISO 27001

HITRUST CSF Policy

Aligns information protection with the HITRUST Common Security Framework, widely used as a de facto standard in US healthcare.

Frameworks: HITRUST, HIPAA, ISO 27001, NIST

ICT Third-Party Risk Policy

Manages ICT third-party risk in alignment with EU DORA — including criticality assessment, the register of information, and exit strategies.

Frameworks: DORA, NIS2, ISO 27001

Identity & Access Management Policy

Establishes IAM principles: identity proofing, authentication, authorization, federation, and lifecycle management.

Frameworks: NIST, ISO 27001, SOC 2, NIS2

Incident Communication Playbook

Defines who communicates what, to whom, and when during a cybersecurity incident — internal, customer, regulator, and public.

Frameworks: ISO 27001, SOC 2, GDPR, NIS2, DORA

Incident Response Policy

Defines how the organization detects, responds to, and learns from security incidents.

Frameworks: SOC 2, ISO 27001, GDPR

Information Classification Policy

Defines how information is classified by sensitivity and the protections each tier requires.

Frameworks: SOC 2, ISO 27001, NIST

Logging & Monitoring Policy

Defines what is logged, how logs are protected and retained, and how monitoring drives detection and response.

Frameworks: NIST, SOC 2, ISO 27001, PCI DSS

Network Security Policy

Defines network segmentation, perimeter and lateral-movement controls, secure connectivity, and zero-trust principles.

Frameworks: NIST, ISO 27001, SOC 2, PCI DSS

NIS2 Cybersecurity Risk Management Policy

Establishes the cybersecurity risk-management measures required by EU Directive 2022/2555 (NIS2) for essential and important entities.

Frameworks: NIS2, DORA, ISO 27001, ISO 22301

Open-Source Software Policy

Defines how open-source dependencies are evaluated, approved, monitored, and contributed to.

Frameworks: ISO 27001, NIST, SOC 2

Operational Resilience Policy

Establishes the framework to identify, protect against, detect, respond to, recover from, and learn from operational disruptions (DORA / NIS2 aligned).

Frameworks: DORA, NIS2, ISO 22301

Password Policy

Defines password requirements and management practices.

Frameworks: SOC 2, ISO 27001

Patch Management Policy

Defines how operating system, application, and firmware patches are evaluated, tested, deployed, and verified.

Frameworks: NIST, ISO 27001, PCI DSS, SOC 2

PCI DSS Cardholder Data Protection Policy

Protects cardholder data (CHD) and the Cardholder Data Environment (CDE) in alignment with PCI DSS v4.0.

Frameworks: PCI DSS, ISO 27001, SOC 2

Penetration Testing Policy

Establishes the program for authorized adversarial security testing of systems and applications.

Frameworks: ISO 27001, SOC 2, PCI DSS, NIST

Physical & Environmental Security Policy

Defines protection of facilities, equipment, and the environment supporting information systems (ISO 27001:2022 Annex A.7).

Frameworks: ISO 27001, SOC 2, PCI DSS, HIPAA

PII Protection in Public Cloud Policy (ISO 27018)

Implements the safeguards for processing PII as a public cloud PII processor in alignment with ISO/IEC 27018.

Frameworks: ISO 27018, ISO 27017, ISO 27701, GDPR, ISO 27001

Privacy Information Management Policy

Establishes a Privacy Information Management System aligned with ISO/IEC 27701, built on top of ISO 27001.

Frameworks: ISO 27701, GDPR, ISO 27001

Records Management Policy

Governs the creation, classification, retention, access, and destruction of organizational records (broader in scope than data retention).

Frameworks: GDPR, ISO 27001, ISO 15489, SOX

Remote Work Policy

Sets security and operational expectations for employees working outside the office.

Frameworks: SOC 2, ISO 27001

Risk Management Policy

Defines how risks are identified, assessed, treated, monitored, and reported (aligned with the NIST RMF and ISO 27005).

Frameworks: NIST, ISO 27001, ISO 27005, SOC 2

SecNumCloud Compliance Policy

Aligns the cloud service provider with the French ANSSI SecNumCloud qualification requirements.

Frameworks: SecNumCloud, ANSSI, ISO 27001, GDPR

Secure Onboarding & Offboarding Policy

Defines the security activities for joiners, internal movers, and leavers — from access provisioning to deprovisioning and exit interviews.

Frameworks: ISO 27001, SOC 2, NIST, NIS2

Secure Software Development Policy

Embeds security throughout the software development lifecycle (NIST SSDF, ISO/IEC 27034).

Frameworks: NIST, ISO 27034, ISO 27001, SOC 2

Security Awareness & Training Policy

Defines mandatory cybersecurity training, awareness campaigns, and effectiveness measurement.

Frameworks: NIST, ISO 27001, SOC 2, NIS2, HIPAA

TISAX Policy

Aligns information security with the TISAX (Trusted Information Security Assessment eXchange) catalogue used across the European automotive industry.

Frameworks: TISAX, ISO 27001, GDPR

Vendor & Third-Party Management Policy

Defines how vendors and third parties are assessed, contracted, monitored, and offboarded.

Frameworks: SOC 2, ISO 27001, GDPR

Vulnerability Management Policy

Establishes how vulnerabilities are discovered, prioritized, remediated, and verified across the technology stack.

Frameworks: NIST, PCI DSS, SOC 2, ISO 27001

Whistleblower Policy

Provides safe internal and external reporting channels and anti-retaliation protections, aligned with EU Directive 2019/1937 and its national implementations.

Frameworks: EU Whistleblower Directive, ISO 27001, SOX

Ready to generate your policies?

Create a free account and start drafting your policies in minutes.