Background
Each framework has its own unique set of requirements, standards, and policies that must be implemented to achieve and maintain compliance. Understanding which policies are essential for each framework brings efficiency, allows for prioritization, provides clear guidance for implementation, and helps organizations develop a systematic approach in streamlining compliance efforts and properly allocate resources.
Our compliance advisors team has written guidance articles to provide more context for many of the polices. The policy name hyperlinks to guidance articles where applicable.
Policies to Framework Summary Table
Policies to Framework Summary Table
Policy | Description | Policy Control | Applicable Framework |
The Acceptable Use Policy specifies acceptable use of end-user computing devices and technology. | DCF-37 | SOC2 ISO 27001:13 ISO 27001:22 ISO 27017:15 ISO 27018:19 ISO 27701:19 HIPAA PCI CCPA / CPRA CCM v4 FedRAMP Cyber Essentials NIST 800-171r2 NIST AI RMF NIST CSF NIST CSF 2.0 NIST SP 800-53r5 NIS 2 CMMC COBIT FFIEC GDPR MS SSPA SOX ITGC | |
The Asset Management Policy defines the implementation and documentation of asset management practices, plans, processes & procedures within the organization. | DCF-182 | SOC 2 ISO 27001:13 ISO 27001:22 ISO 27017:15 ISO 27018:19 ISO 27701:19 HIPAA CCPA NIST ST 800-53r5 NIST 800-171r2 NIST CSF NIST CSF 2.0 NIST AI RMF NIS 2 CCM FedRAMP Cyber Essentials CMMC COBIT FFIEC GDPR MS SSPA PCI SOX ITGC | |
The Backup Policy defines the procedures and schedule for information from business applications are copied to ensure data recoverability in the event of accidental data deletion, corrupted information or some kind of a system outage. | DCF-169 | SOC 2 ISO 27001:13 ISO 27001:22 ISO 27017:15 ISO 27018:19 ISO 27701:19 HIPAA PCI GDPR NIST ST 800-53r5 NIST AI RMF NIST CSF 2.0 NIST 800-171r2 NIST CSF NIS 2 CCM FedRAMP Cyber Essentials CCPA / CPRA COBIT FFIEC MS SSPA SOX ITGC | |
Breach Notification Policy | The Breach Notification Policy defines how breaches are reported and managed, as well as the thresholds for notification of various parties, per HIPAA requirements. | DCF-193 | HIPAA |
Business Associate Policy | The Business Associate Policy provides the process for Business Associate Agreements (BAA) and the contractual arrangements as required by the HIPAA Privacy and Security Rules. | DCF-195 | HIPAA |
The Business Continuity Plan (BCP) outlines how the business will continue operations during an unplanned disruption in service. | DCF-166 | SOC 2 ISO 27001:13 ISO 27001:22 ISO 27701:19 ISO 27017:15 ISO 27018:19 HIPAA PCI GDPR CCPA / CPRA NIST ST 800-53r5 NIST CSF NIST CSF 2.0 NIST AI RMF NIS 2 COBIT CCM FedRAMP Cyber Essentials FFIEC MS SSPA SOX ITGC | |
The Code of Conduct defines behavior expected from employees towards their colleagues, supervisors, and the overall organization. | DCF-44 | SOC 2 ISO 27001:13 ISO 27001:22 ISO 27701:19 ISO 27017:15 ISO 27018:19 HIPAA CCM NIST CSF 2.0 NIST 2 NIST AI RMF NIST CSF NIST ST 800-53r5 PCI CCPA / CPRA COBIT Cyber Essentials FedRAMP FFIEC GDPR MS SSPA SOX ITGC | |
The Data Classification Policy defines the high level objectives and implementation instructions for the company's data classification scheme. | DCF-102 | SOC 2 ISO 27001:13 ISO 27001:22 ISO 27701:19 ISO 27017:15 ISO 27018:19 HIPAA CCPA / CPRA CCM NIST ST 800-53r5 NIST 800-171v2 NIST CSF NIST CSF 2.0 NIST AI RMF NIS 2 FedRAMP CMMC COBIT Cyber Essentials FFIEC GDPR MS SSPA PCI SOX ITGC | |
The Data Retention Policy outlines when data no longer serves its purpose and should be deleted, or if the data retention period has been met. | DCF-101,DCF-123 | SOC 2 ISO 27001:13 ISO 27001:22 ISO 27701:19 ISO 27017:15 ISO 27018:19 HIPAA PCI NIST ST 800-53r5 NIST 800-171r2 NIST CSF NIST CSF 2.0 NIST AI RMF NIS 2 CCPA / CPRA CCM FedRAMP CMMC COBIT Cyber Essentials FFIEC GDPR MS SSPA SOX ITGC | |
The Data Protection Policy outlines many of the procedures and technical controls in support of data protection. | DCF-45 | SOC 2 ISO 27001:13 ISO 27001:22 ISO 27701:19 ISO 27017:15 ISO 27018:19 HIPAA PCI GDPR CCPA CCM NIST ST 800-53r5 NIST 800-171r2 NIST AI RMF NIST CSF NIS 2 CMMC COBIT Cyber Essentials FFIEC MS SSPA FedRAMP SOX ITGC | |
The Disaster Recovery Plan (DRP) is the documented, structured approach to how the company can quickly resume work after an unplanned incident. | DCF-25 | SOC 2 ISO 27001:13 ISO 27001:22 ISO 27701:19 ISO 27017:15 ISO 27018:19 HIPAA GDPR PCI CCPA / CPRA CCM NIST CSF NIST CSF 2.0 NIST AI RMF NIS 2 COBIT Cyber Essentials FedRAMP FFIEC MS SSPA SOX ITGC | |
The Encryption Policy establishes the types of data, devices and media that need to be encrypted, when encryption must be used, and the minimum standards of the software and techniques used for encryption. | DCF-181 | SOC 2 ISO 27001:13 ISO 27001:22 ISO 27701:19 ISO 27017:15 ISO 27018:19 HIPAA GDPR PCI NIST ST 800-53r5 NIST 800-171r2 NIST AI RMF NIST CSF NIST CSF 2.0 NIS 2 CMMC CCPA / CPRA CCM COBIT Cyber Essentials FedRAMP FFIEC MS SSPA SOX ITGC | |
The Incident Response Plan establishes procedures and controls to ensure detection of security vulnerabilities and incidents, as well as quick reaction and response to security breaches. | DCF-159 | SOC 2 ISO 27001:13 ISO 27001:22 ISO 27701:19 ISO 27017:15 ISO 27018:19 HIPAA GDPR PCI NIST ST 800-53r5 NIST 800-171r2 NIST CSF NIST CSF 2.0 NIST AI RMF NIS 2 FedRAMP CCPA / CPRA CCM CMMC COBIT Cyber Essentials FFIEC MS SSPA SOX ITGC | |
The Information Security Policy outlines the rules, policies and procedures designed to ensure all users and networks within the company meet minimum IT security and data protection security requirements. | DCF-13 | SOC 2 ISO 27001:13 ISO 27001:22 ISO 27701:19 ISO 27017:15 ISO 27018:19 HIPAA GDPR PCI NIST ST 800-53r5 NIST 800-171r2 NIST CSF NIST CSF 2.0 NIST AI RMF NIS 2 CCM FedRAMP CMMC CCPA / CPRA COBIT Cyber Essentials FFIEC MS SSPA SOX ITGC | |
The Password Policy describes the company's procedure to select and securely manage passwords. | DCF-68 | SOC 2 ISO 27001:13 ISO 27001:22 ISO 27701:19 ISO 27017:15 ISO 27018:19 HIPAA GDPR PCI NIST ST 800-53r5 NIST 800-171r2 NIST CSF NIST CSF 2.0 NIST AI RMF NIS 2 CCM FedRAMP CMMC CCPA / CPRA COBIT Cyber Essentials FFIEC MS SSPA SOX ITGC | |
Personal Data Management Policy | The Personal Data Management Policy outlines policies and procedures to manage personal data across the organization in compliance with privacy laws and regulations. | DCF-545 | CPRA GDPR CCPA |
The Physical Security Policy establishes the rules governing controls, monitoring, and removal of physical access to company's facilities. | DCF-94 | SOC 2 ISO 27001:13 ISO 27001:22 ISO 27701:19 ISO 27017:15 ISO 27018:19 HIPAA GDPR PCI NIST ST 800-53r5 NIST 800-171r2 NIST CSF NIST CSF 2.0 NIST AI RMF NIS 2 CCM FedRAMP CMMC CCPA / CPRA COBIT Cyber Essentials FFIEC MS SSPA SOX ITGC | |
Privacy, Use, and Disclosure Policy | The Privacy, Use, and Disclosure Policy covers the HIPAA Privacy Rule and ensures protected health information (PHI) is only released with proper documentation to authorized parties. | DCF-192 | HIPAA |
The Risk Assessment Policy defines the methodology for the assessment and treatment of information security risks within the company, and to define the acceptable level of risk as set by the company's leadership. | DCF-15 | SOC 2 ISO 27001:13 ISO 27001:22 ISO 27701:19 ISO 27017:15 ISO 27018:19 HIPAA GDPR PCI NIST ST 800-53r5 NIST 800-171r2 NIST CSF NIST CSF 2.0 NIST AI RMF NIS 2 CCM FedRAMP CMMC CCPA / CPRA COBIT Cyber Essentials FFIEC MS SSPA SOX ITGC | |
This policy defines the high-level requirements for providing business program managers, business project managers, technical project managers, and other program and project stakeholders guidance to support the approval, planning, and life cycle development of the company's software systems. | DCF-31 | SOC 2 ISO 27001:13 ISO 27001:22 ISO 27701:19 ISO 27017:15 ISO 27018:19 HIPAA GDPR PCI NIST ST 800-53r5 NIST 800-171r2 NIST CSF NIST CSF 2.0 NIST AI RMF NIS 2 CCM FedRAMP CMMC CCPA / CPRA COBIT Cyber Essentials FFIEC MS SSPA SOX ITGC | |
The System Access Control Policy defines procedures to onboard and offboard users to technical infrastructure in a manner that minimizes the risk of information loss or exposure. | DCF-10 | SOC 2 ISO 27001:13 ISO 27001:22 ISO 27701:19 ISO 27017:15 ISO 27018:19 HIPAA GDPR PCI NIST ST 800-53r5 NIST 800-171r2 NIST CSF NIST CSF 2.0 NIST AI RMF NIS 2 CCM FedRAMP CMMC CCPA / CPRA COBIT Cyber Essentials FFIEC MS SSPA SOX ITGC | |
The Vendor Management Policy defines the rules for relationships with the company's Information Technology (IT) vendors and partners. | DCF-168 | SOC 2 ISO 27001:13 ISO 27001:22 ISO 27701:19 ISO 27017:15 ISO 27018:19 HIPAA GDPR PCI NIST ST 800-53r5 NIST 800-171r2 NIST CSF NIST CSF 2.0 NIST AI RMF NIS 2 CCM FedRAMP CMMC CCPA / CPRA COBIT Cyber Essentials FFIEC MS SSPA SOX ITGC | |
The Vulnerability Management Policy outlines the company's procedures to uncover, classify, track, and remediate security vulnerabilities. | DCF-183 | SOC 2 ISO 27001:13 ISO 27001:22 ISO 27701:19 ISO 27017:15 ISO 27018:19 HIPAA GDPR PCI NIST ST 800-53r5 NIST 800-171r2 NIST CSF NIST CSF 2.0 NIST AI RMF NIS 2 CCM FedRAMP CMMC CCPA / CPRA COBIT Cyber Essentials FFIEC MS SSPA SOX ITGC | |
NOTE: The ISMS Plan is NOT required to be accepted by employees. The ISMS Plan covers all requirements necessary for the establishment of the company's Information Security Management System. | DCF-184 | ISO 27001:13 ISO 27001:22 ISO 27017:15 ISO 27018:19 NIS 2 | |
The Change Management Policy outlines the plans and procedures in place for managing changes across the organization, including infrastructure, systems, and applications. | DCF-567,DCF-305 | SOC 2 ISO 27001:13 ISO 27001:22 ISO 27701:19 ISO 27017:15 ISO 27018:19 HIPAA GDPR PCI NIST ST 800-53r5 NIST 800-171r2 NIST CSF NIST CSF 2.0 NIST AI RMF NIS 2 CCM FedRAMP CMMC CCPA / CPRA COBIT Cyber Essentials FFIEC MS SSPA SOX ITGC | |
Maintenance Management Policy | The Maintenance Management Policy ensures IT resources are maintained in compliance with security policies, standards, and procedures. | DCF-575 | NIST SP 800-53r5 NIST SP 800-171r2 NIST CSF NIST CSF 2.0 CMMC FedRAMP |
System and Information Integrity Policy | The System Integrity Plan ensures the implementation of security best practices with regard to system configuration, security, and error handling | DCF-576 | NIST SP 800-53r5 NIST SP 800-171r2 NIST CSF NIST CSF 2.0 FedRAMP CMMC |
System and Services Acquisition Policy | The System and Service Acquisition Policy ensures that resources and information systems are acquired with security requirements to meet the information systems mission and business objectives. | DCF-578 | NIST SP 800-53r5 NIST SP 800-171r2 FedRAMP CMMC
|
The System Security Planning Policy outlines how an organization establishes its resources and information systems with effective security controls and control enhancements that reflect applicable rules, regulations, guidelines and other obligations. | DCF-577 | NIST SP 800-53r5 NIST SP 800-171r2 CCM CMMC FedRAMP | |
Information Governance Policy | The Information Governance Policy outlines policies and procedures to manage information governance across the organization in compliance with security policies, standards, and procedures. | DCF-668 | CCM |
Shared Responsibility Policy | The Shared Responsibility Policy outlines policies and procedures to delineate and manage shared security responsibilities between Cloud Service Providers (CSP) and Cloud Service Customers (CSC). | DCF-669 | CCM ISO 27018:19 ISO 27017:15 |
Network Security Policy | The Network Security Policy outlines requirements for deployment, management and operation of network security controls at the company. | DCF-678 | SOC 2 ISO 27001:13 ISO 27001:22 ISO 27701:19 ISO 27017:15 ISO 27018:19 HIPAA GDPR PCI NIST ST 800-53r5 NIST 800-171r2 NIST CSF NIST CSF 2.0 NIST AI RMF NIS 2 CCM FedRAMP CMMC CCPA / CPRA COBIT Cyber Essentials FFIEC MS SSPA SOX ITGC |
Public Cloud PII Protection Policy | The Public Cloud PII Protection Policy outlines the safeguards in place for the personally identifiable information of the company's customers that may be processed in the company's public cloud service, to ensure that the company complies with the legal, statutory, regulatory, and contractual requirements necessary to process personally identifiable information, and to provide transparency to their customers. | DCF-697 | ISO 27018:19 NIST AI RMF |
AI Governance Policy | The AI Governance Policy outlines the company's rules and requirements for responsible AI practices. | DCF-800 | NIST AI RMF |
AI Risk Management Policy | The AI Risk Management Policy outlines the scope and methodology or AI risk assessments, evaluation, and mitigation. | DCF-801 | NIST AI RMF |
AI System Development and Evaluation Policy | The AI Development and Evaluation Policy outlines the company's practices, roles, and responsibilities in the safe design, development, deployment, use, and evaluation of AI systems to minimize negative impacts. | DCF-806 | NIST AI RMF |
PCI DSS Compliance Policy | The PCI DSS Compliance Policy outlines the safeguards and activities that the company will implement to achieve compliance with Payment Card Industry Data Security Standard (PCI DSS). | DCF-740 | PCI |
The Logging and Monitoring policy outlines requirements for audit logging and monitoring of system activity. Frequent monitoring and maintenance of audit trails are required to effectively assess information system controls, operations, and general security. | DCF-741 | SOC 2 ISO 27001:13 ISO 27001:22 ISO 27701:19 ISO 27017:15 ISO 27018:19 HIPAA GDPR PCI NIST ST 800-53r5 NIST 800-171r2 NIST CSF NIST CSF 2.0 NIST AI RMF NIS 2 CCM FedRAMP CMMC CCPA / CPRA COBIT Cyber Essentials FFIEC MS SSPA SOX ITGC |