Background
Each framework has its own unique set of requirements, standards, and policies that must be implemented to achieve and maintain compliance. Understanding which policies are essential for each framework brings efficiency, allows for prioritization, provides clear guidance for implementation, and helps organizations develop a systematic approach in streamlining compliance efforts and properly allocate resources.
Our compliance advisors team has written guidance articles to provide more context for many of the polices. The policy name hyperlinks to guidance articles where applicable.
Policies to Framework Summary Table
Policies to Framework Summary Table
Policy | Description | Policy Control | Applicable Framework |
The Acceptable Use Policy specifies acceptable use of end-user computing devices and technology. | DCF-37 | CCM CCPA CMMC 2.0 COBIT 2019 CPRA Cyber Essentials DORA Drata Essentials FedRAMP FFIEC GDPR HIPAA ISO 27001:22 ISO 27017:15 ISO 27701:19 ISO 42001:23 Microsoft SSPA NIS 2 NIST 800-171r2 NIST 800-171r3 NIST 800-53r5 NIST AI RMF NIST CSF 1.1 NIST CSF 2.0 PCI DSS v4.0 PCI DSS v4.0.1 SOC 2 SOX ITGC | |
The Asset Management Policy defines the implementation and documentation of asset management practices, plans, processes & procedures within the organization. | DCF-182 | CCM CCPA CMMC 2.0 COBIT 2019 CPRA Cyber Essentials DORA Drata Essentials FedRAMP FFIEC GDPR HIPAA ISO 27001:22 ISO 27017:15 ISO 27701:19 ISO 42001:23 Microsoft SSPA NIS 2 NIST 800-171r2 NIST 800-171r3 NIST 800-53r5 NIST AI RMF NIST CSF 1.1 NIST CSF 2.0 PCI DSS v4.0 PCI DSS v4.0.1 SOC 2 SOX ITGC | |
The Backup Policy defines the procedures and schedule for information from business applications are copied to ensure data recoverability in the event of accidental data deletion, corrupted information or some kind of a system outage. | DCF-169 | CCM 4o mini | |
Breach Notification Policy | The Breach Notification Policy defines how breaches are reported and managed, as well as the thresholds for notification of various parties, per HIPAA requirements. | DCF-193 | HIPAA |
Business Associate Policy | The Business Associate Policy provides the process for Business Associate Agreements (BAA) and the contractual arrangements as required by the HIPAA Privacy and Security Rules. | DCF-195 | HIPAA |
The Business Continuity Plan (BCP) outlines how the business will continue operations during an unplanned disruption in service. | DCF-166 | CCM CCPA CMMC 2.0 COBIT 2019 CPRA Cyber Essentials DORA FedRAMP FFIEC GDPR HIPAA ISO 27001:13 ISO 27001:22 ISO 27017:15 ISO 27701:19 ISO 42001:23 Microsoft SSPA NIS 2 NIST 800-171r2 NIST 800-171r3 NIST 800-53r5 NIST AI RMF NIST CSF 1.1 NIST CSF 2.0 PCI DSS v3.2.1 PCI DSS v4.0 PCI DSS v4.0.1 SOC 2 SOX ITGC | |
The Code of Conduct defines behavior expected from employees towards their colleagues, supervisors, and the overall organization. | DCF-44 | CCM CCPA COBIT CPRA Cyber Essentials DORA FedRAMP FFIEC GDPR HIPAA ISO 27001:13 ISO 27001:22 ISO 27017:15 ISO 27701:19 ISO 42001:23 Microsoft SSPA NIS 2 NIST 800-53r5 NIST AI RMF NIST CSF 1.1 NIST CSF 2.0 PCI DSS v3.2.1 SOC 2 SOX ITGC | |
The Data Classification Policy defines the high level objectives and implementation instructions for the company's data classification scheme. | DCF-102 | CCM CCPA CMMC 2.0 COBIT CPRA Cyber Essentials DORA FedRAMP FFIEC GDPR HIPAA ISO 27001:13 ISO 27001:22 ISO 27017:15 ISO 27701:19 ISO 42001:23 Microsoft SSPA NIS 2 NIST 800-171r2 NIST 800-171r3 NIST 800-53r5 NIST AI RMF NIST CSF 1.1 NIST CSF 2.0 PCI DSS v3.2.1 PCI DSS v4.0 PCI DSS v4.0.1 SOC 2 SOX ITGC | |
The Data Retention Policy outlines when data no longer serves its purpose and should be deleted, or if the data retention period has been met. | DCF-101,DCF-123 | CCM CCPA CMMC 2.0 COBIT CPRA Cyber Essentials DORA FedRAMP FFIEC GDPR HIPAA ISO 27001:13 ISO 27001:22 ISO 27017:15 ISO 27701:19 ISO 42001:23 Microsoft SSPA NIS 2 NIST 800-171r2 NIST 800-171r3 NIST 800-53r5 NIST AI RMF NIST CSF 1.1 NIST CSF 2.0 PCI DSS v3.2.1 PCI DSS v4.0 PCI DSS v4.0.1 SOC 2 SOX ITGC | |
The Data Protection Policy outlines many of the procedures and technical controls in support of data protection. | DCF-45 | CCPA CMMC 2.0 COBIT 2019 CPRA Cyber Essentials DORA FedRAMP FFIEC GDPR HIPAA ISO 27001:2013 ISO 27001:2022 ISO 27017:2015 ISO 27018:2019 ISO 27701:2019 Microsoft SSPA NIS 2 NIST 800-171r2 NIST 800-171r3 NIST 800-53r5 NIST AI RMF NIST CSF 1.1 NIST CSF 2.0 PCI DSS v3.2.1 PCI DSS v4.0 PCI DSS v4.0.1 SOC 2 SOX ITGC | |
The Disaster Recovery Plan (DRP) is the documented, structured approach to how the company can quickly resume work after an unplanned incident. | DCF-25 | CCPA CMMC 2.0 COBIT 2019 CPRA Cyber Essentials DORA FedRAMP FFIEC GDPR HIPAA ISO 27001:2013 ISO 27001:2022 ISO 27017:2015 ISO 27018:2019 ISO 27701:2019 Microsoft SSPA NIS 2 NIST 800-171r2 NIST 800-171r3 NIST 800-53r5 NIST AI RMF NIST CSF 1.1 NIST CSF 2.0 PCI DSS v3.2.1 PCI DSS v4.0 PCI DSS v4.0.1 SOC 2 SOX ITGC | |
The Encryption Policy establishes the types of data, devices and media that need to be encrypted, when encryption must be used, and the minimum standards of the software and techniques used for encryption. | DCF-181 | CCM CCPA CMMC 2.0 COBIT CPRA Cyber Essentials DORA FedRAMP FFIEC GDPR HIPAA ISO 27001:13 ISO 27001:22 ISO 27017:15 ISO 27701:19 ISO 42001:23 Microsoft SSPA NIS 2 NIST 800-171r2 NIST 800-171r3 NIST 800-53r5 NIST AI RMF NIST CSF 1.1 NIST CSF 2.0 PCI DSS v3.2.1 PCI DSS v4 PCI DSS v4.0.1 SOC 2 SOX ITGC | |
The Incident Response Plan establishes procedures and controls to ensure detection of security vulnerabilities and incidents, as well as quick reaction and response to security breaches. | DCF-159 | CCM CCPA CIS 8.1 CMMC 2.0 COBIT 2019 CPRA Cyber Essentials DORA Drata Essentials FedRAMP FFIEC GDPR HIPAA HITRUST ISO 27001:2013 ISO 27001:2022 ISO 27017:2015 ISO 27018:2019 ISO 27701:2019 ISO 42001:2023 Microsoft SSPA NIS 2 NIST 800-171r2 NIST 800-171r3 NIST 800-53r5 NIST AI RMF NIST CSF 1.1 NIST CSF 2.0 PCI DSS v3.2.1 PCI DSS v4.0 PCI DSS v4.0.1 SOC 2 SOX ITGC | |
The Information Security Policy outlines the rules, policies and procedures designed to ensure all users and networks within the company meet minimum IT security and data protection security requirements. | DCF-13 | CCM CCPA CIS 8.1 CMMC 2.0 COBIT 2019 CPRA Cyber Essentials DORA Drata Essentials FedRAMP FFIEC GDPR HIPAA HITRUST ISO 27001:2013 ISO 27001:2022 ISO 27017:2015 ISO 27018:2019 ISO 27701:2019 ISO 42001:2023 Microsoft SSPA NIS 2 NIST 800-171r2 NIST 800-171r3 NIST 800-53r5 NIST AI RMF NIST CSF 1.1 NIST CSF 2.0 PCI DSS v3.2.1 PCI DSS v4.0 PCI DSS v4.0.1 SOC 2 SOX ITGC | |
The Password Policy describes the company's procedure to select and securely manage passwords. | DCF-68 | CCM CCPA CIS 8.1 CMMC 2.0 COBIT 2019 CPRA Cyber Essentials DORA Drata Essentials FedRAMP FFIEC GDPR HIPAA HITRUST ISO 27001:2013 ISO 27001:2022 ISO 27017:2015 ISO 27018:2019 ISO 27701:2019 ISO 42001:2023 Microsoft SSPA NIS 2 NIST 800-171r2 NIST 800-171r3 NIST 800-53r5 NIST AI RMF NIST CSF 1.1 NIST CSF 2.0 PCI DSS v3.2.1 PCI DSS v4.0 PCI DSS v4.0.1 SOC 2 SOX ITGC | |
Personal Data Management Policy | The Personal Data Management Policy outlines policies and procedures to manage personal data across the organization in compliance with privacy laws and regulations. | DCF-545 | CCPA CPRA GDPR HITRUST |
The Physical Security Policy establishes the rules governing controls, monitoring, and removal of physical access to company's facilities. | DCF-94 | CCM CCPA CIS 8.1 CMMC 2.0 COBIT 2019 CPRA Cyber Essentials DORA FedRAMP FFIEC GDPR HIPAA HITRUST ISO 27001:2013 ISO 27001:2022 ISO 27017:2015 ISO 27701:2019 ISO 42001:2023 Microsoft SSPA NIS 2 NIST 800-171r2 NIST 800-171r3 NIST 800-53r5 NIST AI RMF NIST CSF 1.1 NIST CSF 2.0 PCI DSS v3.2.1 PCI DSS v4.0 PCI DSS v4.0.1 SOC 2 SOX ITGC | |
Privacy, Use, and Disclosure Policy | The Privacy, Use, and Disclosure Policy covers the HIPAA Privacy Rule and ensures protected health information (PHI) is only released with proper documentation to authorized parties. | DCF-192 | HIPAA |
The Risk Assessment Policy defines the methodology for the assessment and treatment of information security risks within the company, and to define the acceptable level of risk as set by the company's leadership. | DCF-15 | CCM CCPA CIS 8.1 CMMC 2.0 COBIT 2019 CPRA Cyber Essentials DORA FedRAMP FFIEC GDPR HIPAA HITRUST ISO 27001:2013 ISO 27001:2022 ISO 27017:2015 ISO 27701:2019 ISO 42001:2023 Microsoft SSPA NIS 2 NIST 800-171r2 NIST 800-171r3 NIST 800-53r5 NIST AI RMF NIST CSF 1.1 NIST CSF 2.0 PCI DSS v3.2.1 PCI DSS v4.0 PCI DSS v4.0.1 SOC 2 SOX ITGC | |
This policy defines the high-level requirements for providing business program managers, business project managers, technical project managers, and other program and project stakeholders guidance to support the approval, planning, and life cycle development of the company's software systems. | DCF-31 | CCM CCPA CIS 8.1 CMMC 2.0 COBIT 2019 CPRA Cyber Essentials DORA Drata Essentials FedRAMP FFIEC GDPR HIPAA HITRUST ISO 27001:2013 ISO 27001:2022 ISO 27017:2015 ISO 27018:2019 ISO 27701:2019 ISO 42001:2023 Microsoft SSPA NIS 2 NIST 800-171r2 NIST 800-171r3 NIST 800-53r5 NIST AI RMF NIST CSF 1.1 NIST CSF 2.0 PCI DSS v3.2.1 PCI DSS v4.0 PCI DSS v4.0.1 SOC 2 SOX ITGC | |
The System Access Control Policy defines procedures to onboard and offboard users to technical infrastructure in a manner that minimizes the risk of information loss or exposure. | DCF-10 | CCM CCPA CIS 8.1 CMMC 2.0 COBIT 2019 CPRA Cyber Essentials DORA Drata Essentials FedRAMP FFIEC GDPR HIPAA HITRUST ISO 27001:2013 ISO 27001:2022 ISO 27017:2015 ISO 27018:2019 ISO 27701:2019 ISO 42001:2023 Microsoft SSPA NIS 2 NIST 800-171r2 NIST 800-171r3 NIST 800-53r5 NIST AI RMF NIST CSF 1.1 NIST CSF 2.0 PCI DSS v3.2.1 PCI DSS v4.0 PCI DSS v4.0.1 SOC 2 SOX ITGC | |
The Vendor Management Policy defines the rules for relationships with the company's Information Technology (IT) vendors and partners. | DCF-168 | CCM CCPA CIS 8.1 CMMC 2.0 COBIT 2019 CPRA Cyber Essentials DORA Drata Essentials FedRAMP FFIEC GDPR HIPAA HITRUST ISO 27001:2013 ISO 27001:2022 ISO 27017:2015 ISO 27018:2019 ISO 27701:2019 ISO 42001:2023 Microsoft SSPA NIS 2 NIST 800-171r2 NIST 800-171r3 NIST 800-53r5 NIST AI RMF NIST CSF 1.1 NIST CSF 2.0 PCI DSS v3.2.1 PCI DSS v4.0 PCI DSS v4.0.1 SOC 2 SOX ITGC | |
The Vulnerability Management Policy outlines the company's procedures to uncover, classify, track, and remediate security vulnerabilities. | DCF-183 | CCM CCPA CIS 8.1 CMMC 2.0 COBIT 2019 CPRA Cyber Essentials DORA Drata Essentials FedRAMP FFIEC GDPR HIPAA HITRUST ISO 27001:2013 ISO 27001:2022 ISO 27017:2015 ISO 27018:2019 ISO 27701:2019 ISO 42001:2023 Microsoft SSPA NIS 2 NIST 800-171r2 NIST 800-171r3 NIST 800-53r5 NIST AI RMF NIST CSF 1.1 NIST CSF 2.0 PCI DSS v3.2.1 PCI DSS v4.0 PCI DSS v4.0.1 SOC 2 SOX ITGC | |
NOTE: The ISMS Plan is NOT required to be accepted by employees. The ISMS Plan covers all requirements necessary for the establishment of the company's Information Security Management System. | DCF-184 | ISO 27001:2013 ISO 27001:2022 ISO 27017:2015 | |
The Change Management Policy outlines the plans and procedures in place for managing changes across the organization, including infrastructure, systems, and applications. | DCF-567,DCF-305 | CCM CCPA CIS 8.1 CMMC 2.0 COBIT 2019 CPRA Cyber Essentials Cyber Essentials v3.2 DORA FedRAMP FFIEC GDPR HIPAA HITRUST ISO 27001:2013 ISO 27001:2022 ISO 27017:2015 ISO 27701:2019 ISO 42001:2023 Microsoft SSPA NIST 800-171r2 NIST 800-171r3 NIST 800-53r5 NIST AI RMF NIST CSF 1.1 NIST CSF 2.0 NIS 2 PCI DSS v3.2.1 PCI DSS v4.0 PCI DSS v4.0.1 SOC 2 SOX ITGC | |
Maintenance Management Policy | The Maintenance Management Policy ensures IT resources are maintained in compliance with security policies, standards, and procedures. | DCF-575 | CIS 8.1 CMMC 2.0 DORA FedRAMP HITRUST NIST 800-171r2 NIST 800-171r3 NIST 800-53r5 NIST CSF 2.0 |
System and Information Integrity Policy | The System Integrity Plan ensures the implementation of security best practices with regard to system configuration, security, and error handling | DCF-576 | CIS 8.1 CMMC 2.0 DORA FedRAMP HITRUST NIST 800-171r2 NIST 800-171r3 NIST 800-53r5 NIST CSF 2.0 |
System and Services Acquisition Policy | The System and Service Acquisition Policy ensures that resources and information systems are acquired with security requirements to meet the information systems mission and business objectives. | DCF-578 | CMMC 2.0 DORA FedRAMP NIST 800-171r2 NIST 800-171r3 NIST 800-53r5 NIS 2
|
The System Security Planning Policy outlines how an organization establishes its resources and information systems with effective security controls and control enhancements that reflect applicable rules, regulations, guidelines and other obligations. | DCF-577 | CCM CMMC 2.0 FedRAMP NIST 800-171r2 NIST 800-171r3 NIST 800-53r5 | |
Information Governance Policy | The Information Governance Policy outlines policies and procedures to manage information governance across the organization in compliance with security policies, standards, and procedures. | DCF-668 | CCM DORA HITRUST |
Shared Responsibility Policy | The Shared Responsibility Policy outlines policies and procedures to delineate and manage shared security responsibilities between Cloud Service Providers (CSP) and Cloud Service Customers (CSC). | DCF-669 | CCM ISO 27017:2015 ISO 27018:2019 |
Network Security Policy | The Network Security Policy outlines requirements for deployment, management and operation of network security controls at the company. | DCF-678 | CCPA CMMC 2.0 CIS 8.1 COBIT 2019 CPRA Cyber Essentials DORA FedRAMP FFIEC GDPR HIPAA HITRUST ISO 27001:2013 ISO 27001:2022 ISO 27017:2015 ISO 27701:2019 ISO 42001:2023 Microsoft SSPA NIST 800-171r2 NIST 800-171r3 NIST 800-53r5 NIST AI RMF NIST CSF 1.1 NIST CSF 2.0 NIS 2 PCI DSS v3.2.1 PCI DSS v4.0 PCI DSS v4.0.1 SOC 2 SOX ITGC |
Public Cloud PII Protection Policy | The Public Cloud PII Protection Policy outlines the safeguards in place for the personally identifiable information of the company's customers that may be processed in the company's public cloud service, to ensure that the company complies with the legal, statutory, regulatory, and contractual requirements necessary to process personally identifiable information, and to provide transparency to their customers. | DCF-697 | HITRUST ISO 27018:2019 NIST AI RMF |
AI Governance Policy | The AI Governance Policy outlines the company's rules and requirements for responsible AI practices. | DCF-800 | ISO 42001:2023 NIST AI RMF |
AI Risk Management Policy | The AI Risk Management Policy outlines the scope and methodology or AI risk assessments, evaluation, and mitigation. | DCF-801 | ISO 42001:2023 NIST AI RMF |
AI System Development and Evaluation Policy | The AI Development and Evaluation Policy outlines the company's practices, roles, and responsibilities in the safe design, development, deployment, use, and evaluation of AI systems to minimize negative impacts. | DCF-806 | ISO 42001:2023 NIST AI RMF |
PCI DSS Compliance Policy | The PCI DSS Compliance Policy outlines the safeguards and activities that the company will implement to achieve compliance with Payment Card Industry Data Security Standard (PCI DSS). | DCF-740 | PCI DSS v4.0 PCI DSS v4.0.1 |
The Logging and Monitoring policy outlines requirements for audit logging and monitoring of system activity. Frequent monitoring and maintenance of audit trails are required to effectively assess information system controls, operations, and general security. | DCF-741 | CCPA CMMC 2.0 CIS 8.1 COBIT 2019 CPRA Cyber Essentials Cyber Essentials v3.2 DORA FedRAMP FFIEC GDPR HIPAA HITRUST ISO 27001:2013 ISO 27001:2022 ISO 27017:2015 ISO 27018:2019 ISO 27701:2019 ISO 42001:2023 Microsoft SSPA NIST 800-171r2 NIST 800-171r3 NIST 800-53r5 NIST AI RMF NIST CSF 1.1 NIST CSF 2.0 NIS 2 PCI DSS v3.2.1 PCI DSS v4.0 PCI DSS v4.0.1 SOC 2 SOX ITGC
|