Skip to main content
All CollectionsCompliance
Policies to Framework Summary
Policies to Framework Summary
Markindey Sineus avatar
Written by Markindey Sineus
Updated over a week ago

Background

Each framework has its own unique set of requirements, standards, and policies that must be implemented to achieve and maintain compliance. Understanding which policies are essential for each framework brings efficiency, allows for prioritization, provides clear guidance for implementation, and helps organizations develop a systematic approach in streamlining compliance efforts and properly allocate resources.

Our compliance advisors team has written guidance articles to provide more context for many of the polices. The policy name hyperlinks to guidance articles where applicable.

Policies to Framework Summary Table

Policy

Description

Policy Control

Applicable Framework

The Acceptable Use Policy specifies acceptable use of end-user computing devices and technology.

DCF-37

  • SOC 2

  • ISO 27001:13

  • ISO 27001:22

  • ISO 27017:15

  • ISO 27018:19

  • HIPAA

  • GDPR

  • PCI 3.2.1

  • PCI 4.0

  • CCPA / CPRA

  • CCM

  • NIST SP 800-53r5

  • NIST CSF

  • NIST AI RMF

  • FedRAMP

  • Cyber Essentials

The Asset Management Policy defines the implementation and documentation of asset management practices, plans, processes & procedures within the organization.

DCF-182

  • SOC 2

  • ISO 27001:13

  • ISO 27001:22

  • ISO 27017:15

  • ISO 27018:19

  • HIPAA

  • GDPR

  • PCI 3.2.1

  • PCI 4.0

  • CCPA / CPRA

  • CCM

  • NIST SP 800-53r5

  • NIST CSF

  • NIST AI RMF

  • FedRAMP

  • Cyber Essentials

The Backup Policy defines the procedures and schedule for information from business applications are copied to ensure data recoverability in the event of accidental data deletion, corrupted information or some kind of a system outage.

DCF-169

  • SOC 2

  • ISO 27001:13

  • ISO 27001:22

  • ISO 27017:15

  • ISO 27018:19

  • HIPAA

  • GDPR

  • PCI 3.2.1

  • PCI 4.0

  • CCPA / CPRA

  • CCM

  • NIST SP 800-53r5

  • NIST CSF

  • NIST AI RMF

  • FedRAMP

  • Cyber Essentials

Breach Notification Policy

The Breach Notification Policy defines how breaches are reported and managed, as well as the thresholds for notification of various parties, per HIPAA requirements.

DCF-193

HIPAA

Business Associate Policy

The Business Associate Policy provides the process for Business Associate Agreements (BAA) and the contractual arrangements as required by the HIPAA Privacy and Security Rules.

DCF-195

HIPAA

The Business Continuity Plan (BCP) outlines how the business will continue operations during an unplanned disruption in service.

DCF-166

  • SOC 2

  • ISO 27001:13

  • ISO 27001:22

  • ISO 27017:15

  • ISO 27018:19

  • HIPAA

  • GDPR

  • PCI 3.2.1

  • PCI 4.0

  • CCPA / CPRA

  • CCM

  • NIST SP 800-53r5

  • NIST CSF

  • NIST AI RMF

  • FedRAMP

  • Cyber Essentials

The Code of Conduct defines behavior expected from employees towards their colleagues, supervisors, and the overall organization.

DCF-44

  • SOC 2

  • ISO 27001:13

  • ISO 27001:22

  • ISO 27017:15

  • ISO 27018:19

  • HIPAA

  • GDPR

  • PCI 3.2.1

  • PCI 4.0

  • CCPA / CPRA

  • CCM

  • NIST SP 800-53r5

  • NIST CSF

  • NIST AI RMF

  • FedRAMP

  • Cyber Essentials

The Data Classification Policy defines the high level objectives and implementation instructions for the company's data classification scheme.

DCF-102

  • SOC 2

  • ISO 27001:13

  • ISO 27001:22

  • ISO 27017:15

  • ISO 27018:19

  • HIPAA

  • GDPR

  • PCI 3.2.1

  • PCI 4.0

  • CCPA / CPRA

  • CCM

  • NIST SP 800-53r5

  • NIST CSF

  • NIST AI RMF

  • FedRAMP

  • Cyber Essentials

The Data Retention Policy outlines when data no longer serves its purpose and should be deleted, or if the data retention period has been met.

DCF-101
โ€‹
DCF-123

  • SOC 2

  • ISO 27001:13

  • ISO 27001:22

  • ISO 27017:15

  • ISO 27018:19

  • HIPAA

  • GDPR

  • PCI 3.2.1

  • PCI 4.0

  • CCPA / CPRA

  • CCM

  • NIST SP 800-53r5

  • NIST CSF

  • NIST AI RMF

  • FedRAMP

  • Cyber Essentials

The Data Protection Policy outlines many of the procedures and technical controls in support of data protection.

DCF-45

  • SOC 2

  • ISO 27001:13

  • ISO 27001:22

  • ISO 27017:15

  • ISO 27018:19

  • HIPAA

  • GDPR

  • PCI 3.2.1

  • PCI 4.0

  • CCPA / CPRA

  • CCM

  • NIST SP 800-53r5

  • NIST CSF

  • NIST AI RMF

  • FedRAMP

  • Cyber Essentials

The Disaster Recovery Plan (DRP) is the documented, structured approach to how the company can quickly resume work after an unplanned incident.

DCF-25

  • SOC 2

  • ISO 27001:13

  • ISO 27001:22

  • ISO 27017:15

  • ISO 27018:19

  • HIPAA

  • GDPR

  • PCI 3.2.1

  • PCI 4.0

  • CCPA / CPRA

  • CCM

  • NIST SP 800-53r5

  • NIST CSF

  • NIST AI RMF

  • FedRAMP

  • Cyber Essentials

The Encryption Policy establishes the types of data, devices and media that need to be encrypted, when encryption must be used, and the minimum standards of the software and techniques used for encryption.

DCF-181

  • SOC 2

  • ISO 27001:13

  • ISO 27001:22

  • ISO 27017:15

  • ISO 27018:19

  • HIPAA

  • GDPR

  • PCI 3.2.1

  • PCI 4.0

  • CCPA / CPRA

  • CCM

  • NIST SP 800-53r5

  • NIST CSF

  • NIST AI RMF

  • FedRAMP

  • Cyber Essentials

The Incident Response Plan establishes procedures and controls to ensure detection of security vulnerabilities and incidents, as well as quick reaction and response to security breaches.

DCF-159

  • SOC 2

  • ISO 27001:13

  • ISO 27001:22

  • ISO 27017:15

  • ISO 27018:19

  • HIPAA

  • GDPR

  • PCI 3.2.1

  • PCI 4.0

  • CCPA / CPRA

  • CCM

  • NIST SP 800-53r5

  • NIST CSF

  • NIST AI RMF

  • FedRAMP

  • Cyber Essentials

The Information Security Policy outlines the rules, policies and procedures designed to ensure all users and networks within the company meet minimum IT security and data protection security requirements.

DCF-13

  • SOC 2

  • ISO 27001:13

  • ISO 27001:22

  • ISO 27017:15

  • ISO 27018:19

  • HIPAA

  • GDPR

  • PCI 3.2.1

  • PCI 4.0

  • CCPA / CPRA

  • CCM

  • NIST SP 800-53r5

  • NIST CSF

  • NIST AI RMF

  • FedRAMP

  • Cyber Essentials

The Password Policy describes the company's procedure to select and securely manage passwords.

DCF-68

  • SOC 2

  • ISO 27001:13

  • ISO 27001:22

  • ISO 27017:15

  • ISO 27018:19

  • HIPAA

  • GDPR

  • PCI 3.2.1

  • PCI 4.0

  • CCPA / CPRA

  • CCM

  • NIST SP 800-53r5

  • NIST CSF

  • NIST AI RMF

  • FedRAMP

  • Cyber Essentials

Personal Data Management Policy

The Personal Data Management Policy outlines policies and procedures to manage personal data across the organization in compliance with privacy laws and regulations.

DCF-545

  • CPRA

  • GDPR

  • CCPA

The Physical Security Policy establishes the rules governing controls, monitoring, and removal of physical access to company's facilities.

DCF-94

  • SOC 2

  • ISO 27001:13

  • ISO 27001:22

  • ISO 27017:15

  • ISO 27018:19

  • HIPAA

  • GDPR

  • PCI 3.2.1

  • PCI 4.0

  • CCPA / CPRA

  • CCM

  • NIST SP 800-53r5

  • NIST CSF

  • NIST AI RMF

  • FedRAMP

  • Cyber Essentials

Privacy, Use, and Disclosure Policy

The Privacy, Use, and Disclosure Policy covers the HIPAA Privacy Rule and ensures protected health information (PHI) is only released with proper documentation to authorized parties.

DCF-192

HIPAA

The Risk Assessment Policy defines the methodology for the assessment and treatment of information security risks within the company, and to define the acceptable level of risk as set by the company's leadership.

DCF-15

  • SOC 2

  • ISO 27001:13

  • ISO 27001:22

  • ISO 27017:15

  • ISO 27018:19

  • HIPAA

  • GDPR

  • PCI 3.2.1

  • PCI 4.0

  • CCPA / CPRA

  • CCM

  • NIST SP 800-53r5

  • NIST CSF

  • NIST AI RMF

  • FedRAMP

  • Cyber Essentials

This policy defines the high-level requirements for providing business program managers, business project managers, technical project managers, and other program and project stakeholders guidance to support the approval, planning, and life cycle development of the company's software systems.

DCF-31

  • SOC 2

  • ISO 27001:13

  • ISO 27001:22

  • ISO 27017:15

  • ISO 27018:19

  • HIPAA

  • GDPR

  • PCI 3.2.1

  • PCI 4.0

  • CCPA / CPRA

  • CCM

  • NIST SP 800-53r5

  • NIST CSF

  • NIST AI RMF

  • FedRAMP

  • Cyber Essentials

The System Access Control Policy defines procedures to onboard and offboard users to technical infrastructure in a manner that minimizes the risk of information loss or exposure.

DCF-10

  • SOC 2

  • ISO 27001:13

  • ISO 27001:22

  • ISO 27017:15

  • ISO 27018:19

  • HIPAA

  • GDPR

  • PCI 3.2.1

  • PCI 4.0

  • CCPA / CPRA

  • CCM

  • NIST SP 800-53r5

  • NIST CSF

  • NIST AI RMF

  • FedRAMP

  • Cyber Essentials

The Vendor Management Policy defines the rules for relationships with the company's Information Technology (IT) vendors and partners.

DCF-168

  • SOC 2

  • ISO 27001:13

  • ISO 27001:22

  • ISO 27017:15

  • ISO 27018:19

  • HIPAA

  • GDPR

  • PCI 3.2.1

  • PCI 4.0

  • CCPA / CPRA

  • CCM

  • NIST SP 800-53r5

  • NIST CSF

  • NIST AI RMF

  • FedRAMP

  • Cyber Essentials

The Vulnerability Management Policy outlines the company's procedures to uncover, classify, track, and remediate security vulnerabilities.

DCF-183

  • SOC 2

  • ISO 27001:13

  • ISO 27001:22

  • ISO 27017:15

  • ISO 27018:19

  • HIPAA

  • GDPR

  • PCI 3.2.1

  • PCI 4.0

  • CCPA / CPRA

  • CCM

  • NIST SP 800-53r5

  • NIST CSF

  • NIST AI RMF

  • FedRAMP

  • Cyber Essentials

Information Security Management System (ISMS) Plan 2022

NOTE: The ISMS Plan is NOT required to be accepted by employees.

The ISMS Plan covers all requirements necessary for the establishment of the company's Information Security Management System.

DCF-184

  • ISO 27001:13

  • ISO 27001:22

The Change Management Policy outlines the plans and procedures in place for managing changes across the organization, including infrastructure, systems, and applications.

DCF-567


DCF-305

  • SOC 2

  • ISO 27001:13

  • ISO 27001:22

  • ISO 27017:15

  • ISO 27018:19

  • PCI 3.2.1

  • PCI 4.0

  • CCM

  • NIST SP 800-53r5

  • NIST CSF

  • NIST AI RMF

  • FedRAMP

  • Cyber Essentials

Maintenance Management Policy

The Maintenance Management Policy ensures IT resources are maintained in compliance with security policies, standards, and procedures.

DCF-575

  • NIST SP 800-53r5

  • NIST CSF

  • FedRAMP

System and Information Integrity Policy

The System Integrity Plan ensures the implementation of security best practices with regard to system configuration, security, and error handling

DCF-576

  • NIST SP 800-53r5

  • NIST CSF

  • FedRAMP

System and Services Acquisition Policy

The System and Service Acquisition Policy ensures that resources and information systems are acquired with security requirements to meet the information systems mission and business objectives.

DCF-578

  • NIST SP 800-53r5

  • FedRAMP

System Security Planning Policy

The System Security Planning Policy outlines how an organization establishes its resources and information systems with effective security controls and control enhancements that reflect applicable rules, regulations, guidelines and other obligations.

DCF-577

  • NIST SP 800-53r5

  • CCM

  • FedRAMP

Information Governance Policy

The Information Governance Policy outlines policies and procedures to manage information governance across the organization in compliance with security policies, standards, and procedures.

DCF-668

  • CCM

Shared Responsibility Policy

The Shared Responsibility Policy outlines policies and procedures to delineate and manage shared security responsibilities between Cloud Service Providers (CSP) and Cloud Service Customers (CSC).

DCF-669

  • CCM

  • ISO 27018:19

  • ISO 27017:15

Network Security Policy

The Network Security Policy outlines requirements for deployment, management and operation of network security controls at the company.

DCF-678

  • SOC 2

  • ISO 27001:13

  • ISO 27001:22

  • ISO 27017:15

  • ISO 27018:19

  • HIPAA

  • GDPR

  • PCI 3.2.1

  • PCI 4.0

  • CCPA / CPRA

  • CCM

  • NIST SP 800-53r5

  • NIST CSF

  • NIST AI RMF

  • FedRAMP

  • Cyber Essentials

Public Cloud PII Protection Policy

The Public Cloud PII Protection Policy outlines the safeguards in place for the personally identifiable information of the company's customers that may be processed in the company's public cloud service, to ensure that the company complies with the legal, statutory, regulatory, and contractual requirements necessary to process personally identifiable information, and to provide transparency to their customers.

DCF-697

ISO 27018:19

AI Governance Policy

The AI Governance Policy outlines the company's rules and requirements for responsible AI practices.

DCF-800


DCF-163

NIST AI RMF

AI Risk Management Policy

The AI Risk Management Policy outlines the scope and methodology or AI risk assessments, evaluation, and mitigation.

DCF-801

NIST AI RMF

AI System Development and Evaluation Policy

The AI Development and Evaluation Policy outlines the company's practices, roles, and responsibilities in the safe design, development, deployment, use, and evaluation of AI systems to minimize negative impacts.

DCF-806

NIST AI RMF

PCI DSS Compliance Policy

The PCI DSS Compliance Policy outlines the safeguards and activities that the company will implement to achieve compliance with Payment Card Industry Data Security Standard (PCI DSS).

DCF-740

PCI 4.0

Logging and Monitoring Policy

The Logging and Monitoring policy outlines requirements for audit logging and monitoring of system activity. Frequent monitoring and maintenance of audit trails are required to effectively assess information system controls, operations, and general security.

DCF-741

  • SOC 2

  • ISO 27001:13

  • ISO 27001:22

  • ISO 27017:15

  • ISO 27018:19

  • HIPAA

  • GDPR

  • PCI 3.2.1

  • PCI 4.0

  • CCPA / CPRA

  • CCM

  • NIST SP 800-53r5

  • NIST CSF

  • NIST AI RMF

  • FedRAMP

  • Cyber Essentials

Did this answer your question?