Background
Each framework has its own set of requirements, standards, and policies that must be implemented to achieve and maintain compliance. Knowing which policies each framework requires brings efficiency, allows prioritization, gives clear guidance for implementation, and helps organizations take a systematic approach to streamlining compliance efforts and allocating resources.
List of Which Policies Apply to Each Framework
SOC 2
Acceptable Use Policy
Asset Management Policy
Backup Policy
Business Continuity Plan
Code of Conduct
Data Classification Policy - if including Confidentiality and/or Processing Integrity TSC
Data Retention Policy - if including Confidentiality and/or Privacy TSC
Data Protection Policy
Disaster Recovery Plan
Encryption Policy
Incident Response Plan
Information Security Policy
Password Policy
Physical Security Policy
Responsible Disclosure Policy
Risk Assessment Policy
Software Development Life Cycle Policy
System Access Control Policy
Vendor Management Policy
Vulnerability Management Policy
ISO 27001:2013
Acceptable Use Policy
Asset Management Policy
Backup Policy
Business Continuity Plan
Code of Conduct
Data Classification Policy
Data Retention Policy
Data Protection Policy
Disaster Recovery Plan
Encryption Policy
Incident Response Plan
Information Security Policy
Password Policy
Physical Security Policy
Responsible Disclosure Policy
Risk Assessment Policy
Software Development Life Cycle Policy
System Access Control Policy
Vendor Management Policy
Vulnerability Management Policy
Information Security Management System (ISMS) Plan 2013
ISO 27001:2022
Acceptable Use Policy
Asset Management Policy
Backup Policy
Business Continuity Plan
Code of Conduct
Data Classification Policy
Data Retention Policy
Data Protection Policy
Disaster Recovery Plan
Encryption Policy
Incident Response Plan
Information Security Policy
Password Policy
Physical Security Policy
Responsible Disclosure Policy
Risk Assessment Policy
Software Development Life Cycle Policy
System Access Control Policy
Vendor Management Policy
Vulnerability Management Policy
Information Security Management System (ISMS) Plan 2022
Change Management Policy
HIPAA
Acceptable Use Policy
Asset Management Policy
Backup Policy
Breach Notification Policy
Business Associate Policy
Business Continuity Plan
Code of Conduct
Data Classification Policy (Privacy Version)
Data Retention Policy (Privacy Version)
Data Protection Policy (Privacy Version)
Disaster Recovery Plan
Encryption Policy
Incident Response Plan (Privacy Version)
Information Security Policy
Password Policy
Physical Security Policy
Privacy, Use, and Disclosure Policy
Responsible Disclosure Policy
Risk Assessment Policy
Software Development Life Cycle Policy
System Access Control Policy (Privacy Version)
Vendor Management Policy
Vulnerability Management Policy
PCI-DSS v3.2
Acceptable Use Policy - if required to complete either SAQ D or C
Asset Management Policy
Backup Policy - if required to complete either SAQ D, A-EP, or C
Business Continuity Plan - if required to complete either SAQ D, A-EP, or C
Code of Conduct
Data Classification Policy
Data Retention Policy - if required to complete SAQ D
Data Protection Policy - if required to complete SAQ D
Disaster Recovery Plan - if required to complete either SAQ D, A-EP, or C
Encryption Policy - if required to complete either SAQ D, A-EP, or C
Incident Response Plan - if required to complete either SAQ D, A, A-EP, or C
Information Security Policy - if required to complete either SAQ D, A-EP, or C
Password Policy - if required to complete either SAQ D, A, A-EP, or C
Physical Security Policy - if required to complete SAQ D
Responsible Disclosure Policy
Risk Assessment Policy - if required to complete either SAQ D, A-EP, or C
Software Development Life Cycle Policy - if required to complete SAQ D
System Access Control Policy
Vendor Management Policy
Vulnerability Management Policy - if required to complete either SAQ D, A-EP, or C
GDPR
Acceptable Use Policy
Asset Management Policy
Backup Policy
Business Continuity Plan
Code of Conduct
Data Classification Policy (Privacy Version)
Data Retention Policy (Privacy Version)
Data Protection Policy (Privacy Version)
Disaster Recovery Plan
Encryption Policy
Incident Response Plan (Privacy Version)
Information Security Policy
Password Policy
Physical Security Policy
Responsible Disclosure Policy
Risk Assessment Policy
Software Development Life Cycle Policy
System Access Control Policy (Privacy Version)
Vendor Management Policy
Vulnerability Management Policy
CCPA / CPRA
Acceptable Use Policy
Asset Management Policy
Backup Policy
Business Continuity Plan
Code of Conduct
Data Classification Policy (Privacy Version)
Data Retention Policy (Privacy Version)
Data Protection Policy (Privacy Version)
Disaster Recovery Plan
Encryption Policy
Incident Response Plan (Privacy Version)
Information Security Policy
Password Policy
Personal Data Management Policy
Physical Security Policy
Responsible Disclosure Policy
Risk Assessment Policy
Software Development Life Cycle Policy
System Access Control Policy (Privacy Version)
Vendor Management Policy
Vulnerability Management Policy
NIST SP 800-53
Acceptable Use Policy
Asset Management Policy
Backup Policy
Business Continuity Plan
Code of Conduct
Data Classification Policy
Data Retention Policy
Data Protection Policy
Disaster Recovery Plan
Encryption Policy
Incident Response Plan
Information Security Policy
Password Policy
Physical Security Policy
Responsible Disclosure Policy
Risk Assessment Policy
Software Development Life Cycle Policy
System Access Control Policy
Vendor Management Policy
Vulnerability Management Policy
Change Management Policy
Maintenance Management Policy
System and Information Integrity Policy
System and Services Acquisition Policy
System Security Planning Policy
NIST CSF
Acceptable Use Policy
Asset Management Policy
Backup Policy
Business Continuity Plan
Code of Conduct
Data Classification Policy
Data Retention Policy
Data Protection Policy
Disaster Recovery Plan
Encryption Policy
Incident Response Plan
Information Security Policy
Password Policy
Physical Security Policy
Responsible Disclosure Policy
Risk Assessment Policy
Software Development Life Cycle Policy
System Access Control Policy
Vendor Management Policy
Vulnerability Management Policy
Change Management Policy
Maintenance Management Policy
System and Information Integrity Policy
Cyber Essentials
Acceptable Use Policy
Asset Management Policy
Backup Policy
Business Continuity Plan
Code of Conduct
Data Classification Policy
Data Retention Policy
Data Protection Policy
Disaster Recovery Plan
Encryption Policy
Incident Response Plan
Information Security Policy
Password Policy
Physical Security Policy
Responsible Disclosure Policy
Risk Assessment Policy
Software Development Life Cycle Policy
System Access Control Policy
Vendor Management Policy
Vulnerability Management Policy
Global Network Firewall Policy
CCM
Acceptable Use Policy
Asset Management Policy
Backup Policy
Business Continuity Plan
Code of Conduct
Data Classification Policy
Data Retention Policy
Data Protection Policy
Disaster Recovery Plan
Encryption Policy
Incident Response Plan
Information Security Policy
Password Policy
Physical Security Policy
Responsible Disclosure Policy
Risk Assessment Policy
Software Development Life Cycle Policy
System Access Control Policy
Vendor Management Policy
Vulnerability Management Policy
Information Governance Policy
Shared Responsibility Policy