
Policies to Framework Summary

Updated over 2 weeks ago

Background

Each framework has a unique set of requirements, standards, and policies that must be implemented to achieve and maintain compliance. Understanding which policies are essential for each framework increases efficiency, enables prioritization, provides clear implementation guidance, and helps organizations develop a systematic approach to streamline compliance efforts and properly allocate resources.

The Compliance Advisors team has written guidance articles to provide more context for many of the policies. Where available, the policy names link to related guidance articles.

Policies to Framework Summary Table

Each entry below gives the policy name, a short description, the frameworks that call for the policy, the DCF control that corresponds to the policy itself (Policy Control), and the further DCF controls the policy relates to (Related DCF Controls).

Acceptable Use Policy
Description: The Acceptable Use Policy specifies acceptable use of end-user computing devices and technology.
Frameworks: FedRAMP, ISO/IEC 27001:2022, CCPA, COBIT 2019, Cyber Essentials, FFIEC, CMMC 2.0, CPRA, GDPR, HIPAA, ISO/IEC 27001:2013, ISO/IEC 27701:2019, Microsoft SSPA, NIS 2, NIST 800-53r5, NIST 800-171r2, NIST 800-171r3, NIST AI RMF, NIST CSF 1.1, NIST CSF 2.0, PCI DSS v3.2.1, PCI DSS v4.0, PCI DSS v4.0.1, SOC 2, SOX ITGC, ISO/IEC 42001:2023, DORA, Drata Essentials, CCM, CIS 8.1, HITRUST, Cyber Essentials v3.2, FedRAMP 20x, Essential Eight
Policy Control: DCF-37
Related DCF Controls: DCF-1, DCF-106, DCF-32, DCF-37, DCF-40, DCF-43, DCF-50, DCF-51, DCF-558, DCF-763, DCF-780

Asset Management Policy
Description: The Asset Management Policy defines the implementation and documentation of asset management practices, plans, processes, and procedures within the organization.
Frameworks: FedRAMP, ISO/IEC 27001:2022, CCPA, COBIT 2019, Cyber Essentials, FFIEC, CMMC 2.0, CPRA, GDPR, HIPAA, ISO/IEC 27001:2013, ISO/IEC 27701:2019, Microsoft SSPA, NIS 2, NIST 800-53r5, NIST 800-171r2, NIST 800-171r3, NIST AI RMF, NIST CSF 1.1, NIST CSF 2.0, PCI DSS v3.2.1, PCI DSS v4.0, PCI DSS v4.0.1, SOC 2, SOX ITGC, ISO/IEC 42001:2023, DORA, Drata Essentials, CCM, CIS 8.1, HITRUST, Cyber Essentials v3.2, FedRAMP 20x, Essential Eight
Policy Control: DCF-182
Related DCF Controls: DCF-1, DCF-12, DCF-149, DCF-182, DCF-20, DCF-21, DCF-229, DCF-240, DCF-244, DCF-267, DCF-32, DCF-385, DCF-50, DCF-51, DCF-574, DCF-606, DCF-621, DCF-622, DCF-671, DCF-743, DCF-777, DCF-785, DCF-818, DCF-819, DCF-821, DCF-87, DCF-788, DCF-885, DCF-886, DCF-887, DCF-888, DCF-889, DCF-890, DCF-891, DCF-892, DCF-893, DCF-923, DCF-924, DCF-920

Backup Policy
Description: The Backup Policy defines the procedures and schedule by which information from business applications is copied, so that data can be recovered after accidental deletion, data corruption, or a system outage.
Frameworks: FedRAMP, ISO/IEC 27001:2022, CCPA, COBIT 2019, Cyber Essentials, FFIEC, CPRA, GDPR, HIPAA, ISO/IEC 27001:2013, ISO/IEC 27701:2019, Microsoft SSPA, NIS 2, NIST 800-53r5, NIST AI RMF, NIST CSF 1.1, NIST CSF 2.0, PCI DSS v3.2.1, PCI DSS v4.0, PCI DSS v4.0.1, SOC 2, SOX ITGC, ISO/IEC 42001:2023, DORA, Drata Essentials, CCM, CIS 8.1, HITRUST, Cyber Essentials v3.2, FedRAMP 20x, Essential Eight
Policy Control: DCF-169
Related DCF Controls: DCF-100, DCF-169, DCF-27, DCF-32, DCF-77, DCF-78, DCF-98, DCF-99, DCF-987

Business Continuity Plan
Description: The Business Continuity Plan (BCP) outlines how the business will continue operations during an unplanned disruption in service.
Frameworks: FedRAMP, ISO/IEC 27001:2022, CCPA, COBIT 2019, Cyber Essentials, FFIEC, CMMC 2.0, CPRA, GDPR, HIPAA, ISO/IEC 27001:2013, ISO/IEC 27701:2019, Microsoft SSPA, NIS 2, NIST 800-53r5, NIST 800-171r2, NIST 800-171r3, NIST AI RMF, NIST CSF 1.1, NIST CSF 2.0, PCI DSS v3.2.1, PCI DSS v4.0, PCI DSS v4.0.1, SOC 2, SOX ITGC, ISO/IEC 42001:2023, DORA, CCM, CIS 8.1, HITRUST, Cyber Essentials v3.2, FedRAMP 20x, Essential Eight
Policy Control: DCF-166
Related DCF Controls: DCF-166, DCF-167, DCF-26, DCF-32, DCF-602, DCF-603, DCF-684, DCF-833

Code of Conduct
Description: The Code of Conduct defines the behavior expected from employees towards their colleagues, supervisors, and the overall organization.
Frameworks: ISO/IEC 27001:2022, CCPA, COBIT 2019, Cyber Essentials, FFIEC, CPRA, FedRAMP, GDPR, HIPAA, ISO/IEC 27001:2013, ISO/IEC 27701:2019, Microsoft SSPA, NIS 2, NIST 800-53r5, NIST AI RMF, NIST CSF 1.1, NIST CSF 2.0, PCI DSS v3.2.1, SOC 2, SOX ITGC, ISO/IEC 42001:2023, DORA, CCM, CIS 8.1, HITRUST, Cyber Essentials v3.2, FedRAMP 20x, Essential Eight
Policy Control: DCF-44
Related DCF Controls: DCF-105, DCF-32, DCF-40, DCF-44, DCF-627

Data Classification Policy
Description: The Data Classification Policy defines the high-level objectives and implementation instructions for the company's data classification scheme.
Frameworks: FedRAMP, ISO/IEC 27001:2022, CCPA, COBIT 2019, Cyber Essentials, FFIEC, CMMC 2.0, CPRA, GDPR, HIPAA, ISO/IEC 27001:2013, ISO/IEC 27701:2019, Microsoft SSPA, NIS 2, NIST 800-53r5, NIST 800-171r2, NIST 800-171r3, NIST AI RMF, NIST CSF 1.1, NIST CSF 2.0, PCI DSS v3.2.1, PCI DSS v4.0, PCI DSS v4.0.1, SOC 2, SOX ITGC, ISO/IEC 42001:2023, DORA, CCM, CIS 8.1, HITRUST, Cyber Essentials v3.2, FedRAMP 20x, Essential Eight
Policy Control: DCF-102
Related DCF Controls: DCF-102, DCF-186, DCF-32, DCF-384, DCF-528, DCF-569, DCF-797, DCF-840

Data Retention Policy
Description: The Data Retention Policy defines how long data is kept and when it must be deleted, either because it no longer serves its purpose or because its retention period has been met.
Frameworks: FedRAMP, ISO/IEC 27001:2022, CCPA, COBIT 2019, Cyber Essentials, FFIEC, CMMC 2.0, CPRA, GDPR, HIPAA, ISO/IEC 27001:2013, ISO/IEC 27701:2019, Microsoft SSPA, NIS 2, NIST 800-53r5, NIST 800-171r2, NIST 800-171r3, NIST AI RMF, NIST CSF 1.1, NIST CSF 2.0, PCI DSS v3.2.1, PCI DSS v4.0, PCI DSS v4.0.1, SOC 2, SOX ITGC, ISO/IEC 42001:2023, DORA, CCM, CIS 8.1, HITRUST, Cyber Essentials v3.2, FedRAMP 20x, Essential Eight
Policy Control: DCF-101, DCF-123
Related DCF Controls: DCF-101, DCF-103, DCF-107, DCF-109, DCF-123, DCF-253, DCF-32, DCF-390, DCF-391, DCF-782, DCF-797

Data Protection Policy
Description: The Data Protection Policy outlines many of the procedures and technical controls in support of data protection.
Frameworks: FedRAMP, ISO/IEC 27001:2022, CCPA, COBIT 2019, Cyber Essentials, FFIEC, CMMC 2.0, CPRA, GDPR, HIPAA, ISO/IEC 27001:2013, ISO/IEC 27701:2019, Microsoft SSPA, NIS 2, NIST 800-53r5, NIST 800-171r2, NIST 800-171r3, NIST AI RMF, NIST CSF 1.1, NIST CSF 2.0, PCI DSS v3.2.1, PCI DSS v4.0, PCI DSS v4.0.1, SOC 2, SOX ITGC, ISO/IEC 42001:2023, DORA, Drata Essentials, CCM, CIS 8.1, HITRUST, Cyber Essentials v3.2, FedRAMP 20x, Essential Eight
Policy Control: DCF-45
Related DCF Controls: DCF-1, DCF-107, DCF-108, DCF-109, DCF-123, DCF-149, DCF-150, DCF-174, DCF-177, DCF-180, DCF-186, DCF-189, DCF-197, DCF-289, DCF-3, DCF-32, DCF-381, DCF-385, DCF-386, DCF-388, DCF-45, DCF-52, DCF-527, DCF-528, DCF-536, DCF-539, DCF-54, DCF-55, DCF-569, DCF-58, DCF-590, DCF-592, DCF-594, DCF-595, DCF-596, DCF-597, DCF-60, DCF-61, DCF-647, DCF-775, DCF-78, DCF-80, DCF-81, DCF-93

Disaster Recovery Plan
Description: The Disaster Recovery Plan (DRP) is the documented, structured approach to how the company can quickly resume work after an unplanned incident.
Frameworks: FedRAMP, ISO/IEC 27001:2022, CCPA, COBIT 2019, Cyber Essentials, FFIEC, CPRA, GDPR, HIPAA, ISO/IEC 27001:2013, ISO/IEC 27701:2019, Microsoft SSPA, NIS 2, NIST 800-53r5, NIST AI RMF, NIST CSF 1.1, NIST CSF 2.0, PCI DSS v3.2.1, PCI DSS v4.0, PCI DSS v4.0.1, SOC 2, SOX ITGC, ISO/IEC 42001:2023, DORA, Drata Essentials, CCM, CIS 8.1, HITRUST, Cyber Essentials v3.2, FedRAMP 20x, Essential Eight
Policy Control: DCF-25
Related DCF Controls: DCF-25, DCF-26, DCF-27, DCF-32, DCF-602, DCF-603

Encryption Policy
Description: The Encryption Policy establishes the types of data, devices, and media that must be encrypted, when encryption must be used, and the minimum standards for the software and techniques used for encryption.
Frameworks: FedRAMP, ISO/IEC 27001:2022, CCPA, COBIT 2019, Cyber Essentials, FFIEC, CMMC 2.0, CPRA, GDPR, HIPAA, ISO/IEC 27001:2013, ISO/IEC 27701:2019, Microsoft SSPA, NIS 2, NIST 800-53r5, NIST 800-171r2, NIST 800-171r3, NIST AI RMF, NIST CSF 1.1, NIST CSF 2.0, PCI DSS v3.2.1, PCI DSS v4.0, PCI DSS v4.0.1, SOC 2, SOX ITGC, ISO/IEC 42001:2023, DORA, CCM, CIS 8.1, HITRUST, Cyber Essentials v3.2, FedRAMP 20x, Essential Eight
Policy Control: DCF-181
Related DCF Controls: DCF-181, DCF-231, DCF-273, DCF-278, DCF-284, DCF-32, DCF-53, DCF-54, DCF-55, DCF-609, DCF-645, DCF-680, DCF-779, DCF-792, DCF-93, DCF-912, DCF-937, DCF-936

Incident Response Plan
Description: The Incident Response Plan establishes procedures and controls to ensure detection of security vulnerabilities and incidents, as well as a quick reaction and response to security breaches.
Frameworks: FedRAMP, ISO/IEC 27001:2022, CCPA, COBIT 2019, Cyber Essentials, FFIEC, CMMC 2.0, CPRA, GDPR, HIPAA, ISO/IEC 27001:2013, ISO/IEC 27701:2019, Microsoft SSPA, NIS 2, NIST 800-53r5, NIST 800-171r2, NIST 800-171r3, NIST AI RMF, NIST CSF 1.1, NIST CSF 2.0, PCI DSS v3.2.1, PCI DSS v4.0, PCI DSS v4.0.1, SOC 2, SOX ITGC, ISO/IEC 42001:2023, DORA, Drata Essentials, CCM, CIS 8.1, HITRUST, Cyber Essentials v3.2, FedRAMP 20x, Essential Eight
Policy Control: DCF-159
Related DCF Controls: DCF-130, DCF-131, DCF-135, DCF-154, DCF-159, DCF-28, DCF-29, DCF-30, DCF-32, DCF-34, DCF-35, DCF-499, DCF-517, DCF-711, DCF-744, DCF-761, DCF-767, DCF-815, DCF-828, DCF-835, DCF-871, DCF-872, DCF-9, DCF-8

Information Security Policy
Description: The Information Security Policy outlines the rules, policies, and procedures designed to ensure that all users and networks within the company meet minimum IT security and data protection requirements.
Frameworks: FedRAMP, ISO/IEC 27001:2022, CCPA, COBIT 2019, Cyber Essentials, FFIEC, CMMC 2.0, CPRA, GDPR, HIPAA, ISO/IEC 27001:2013, ISO/IEC 27701:2019, Microsoft SSPA, NIS 2, NIST 800-53r5, NIST 800-171r2, NIST 800-171r3, NIST AI RMF, NIST CSF 1.1, NIST CSF 2.0, PCI DSS v3.2.1, PCI DSS v4.0, PCI DSS v4.0.1, SOC 2, SOX ITGC, ISO/IEC 42001:2023, DORA, Drata Essentials, CCM, CIS 8.1, HITRUST, Cyber Essentials v3.2, FedRAMP 20x, Essential Eight
Policy Control: DCF-13
Related DCF Controls: DCF-1, DCF-105, DCF-13, DCF-160, DCF-170, DCF-171, DCF-173, DCF-174, DCF-179, DCF-190, DCF-191, DCF-32, DCF-33, DCF-34, DCF-36, DCF-39, DCF-42, DCF-46, DCF-47, DCF-503, DCF-516, DCF-528, DCF-570, DCF-681, DCF-685, DCF-742, DCF-745, DCF-746, DCF-826, DCF-827, DCF-837, DCF-9, DCF-914, DCF-915, DCF-916, DCF-921, DCF-922, DCF-8

Password Policy
Description: The Password Policy describes the company's procedure for selecting and securely managing passwords.
Frameworks: FedRAMP, ISO/IEC 27001:2022, CCPA, COBIT 2019, Cyber Essentials, FFIEC, CMMC 2.0, CPRA, GDPR, HIPAA, ISO/IEC 27001:2013, ISO/IEC 27701:2019, Microsoft SSPA, NIS 2, NIST 800-53r5, NIST 800-171r2, NIST 800-171r3, NIST AI RMF, NIST CSF 1.1, NIST CSF 2.0, PCI DSS v3.2.1, PCI DSS v4.0, PCI DSS v4.0.1, SOC 2, SOX ITGC, ISO/IEC 42001:2023, DORA, Drata Essentials, CCM, CIS 8.1, HITRUST, Cyber Essentials v3.2, FedRAMP 20x, Essential Eight
Policy Control: DCF-68
Related DCF Controls: DCF-32, DCF-339, DCF-340, DCF-346, DCF-350, DCF-352, DCF-356, DCF-49, DCF-58, DCF-605, DCF-608, DCF-67, DCF-68, DCF-820

Physical Security Policy
Description: The Physical Security Policy establishes the rules governing the control, monitoring, and removal of physical access to the company's facilities.
Frameworks: FedRAMP, ISO/IEC 27001:2022, CCPA, COBIT 2019, Cyber Essentials, FFIEC, CMMC 2.0, CPRA, GDPR, HIPAA, ISO/IEC 27001:2013, ISO/IEC 27701:2019, Microsoft SSPA, NIS 2, NIST 800-53r5, NIST 800-171r2, NIST 800-171r3, NIST AI RMF, NIST CSF 1.1, NIST CSF 2.0, PCI DSS v3.2.1, PCI DSS v4.0, PCI DSS v4.0.1, SOC 2, SOX ITGC, ISO/IEC 42001:2023, DORA, CCM, CIS 8.1, HITRUST, Cyber Essentials v3.2, FedRAMP 20x, Essential Eight
Policy Control: DCF-94
Related DCF Controls: DCF-108, DCF-109, DCF-147, DCF-32, DCF-363, DCF-364, DCF-365, DCF-366, DCF-367, DCF-368, DCF-369, DCF-372, DCF-374, DCF-375, DCF-377, DCF-378, DCF-379, DCF-380, DCF-381, DCF-382, DCF-571, DCF-572, DCF-573, DCF-625, DCF-655, DCF-749, DCF-816, DCF-836, DCF-94, DCF-917

Risk Assessment Policy
Description: The Risk Assessment Policy defines the methodology for assessing and treating information security risks within the company, and defines the acceptable level of risk as set by the company's leadership.
Frameworks: FedRAMP, ISO/IEC 27001:2022, CCPA, COBIT 2019, Cyber Essentials, FFIEC, CMMC 2.0, CPRA, GDPR, HIPAA, ISO/IEC 27001:2013, ISO/IEC 27701:2019, Microsoft SSPA, NIS 2, NIST 800-53r5, NIST 800-171r2, NIST 800-171r3, NIST AI RMF, NIST CSF 1.1, NIST CSF 2.0, PCI DSS v3.2.1, PCI DSS v4.0, PCI DSS v4.0.1, SOC 2, SOX ITGC, ISO/IEC 42001:2023, DORA, CCM, CIS 8.1, HITRUST, Cyber Essentials v3.2, FedRAMP 20x, Essential Eight
Policy Control: DCF-15
Related DCF Controls: DCF-15, DCF-157, DCF-16, DCF-17, DCF-185, DCF-32, DCF-626, DCF-660, DCF-798, DCF-807, DCF-808, DCF-842, DCF-843, DCF-844, DCF-845, DCF-846, DCF-869, DCF-870, DCF-873, DCF-874, DCF-911

Software Development Life Cycle Policy
Description: The Software Development Life Cycle Policy defines the high-level requirements that guide business program managers, business project managers, technical project managers, and other program and project stakeholders through the approval, planning, and life cycle development of the company's software systems.
Frameworks: FedRAMP, ISO/IEC 27001:2022, CCPA, COBIT 2019, Cyber Essentials, FFIEC, CMMC 2.0, CPRA, GDPR, HIPAA, ISO/IEC 27001:2013, ISO/IEC 27701:2019, Microsoft SSPA, NIS 2, NIST 800-53r5, NIST 800-171r2, NIST 800-171r3, NIST AI RMF, NIST CSF 1.1, NIST CSF 2.0, PCI DSS v3.2.1, PCI DSS v4.0, PCI DSS v4.0.1, SOC 2, SOX ITGC, ISO/IEC 42001:2023, DORA, Drata Essentials, CCM, CIS 8.1, HITRUST, Cyber Essentials v3.2, FedRAMP 20x, Essential Eight
Policy Control: DCF-31
Related DCF Controls: DCF-104, DCF-155, DCF-156, DCF-172, DCF-304, DCF-31, DCF-312, DCF-32, DCF-4, DCF-5, DCF-6, DCF-637, DCF-646, DCF-670, DCF-7, DCF-712, DCF-76, DCF-781, DCF-926

System Access Control Policy
Description: The System Access Control Policy defines procedures to onboard and offboard users to technical infrastructure in a manner that minimizes the risk of information loss or exposure.
Frameworks: FedRAMP, ISO/IEC 27001:2022, CCPA, COBIT 2019, Cyber Essentials, FFIEC, CMMC 2.0, CPRA, GDPR, HIPAA, ISO/IEC 27001:2013, ISO/IEC 27701:2019, Microsoft SSPA, NIS 2, NIST 800-53r5, NIST 800-171r2, NIST 800-171r3, NIST AI RMF, NIST CSF 1.1, NIST CSF 2.0, PCI DSS v3.2.1, PCI DSS v4.0, PCI DSS v4.0.1, SOC 2, SOX ITGC, ISO/IEC 42001:2023, DORA, Drata Essentials, CCM, CIS 8.1, HITRUST, Cyber Essentials v3.2, FedRAMP 20x, Essential Eight
Policy Control: DCF-10
Related DCF Controls: DCF-10, DCF-11, DCF-2, DCF-32, DCF-326, DCF-329, DCF-330, DCF-335, DCF-336, DCF-345, DCF-355, DCF-43, DCF-48, DCF-49, DCF-52, DCF-557, DCF-562, DCF-579, DCF-580, DCF-582, DCF-584, DCF-585, DCF-586, DCF-59, DCF-607, DCF-611, DCF-62, DCF-638, DCF-639, DCF-648, DCF-67, DCF-68, DCF-688, DCF-69, DCF-70, DCF-71, DCF-714, DCF-716, DCF-717, DCF-72, DCF-725, DCF-726, DCF-73, DCF-743, DCF-75, DCF-776, DCF-783, DCF-793, DCF-795, DCF-822, DCF-838, DCF-867, DCF-92, DCF-787, DCF-895, DCF-894, DCF-910, DCF-747, DCF-955, DCF-956, DCF-957, DCF-958, DCF-959, DCF-960, DCF-961, DCF-962, DCF-963

Vendor Management Policy
Description: The Vendor Management Policy defines the rules for relationships with the company's Information Technology (IT) vendors and partners.
Frameworks: FedRAMP, ISO/IEC 27001:2022, CCPA, COBIT 2019, Cyber Essentials, FFIEC, CMMC 2.0, CPRA, GDPR, HIPAA, ISO/IEC 27001:2013, ISO/IEC 27701:2019, Microsoft SSPA, NIS 2, NIST 800-53r5, NIST 800-171r2, NIST 800-171r3, NIST AI RMF, NIST CSF 1.1, NIST CSF 2.0, PCI DSS v3.2.1, PCI DSS v4.0, PCI DSS v4.0.1, SOC 2, SOX ITGC, ISO/IEC 42001:2023, DORA, Drata Essentials, CCM, CIS 8.1, HITRUST, Cyber Essentials v3.2, FedRAMP 20x, Essential Eight
Policy Control: DCF-168
Related DCF Controls: DCF-127, DCF-128, DCF-129, DCF-132, DCF-133, DCF-134, DCF-168, DCF-32, DCF-507, DCF-537, DCF-56, DCF-57, DCF-632, DCF-762, DCF-847, DCF-849, DCF-868, DCF-905, DCF-919, DCF-943

Vulnerability Management Policy
Description: The Vulnerability Management Policy outlines the company's procedures to uncover, classify, track, and remediate security vulnerabilities.
Frameworks: FedRAMP, ISO/IEC 27001:2022, CCPA, COBIT 2019, Cyber Essentials, FFIEC, CMMC 2.0, CPRA, GDPR, HIPAA, ISO/IEC 27001:2013, ISO/IEC 27701:2019, Microsoft SSPA, NIS 2, NIST 800-53r5, NIST 800-171r2, NIST 800-171r3, NIST AI RMF, NIST CSF 1.1, NIST CSF 2.0, PCI DSS v3.2.1, PCI DSS v4.0, PCI DSS v4.0.1, SOC 2, SOX ITGC, ISO/IEC 42001:2023, DORA, Drata Essentials, CCM, CIS 8.1, HITRUST, Cyber Essentials v3.2, FedRAMP 20x, Essential Eight
Policy Control: DCF-183
Related DCF Controls: DCF-152, DCF-18, DCF-183, DCF-188, DCF-19, DCF-23, DCF-24, DCF-291, DCF-293, DCF-294, DCF-296, DCF-297, DCF-32, DCF-456, DCF-465, DCF-50, DCF-522, DCF-677, DCF-687, DCF-784, DCF-817, DCF-875, DCF-467, DCF-464, DCF-902, DCF-903, DCF-940, DCF-986

Business Associate Policy
Description: The Business Associate Policy provides the process for Business Associate Agreements (BAAs) and the contractual arrangements required by the HIPAA Privacy and Security Rules.
Frameworks: HIPAA
Policy Control: DCF-195
Related DCF Controls: DCF-195

Breach Notification Policy
Description: The Breach Notification Policy defines how breaches are reported and managed, as well as the thresholds for notifying the various parties, per HIPAA requirements.
Frameworks: HIPAA
Policy Control: DCF-193
Related DCF Controls: DCF-193

Privacy, Use, and Disclosure Policy
Description: The Privacy, Use, and Disclosure Policy covers the HIPAA Privacy Rule and ensures that protected health information (PHI) is only released to authorized parties with proper documentation.
Frameworks: HIPAA
Policy Control: DCF-192
Related DCF Controls: DCF-192, DCF-196

Information Security Management System (ISMS) Plan 2022
NOTE: The ISMS Plan is NOT required to be accepted by employees.
Description: The ISMS Plan covers all requirements necessary for the establishment of the company's Information Security Management System.
Frameworks: ISO/IEC 27001:2022, ISO/IEC 27001:2013
Policy Control: DCF-184
Related DCF Controls: DCF-1, DCF-113, DCF-114, DCF-129, DCF-13, DCF-142, DCF-151, DCF-153, DCF-161, DCF-162, DCF-163, DCF-164, DCF-165, DCF-170, DCF-172, DCF-175, DCF-176, DCF-178, DCF-179, DCF-184, DCF-34, DCF-35, DCF-42, DCF-535, DCF-566, DCF-568, DCF-789, DCF-80, DCF-81, DCF-82, DCF-83, DCF-84, DCF-89

Change Management Policy
Description: The Change Management Policy outlines the plans and procedures in place for managing changes across the organization, including infrastructure, systems, and applications.
Frameworks: FedRAMP, ISO/IEC 27001:2022, CCPA, COBIT 2019, Cyber Essentials, FFIEC, CMMC 2.0, CPRA, GDPR, HIPAA, ISO/IEC 27001:2013, ISO/IEC 27701:2019, Microsoft SSPA, NIS 2, NIST 800-53r5, NIST 800-171r2, NIST 800-171r3, NIST AI RMF, NIST CSF 1.1, NIST CSF 2.0, PCI DSS v3.2.1, PCI DSS v4.0, PCI DSS v4.0.1, SOC 2, SOX ITGC, ISO/IEC 42001:2023, DORA, CCM, CIS 8.1, HITRUST, Cyber Essentials v3.2, FedRAMP 20x, Essential Eight
Policy Control: DCF-567, DCF-305
Related DCF Controls: DCF-104, DCF-155, DCF-156, DCF-187, DCF-304, DCF-305, DCF-4, DCF-5, DCF-567, DCF-598, DCF-6, DCF-601, DCF-7, DCF-76, DCF-814, DCF-925, DCF-935, DCF-939, DCF-941, DCF-988, DCF-964, DCF-965, DCF-966, DCF-967, DCF-968, DCF-969, DCF-970, DCF-973, DCF-974, DCF-975, DCF-976, DCF-978, DCF-979, DCF-980, DCF-981, DCF-982, DCF-983, DCF-984, DCF-977

Maintenance Management Policy
Description: The Maintenance Management Policy ensures that IT resources are maintained in compliance with security policies, standards, and procedures.
Frameworks: FedRAMP, CMMC 2.0, NIST 800-53r5, NIST 800-171r2, NIST 800-171r3, NIST CSF 2.0, DORA, CIS 8.1, HITRUST
Policy Control: DCF-575
Related DCF Controls: DCF-575, DCF-614, DCF-615, DCF-616, DCF-617, DCF-618, DCF-619, DCF-799

System and Information Integrity Policy
Description: The System and Information Integrity Policy ensures the implementation of security best practices with regard to system configuration, security, and error handling.
Frameworks: FedRAMP, CMMC 2.0, NIST 800-53r5, NIST 800-171r2, NIST 800-171r3, NIST CSF 2.0, DORA, CIS 8.1, HITRUST, Essential Eight
Policy Control: DCF-576
Related DCF Controls: DCF-576, DCF-644, DCF-649, DCF-650, DCF-651, DCF-652, DCF-653, DCF-654, DCF-655, DCF-656, DCF-672, DCF-687, DCF-823, DCF-839

System Security Planning Policy
Description: The System Security Planning Policy outlines how an organization establishes its resources and information systems with effective security controls and control enhancements that reflect applicable rules, regulations, guidelines, and other obligations.
Frameworks: FedRAMP, CMMC 2.0, NIST 800-53r5, NIST 800-171r2, NIST 800-171r3, CCM
Policy Control: DCF-577
Related DCF Controls: DCF-577, DCF-581, DCF-640, DCF-649, DCF-790

System and Services Acquisition Policy
Description: The System and Services Acquisition Policy ensures that resources and information systems are acquired with the security requirements needed to meet the information systems' mission and business objectives.
Frameworks: FedRAMP, CMMC 2.0, NIS 2, NIST 800-53r5, NIST 800-171r2, NIST 800-171r3, DORA
Policy Control: DCF-578
Related DCF Controls: DCF-578, DCF-792

Personal Data Management Policy
Description: The Personal Data Management Policy outlines policies and procedures to manage personal data across the organization in compliance with privacy laws and regulations.
Frameworks: CCPA, CPRA, GDPR, HITRUST
Policy Control: DCF-545
Related DCF Controls: DCF-117, DCF-545, DCF-551, DCF-554, DCF-555, DCF-950

Information Governance Policy
Description: The Information Governance Policy outlines policies and procedures to manage information governance across the organization in compliance with security policies, standards, and procedures.
Frameworks: DORA, CCM, HITRUST
Policy Control: DCF-668
Related DCF Controls: DCF-668, DCF-927

Shared Responsibility Policy
Description: The Shared Responsibility Policy outlines policies and procedures to delineate and manage shared security responsibilities between Cloud Service Providers (CSPs) and Cloud Service Customers (CSCs).
Frameworks: ISO/IEC 27018:2019, ISO/IEC 27017:2015, CCM
Policy Control: DCF-669
Related DCF Controls: DCF-666, DCF-669

Network Security Policy
Description: The Network Security Policy outlines requirements for the deployment, management, and operation of network security controls at the company.
Frameworks: ISO/IEC 27001:2022, CCPA, COBIT 2019, Cyber Essentials, FFIEC, CMMC 2.0, CPRA, FedRAMP, GDPR, HIPAA, ISO/IEC 27001:2013, ISO/IEC 27701:2019, Microsoft SSPA, NIS 2, NIST 800-53r5, NIST 800-171r2, NIST 800-171r3, NIST AI RMF, NIST CSF 1.1, NIST CSF 2.0, PCI DSS v3.2.1, PCI DSS v4.0, PCI DSS v4.0.1, SOC 2, SOX ITGC, ISO/IEC 42001:2023, DORA, CCM, CIS 8.1, HITRUST, Cyber Essentials v3.2, FedRAMP 20x, Essential Eight
Policy Control: DCF-678
Related DCF Controls: DCF-201, DCF-204, DCF-206, DCF-21, DCF-210, DCF-212, DCF-215, DCF-218, DCF-22, DCF-32, DCF-477, DCF-678, DCF-73, DCF-748, DCF-75, DCF-85, DCF-88, DCF-91, DCF-904, DCF-901, DCF-913, DCF-449, DCF-447, DCF-918, DCF-930, DCF-971, DCF-972

Public Cloud PII Protection Policy
Description: The Public Cloud PII Protection Policy outlines the safeguards for customers' personally identifiable information (PII) that may be processed in the company's public cloud service. It ensures that the company meets the legal, statutory, regulatory, and contractual requirements for processing PII and provides transparency to its customers.
Frameworks: NIST AI RMF, ISO/IEC 27018:2019, HITRUST
Policy Control: DCF-697
Related DCF Controls: DCF-121, DCF-125, DCF-128, DCF-283, DCF-383, DCF-386, DCF-530, DCF-691, DCF-692, DCF-693, DCF-694, DCF-695, DCF-696, DCF-697

AI Governance Policy
Description: The AI Governance Policy outlines the company's rules and requirements for responsible AI practices.
Frameworks: NIST AI RMF, ISO/IEC 42001:2023
Policy Control: DCF-800
Related DCF Controls: DCF-800, DCF-802, DCF-803, DCF-804, DCF-805, DCF-809, DCF-810, DCF-878, DCF-170.AI

AI Risk Management Policy
Description: The AI Risk Management Policy outlines the scope and methodology for AI risk assessment, evaluation, and mitigation.
Frameworks: NIST AI RMF, ISO/IEC 42001:2023
Policy Control: DCF-801
Related DCF Controls: DCF-801, DCF-802, DCF-804, DCF-813, DCF-877

AI System Development and Evaluation Policy
Description: The AI System Development and Evaluation Policy outlines the company's practices, roles, and responsibilities for the safe design, development, deployment, use, and evaluation of AI systems, so as to minimize negative impacts.
Frameworks: NIST AI RMF, ISO/IEC 42001:2023
Policy Control: DCF-806
Related DCF Controls: DCF-805, DCF-806, DCF-811, DCF-812, DCF-879

PCI DSS Compliance Policy
Description: The PCI DSS Compliance Policy outlines the safeguards and activities that the company will implement to achieve compliance with the Payment Card Industry Data Security Standard (PCI DSS).
Frameworks: PCI DSS v4.0, PCI DSS v4.0.1
Policy Control: DCF-740
Related DCF Controls: DCF-204, DCF-206, DCF-215, DCF-216, DCF-218, DCF-220, DCF-223, DCF-225, DCF-231, DCF-233, DCF-239, DCF-240, DCF-241, DCF-244, DCF-249, DCF-255, DCF-257, DCF-258, DCF-259, DCF-260, DCF-261, DCF-262, DCF-263, DCF-264, DCF-265, DCF-268, DCF-269, DCF-270, DCF-271, DCF-272, DCF-273, DCF-276, DCF-278, DCF-280, DCF-281, DCF-282, DCF-284, DCF-285, DCF-288, DCF-289, DCF-292, DCF-297, DCF-310, DCF-312, DCF-32, DCF-324, DCF-343, DCF-348, DCF-349, DCF-354, DCF-358, DCF-360, DCF-366, DCF-368, DCF-388, DCF-397, DCF-404, DCF-406, DCF-407, DCF-408, DCF-409, DCF-410, DCF-411, DCF-412, DCF-413, DCF-414, DCF-421, DCF-422, DCF-423, DCF-424, DCF-429, DCF-430, DCF-431, DCF-434, DCF-435, DCF-437, DCF-438, DCF-441, DCF-448, DCF-452, DCF-454, DCF-455, DCF-456, DCF-458, DCF-465, DCF-467, DCF-469, DCF-470, DCF-473, DCF-479, DCF-482, DCF-493, DCF-496, DCF-499, DCF-504, DCF-509, DCF-510, DCF-516, DCF-517, DCF-519, DCF-521, DCF-523, DCF-524, DCF-525, DCF-681, DCF-682, DCF-683, DCF-685, DCF-686, DCF-689, DCF-690, DCF-698, DCF-699, DCF-700, DCF-701, DCF-702, DCF-703, DCF-704, DCF-705, DCF-706, DCF-707, DCF-708, DCF-709, DCF-710, DCF-711, DCF-713, DCF-715, DCF-718, DCF-719, DCF-720, DCF-721, DCF-722, DCF-723, DCF-724, DCF-727, DCF-728, DCF-729, DCF-730, DCF-731, DCF-732, DCF-733, DCF-734, DCF-735, DCF-736, DCF-737, DCF-738, DCF-739, DCF-740, DCF-464, DCF-461, DCF-463

Logging and Monitoring Policy
Description: The Logging and Monitoring Policy outlines requirements for audit logging and monitoring of system activity. Frequent monitoring and maintenance of audit trails are required to effectively assess information system controls, operations, and general security.
Frameworks: ISO/IEC 27001:2022, CCPA, COBIT 2019, Cyber Essentials, FFIEC, CMMC 2.0, CPRA, FedRAMP, GDPR, HIPAA, ISO/IEC 27001:2013, ISO/IEC 27701:2019, Microsoft SSPA, NIS 2, NIST 800-53r5, NIST 800-171r2, NIST 800-171r3, NIST AI RMF, NIST CSF 1.1, NIST CSF 2.0, PCI DSS v3.2.1, PCI DSS v4.0, PCI DSS v4.0.1, SOC 2, SOX ITGC, ISO/IEC 42001:2023, DORA, CCM, CIS 8.1, HITRUST, Cyber Essentials v3.2, FedRAMP 20x, Essential Eight
Policy Control: DCF-741
Related DCF Controls: DCF-32, DCF-406, DCF-407, DCF-409, DCF-410, DCF-411, DCF-412, DCF-413, DCF-421, DCF-422, DCF-425, DCF-426, DCF-429, DCF-430, DCF-431, DCF-434, DCF-444, DCF-445, DCF-478, DCF-698, DCF-72, DCF-741, DCF-79, DCF-824, DCF-825, DCF-829, DCF-86, DCF-87, DCF-88, DCF-90, DCF-91, DCF-95, DCF-896, DCF-897, DCF-898, DCF-899, DCF-900, DCF-938, DCF-985

Internal Privacy Policy
Description: The Internal Privacy Policy outlines the company's practices regarding personal data that personnel may access, store, transfer, or otherwise process as part of their role at the company.
Frameworks: ISO/IEC 27701:2019, HITRUST
Policy Control: DCF-794
Related DCF Controls: DCF-112, DCF-115, DCF-120, DCF-126, DCF-136, DCF-140, DCF-141, DCF-529, DCF-531, DCF-533, DCF-534, DCF-538, DCF-540, DCF-541, DCF-543, DCF-544, DCF-549, DCF-746, DCF-750, DCF-751, DCF-752, DCF-753, DCF-754, DCF-755, DCF-756, DCF-758, DCF-759, DCF-764, DCF-765, DCF-766, DCF-767, DCF-768, DCF-769, DCF-770, DCF-771, DCF-772, DCF-773, DCF-794

Information Security Management System (ISMS) and Privacy Information Management System (PIMS) Plan
Frameworks: ISO/IEC 27701:2019
Policy Control: DCF-184
Related DCF Controls: DCF-13, DCF-161, DCF-162, DCF-163, DCF-164, DCF-165, DCF-170, DCF-175, DCF-176, DCF-178, DCF-179, DCF-184, DCF-42, DCF-566, DCF-789

Artificial Intelligence Management System (AIMS) Plan
Description: The Artificial Intelligence Management System (AIMS) Plan defines the principles, requirements, and rules for the establishment, implementation, and operation of the company's AIMS.
Frameworks: ISO/IEC 42001:2023
Related DCF Controls: DCF-800, DCF-801, DCF-802, DCF-803, DCF-804, DCF-805, DCF-806, DCF-809, DCF-810, DCF-811, DCF-812, DCF-813, DCF-877, DCF-878, DCF-879, DCF-161.AI, DCF-162.AI, DCF-164.AI, DCF-170.AI, DCF-176.AI, DCF-178.AI, DCF-184.AI, DCF-566.AI
