Background
Each framework has a unique set of requirements, standards, and policies that must be implemented to achieve and maintain compliance. Understanding which policies are essential for each framework increases efficiency, enables prioritization, provides clear implementation guidance, and helps organizations develop a systematic approach to streamline compliance efforts and properly allocate resources.
The Compliance Advisors team has written guidance articles to provide more context for many of the policies. Where available, the policy names link to related guidance articles.
Policies to Framework Summary Table
Policy | Description | Frameworks | Policy Control | Related DCF Controls |
Acceptable Use Policy | The Acceptable Use Policy specifies acceptable use of end-user computing devices and technology. | FedRAMP, ISO/IEC 27001:2022, CCPA, COBIT 2019, Cyber Essentials, FFIEC, CMMC 2.0, CPRA, GDPR, HIPAA, ISO/IEC 27001:2013, ISO/IEC 27701:2019, Microsoft SSPA, NIS 2, NIST 800-53r5, NIST 800-171r2, NIST 800-171r3, NIST AI RMF, NIST CSF 1.1, NIST CSF 2.0, PCI DSS v3.2.1, PCI DSS v4.0, PCI DSS v4.0.1, SOC 2, SOX ITGC, ISO/IEC 42001:2023, DORA, Drata Essentials, CCM, CIS 8.1, HITRUST, Cyber Essentials v3.2, FedRAMP 20x, Essential Eight | DCF-37 | DCF-1, DCF-106, DCF-32, DCF-37, DCF-40, DCF-43, DCF-50, DCF-51, DCF-558, DCF-763, DCF-780 |
Asset Management Policy | The Asset Management Policy defines the implementation and documentation of asset management practices, plans, processes & procedures within the organization. | FedRAMP, ISO/IEC 27001:2022, CCPA, COBIT 2019, Cyber Essentials, FFIEC, CMMC 2.0, CPRA, GDPR, HIPAA, ISO/IEC 27001:2013, ISO/IEC 27701:2019, Microsoft SSPA, NIS 2, NIST 800-53r5, NIST 800-171r2, NIST 800-171r3, NIST AI RMF, NIST CSF 1.1, NIST CSF 2.0, PCI DSS v3.2.1, PCI DSS v4.0, PCI DSS v4.0.1, SOC 2, SOX ITGC, ISO/IEC 42001:2023, DORA, Drata Essentials, CCM, CIS 8.1, HITRUST, Cyber Essentials v3.2, FedRAMP 20x, Essential Eight | DCF-182 | DCF-1, DCF-12, DCF-149, DCF-182, DCF-20, DCF-21, DCF-229, DCF-240, DCF-244, DCF-267, DCF-32, DCF-385, DCF-50, DCF-51, DCF-574, DCF-606, DCF-621, DCF-622, DCF-671, DCF-743, DCF-777, DCF-785, DCF-818, DCF-819, DCF-821, DCF-87, DCF-788, DCF-885, DCF-886, DCF-887, DCF-888, DCF-889, DCF-890, DCF-891, DCF-892, DCF-893, DCF-923, DCF-924, DCF-920 |
Backup Policy | The Backup Policy defines the procedures and schedule for information from business applications are copied to ensure data recoverability in the event of accidental data deletion, corrupted information or some kind of a system outage. | FedRAMP, ISO/IEC 27001:2022, CCPA, COBIT 2019, Cyber Essentials, FFIEC, CPRA, GDPR, HIPAA, ISO/IEC 27001:2013, ISO/IEC 27701:2019, Microsoft SSPA, NIS 2, NIST 800-53r5, NIST AI RMF, NIST CSF 1.1, NIST CSF 2.0, PCI DSS v3.2.1, PCI DSS v4.0, PCI DSS v4.0.1, SOC 2, SOX ITGC, ISO/IEC 42001:2023, DORA, Drata Essentials, CCM, CIS 8.1, HITRUST, Cyber Essentials v3.2, FedRAMP 20x, Essential Eight | DCF-169 | DCF-100, DCF-169, DCF-27, DCF-32, DCF-77, DCF-78, DCF-98, DCF-99, DCF-987 |
Business Continuity Plan | The Business Continuity Plan (BCP) outlines how the business will continue operations during an unplanned disruption in service. | FedRAMP, ISO/IEC 27001:2022, CCPA, COBIT 2019, Cyber Essentials, FFIEC, CMMC 2.0, CPRA, GDPR, HIPAA, ISO/IEC 27001:2013, ISO/IEC 27701:2019, Microsoft SSPA, NIS 2, NIST 800-53r5, NIST 800-171r2, NIST 800-171r3, NIST AI RMF, NIST CSF 1.1, NIST CSF 2.0, PCI DSS v3.2.1, PCI DSS v4.0, PCI DSS v4.0.1, SOC 2, SOX ITGC, ISO/IEC 42001:2023, DORA, CCM, CIS 8.1, HITRUST, Cyber Essentials v3.2, FedRAMP 20x, Essential Eight | DCF-166 | DCF-166, DCF-167, DCF-26, DCF-32, DCF-602, DCF-603, DCF-684, DCF-833 |
Code of Conduct | The Code of Conduct defines behavior expected from employees towards their colleagues, supervisors, and the overall organization. | ISO/IEC 27001:2022, CCPA, COBIT 2019, Cyber Essentials, FFIEC, CPRA, FedRAMP, GDPR, HIPAA, ISO/IEC 27001:2013, ISO/IEC 27701:2019, Microsoft SSPA, NIS 2, NIST 800-53r5, NIST AI RMF, NIST CSF 1.1, NIST CSF 2.0, PCI DSS v3.2.1, SOC 2, SOX ITGC, ISO/IEC 42001:2023, DORA, CCM, CIS 8.1, HITRUST, Cyber Essentials v3.2, FedRAMP 20x, Essential Eight | DCF-44 | DCF-105, DCF-32, DCF-40, DCF-44, DCF-627 |
Data Classification Policy | The Data Classification Policy defines the high level objectives and implementation instructions for the company's data classification scheme. | FedRAMP, ISO/IEC 27001:2022, CCPA, COBIT 2019, Cyber Essentials, FFIEC, CMMC 2.0, CPRA, GDPR, HIPAA, ISO/IEC 27001:2013, ISO/IEC 27701:2019, Microsoft SSPA, NIS 2, NIST 800-53r5, NIST 800-171r2, NIST 800-171r3, NIST AI RMF, NIST CSF 1.1, NIST CSF 2.0, PCI DSS v3.2.1, PCI DSS v4.0, PCI DSS v4.0.1, SOC 2, SOX ITGC, ISO/IEC 42001:2023, DORA, CCM, CIS 8.1, HITRUST, Cyber Essentials v3.2, FedRAMP 20x, Essential Eight | DCF-102 | DCF-102, DCF-186, DCF-32, DCF-384, DCF-528, DCF-569, DCF-797, DCF-840 |
Data Retention Policy | The Data Retention Policy outlines when data no longer serves its purpose and should be deleted, or if the data retention period has been met. | FedRAMP, ISO/IEC 27001:2022, CCPA, COBIT 2019, Cyber Essentials, FFIEC, CMMC 2.0, CPRA, GDPR, HIPAA, ISO/IEC 27001:2013, ISO/IEC 27701:2019, Microsoft SSPA, NIS 2, NIST 800-53r5, NIST 800-171r2, NIST 800-171r3, NIST AI RMF, NIST CSF 1.1, NIST CSF 2.0, PCI DSS v3.2.1, PCI DSS v4.0, PCI DSS v4.0.1, SOC 2, SOX ITGC, ISO/IEC 42001:2023, DORA, CCM, CIS 8.1, HITRUST, Cyber Essentials v3.2, FedRAMP 20x, Essential Eight | DCF-101, DCF-123 | DCF-101, DCF-103, DCF-107, DCF-109, DCF-123, DCF-253, DCF-32, DCF-390, DCF-391, DCF-782, DCF-797 |
Data Protection Policy | The Data Protection Policy outlines many of the procedures and technical controls in support of data protection. | FedRAMP, ISO/IEC 27001:2022, CCPA, COBIT 2019, Cyber Essentials, FFIEC, CMMC 2.0, CPRA, GDPR, HIPAA, ISO/IEC 27001:2013, ISO/IEC 27701:2019, Microsoft SSPA, NIS 2, NIST 800-53r5, NIST 800-171r2, NIST 800-171r3, NIST AI RMF, NIST CSF 1.1, NIST CSF 2.0, PCI DSS v3.2.1, PCI DSS v4.0, PCI DSS v4.0.1, SOC 2, SOX ITGC, ISO/IEC 42001:2023, DORA, Drata Essentials, CCM, CIS 8.1, HITRUST, Cyber Essentials v3.2, FedRAMP 20x, Essential Eight | DCF-45 | DCF-1, DCF-107, DCF-108, DCF-109, DCF-123, DCF-149, DCF-150, DCF-174, DCF-177, DCF-180, DCF-186, DCF-189, DCF-197, DCF-289, DCF-3, DCF-32, DCF-381, DCF-385, DCF-386, DCF-388, DCF-45, DCF-52, DCF-527, DCF-528, DCF-536, DCF-539, DCF-54, DCF-55, DCF-569, DCF-58, DCF-590, DCF-592, DCF-594, DCF-595, DCF-596, DCF-597, DCF-60, DCF-61, DCF-647, DCF-775, DCF-78, DCF-80, DCF-81, DCF-93 |
Disaster Recovery Plan | The Disaster Recovery Plan (DRP) is the documented, structured approach to how the company can quickly resume work after an unplanned incident. | FedRAMP, ISO/IEC 27001:2022, CCPA, COBIT 2019, Cyber Essentials, FFIEC, CPRA, GDPR, HIPAA, ISO/IEC 27001:2013, ISO/IEC 27701:2019, Microsoft SSPA, NIS 2, NIST 800-53r5, NIST AI RMF, NIST CSF 1.1, NIST CSF 2.0, PCI DSS v3.2.1, PCI DSS v4.0, PCI DSS v4.0.1, SOC 2, SOX ITGC, ISO/IEC 42001:2023, DORA, Drata Essentials, CCM, CIS 8.1, HITRUST, Cyber Essentials v3.2, FedRAMP 20x, Essential Eight | DCF-25 | DCF-25, DCF-26, DCF-27, DCF-32, DCF-602, DCF-603 |
Encryption Policy | The Encryption Policy establishes the types of data, devices and media that need to be encrypted, when encryption must be used, and the minimum standards of the software and techniques used for encryption. | FedRAMP, ISO/IEC 27001:2022, CCPA, COBIT 2019, Cyber Essentials, FFIEC, CMMC 2.0, CPRA, GDPR, HIPAA, ISO/IEC 27001:2013, ISO/IEC 27701:2019, Microsoft SSPA, NIS 2, NIST 800-53r5, NIST 800-171r2, NIST 800-171r3, NIST AI RMF, NIST CSF 1.1, NIST CSF 2.0, PCI DSS v3.2.1, PCI DSS v4.0, PCI DSS v4.0.1, SOC 2, SOX ITGC, ISO/IEC 42001:2023, DORA, CCM, CIS 8.1, HITRUST, Cyber Essentials v3.2, FedRAMP 20x, Essential Eight | DCF-181 | DCF-181, DCF-231, DCF-273, DCF-278, DCF-284, DCF-32, DCF-53, DCF-54, DCF-55, DCF-609, DCF-645, DCF-680, DCF-779, DCF-792, DCF-93, DCF-912, DCF-937, DCF-936 |
Incident Response Plan | The Incident Response Plan establishes procedures and controls to ensure detection of security vulnerabilities and incidents, as well as quick reaction and response to security breaches. | FedRAMP, ISO/IEC 27001:2022, CCPA, COBIT 2019, Cyber Essentials, FFIEC, CMMC 2.0, CPRA, GDPR, HIPAA, ISO/IEC 27001:2013, ISO/IEC 27701:2019, Microsoft SSPA, NIS 2, NIST 800-53r5, NIST 800-171r2, NIST 800-171r3, NIST AI RMF, NIST CSF 1.1, NIST CSF 2.0, PCI DSS v3.2.1, PCI DSS v4.0, PCI DSS v4.0.1, SOC 2, SOX ITGC, ISO/IEC 42001:2023, DORA, Drata Essentials, CCM, CIS 8.1, HITRUST, Cyber Essentials v3.2, FedRAMP 20x, Essential Eight | DCF-159 | DCF-130, DCF-131, DCF-135, DCF-154, DCF-159, DCF-28, DCF-29, DCF-30, DCF-32, DCF-34, DCF-35, DCF-499, DCF-517, DCF-711, DCF-744, DCF-761, DCF-767, DCF-815, DCF-828, DCF-835, DCF-871, DCF-872, DCF-9, DCF-8 |
Information Security Policy | The Information Security Policy outlines the rules, policies and procedures designed to ensure all users and networks within the company meet minimum IT security and data protection security requirements. | FedRAMP, ISO/IEC 27001:2022, CCPA, COBIT 2019, Cyber Essentials, FFIEC, CMMC 2.0, CPRA, GDPR, HIPAA, ISO/IEC 27001:2013, ISO/IEC 27701:2019, Microsoft SSPA, NIS 2, NIST 800-53r5, NIST 800-171r2, NIST 800-171r3, NIST AI RMF, NIST CSF 1.1, NIST CSF 2.0, PCI DSS v3.2.1, PCI DSS v4.0, PCI DSS v4.0.1, SOC 2, SOX ITGC, ISO/IEC 42001:2023, DORA, Drata Essentials, CCM, CIS 8.1, HITRUST, Cyber Essentials v3.2, FedRAMP 20x, Essential Eight | DCF-13 | DCF-1, DCF-105, DCF-13, DCF-160, DCF-170, DCF-171, DCF-173, DCF-174, DCF-179, DCF-190, DCF-191, DCF-32, DCF-33, DCF-34, DCF-36, DCF-39, DCF-42, DCF-46, DCF-47, DCF-503, DCF-516, DCF-528, DCF-570, DCF-681, DCF-685, DCF-742, DCF-745, DCF-746, DCF-826, DCF-827, DCF-837, DCF-9, DCF-914, DCF-915, DCF-916, DCF-921, DCF-922, DCF-8 |
Password Policy | The Password Policy describes the company's procedure to select and securely manage passwords. | FedRAMP, ISO/IEC 27001:2022, CCPA, COBIT 2019, Cyber Essentials, FFIEC, CMMC 2.0, CPRA, GDPR, HIPAA, ISO/IEC 27001:2013, ISO/IEC 27701:2019, Microsoft SSPA, NIS 2, NIST 800-53r5, NIST 800-171r2, NIST 800-171r3, NIST AI RMF, NIST CSF 1.1, NIST CSF 2.0, PCI DSS v3.2.1, PCI DSS v4.0, PCI DSS v4.0.1, SOC 2, SOX ITGC, ISO/IEC 42001:2023, DORA, Drata Essentials, CCM, CIS 8.1, HITRUST, Cyber Essentials v3.2, FedRAMP 20x, Essential Eight | DCF-68 | DCF-32, DCF-339, DCF-340, DCF-346, DCF-350, DCF-352, DCF-356, DCF-49, DCF-58, DCF-605, DCF-608, DCF-67, DCF-68, DCF-820 |
Physical Security Policy | The Physical Security Policy establishes the rules governing controls, monitoring, and removal of physical access to company's facilities. | FedRAMP, ISO/IEC 27001:2022, CCPA, COBIT 2019, Cyber Essentials, FFIEC, CMMC 2.0, CPRA, GDPR, HIPAA, ISO/IEC 27001:2013, ISO/IEC 27701:2019, Microsoft SSPA, NIS 2, NIST 800-53r5, NIST 800-171r2, NIST 800-171r3, NIST AI RMF, NIST CSF 1.1, NIST CSF 2.0, PCI DSS v3.2.1, PCI DSS v4.0, PCI DSS v4.0.1, SOC 2, SOX ITGC, ISO/IEC 42001:2023, DORA, CCM, CIS 8.1, HITRUST, Cyber Essentials v3.2, FedRAMP 20x, Essential Eight | DCF-94 | DCF-108, DCF-109, DCF-147, DCF-32, DCF-363, DCF-364, DCF-365, DCF-366, DCF-367, DCF-368, DCF-369, DCF-372, DCF-374, DCF-375, DCF-377, DCF-378, DCF-379, DCF-380, DCF-381, DCF-382, DCF-571, DCF-572, DCF-573, DCF-625, DCF-655, DCF-749, DCF-816, DCF-836, DCF-94, DCF-917 |
Risk Assessment Policy | The Risk Assessment Policy defines the methodology for the assessment and treatment of information security risks within the company, and to define the acceptable level of risk as set by the company's leadership. | FedRAMP, ISO/IEC 27001:2022, CCPA, COBIT 2019, Cyber Essentials, FFIEC, CMMC 2.0, CPRA, GDPR, HIPAA, ISO/IEC 27001:2013, ISO/IEC 27701:2019, Microsoft SSPA, NIS 2, NIST 800-53r5, NIST 800-171r2, NIST 800-171r3, NIST AI RMF, NIST CSF 1.1, NIST CSF 2.0, PCI DSS v3.2.1, PCI DSS v4.0, PCI DSS v4.0.1, SOC 2, SOX ITGC, ISO/IEC 42001:2023, DORA, CCM, CIS 8.1, HITRUST, Cyber Essentials v3.2, FedRAMP 20x, Essential Eight | DCF-15 | DCF-15, DCF-157, DCF-16, DCF-17, DCF-185, DCF-32, DCF-626, DCF-660, DCF-798, DCF-807, DCF-808, DCF-842, DCF-843, DCF-844, DCF-845, DCF-846, DCF-869, DCF-870, DCF-873, DCF-874, DCF-911 |
Software Development Life Cycle Policy | This policy defines the high-level requirements for providing business program managers, business project managers, technical project managers, and other program and project stakeholders guidance to support the approval, planning, and life cycle development of the company's software systems. | FedRAMP, ISO/IEC 27001:2022, CCPA, COBIT 2019, Cyber Essentials, FFIEC, CMMC 2.0, CPRA, GDPR, HIPAA, ISO/IEC 27001:2013, ISO/IEC 27701:2019, Microsoft SSPA, NIS 2, NIST 800-53r5, NIST 800-171r2, NIST 800-171r3, NIST AI RMF, NIST CSF 1.1, NIST CSF 2.0, PCI DSS v3.2.1, PCI DSS v4.0, PCI DSS v4.0.1, SOC 2, SOX ITGC, ISO/IEC 42001:2023, DORA, Drata Essentials, CCM, CIS 8.1, HITRUST, Cyber Essentials v3.2, FedRAMP 20x, Essential Eight | DCF-31 | DCF-104, DCF-155, DCF-156, DCF-172, DCF-304, DCF-31, DCF-312, DCF-32, DCF-4, DCF-5, DCF-6, DCF-637, DCF-646, DCF-670, DCF-7, DCF-712, DCF-76, DCF-781, DCF-926 |
System Access Control Policy | The System Access Control Policy defines procedures to onboard and offboard users to technical infrastructure in a manner that minimizes the risk of information loss or exposure. | FedRAMP, ISO/IEC 27001:2022, CCPA, COBIT 2019, Cyber Essentials, FFIEC, CMMC 2.0, CPRA, GDPR, HIPAA, ISO/IEC 27001:2013, ISO/IEC 27701:2019, Microsoft SSPA, NIS 2, NIST 800-53r5, NIST 800-171r2, NIST 800-171r3, NIST AI RMF, NIST CSF 1.1, NIST CSF 2.0, PCI DSS v3.2.1, PCI DSS v4.0, PCI DSS v4.0.1, SOC 2, SOX ITGC, ISO/IEC 42001:2023, DORA, Drata Essentials, CCM, CIS 8.1, HITRUST, Cyber Essentials v3.2, FedRAMP 20x, Essential Eight | DCF-10 | DCF-10, DCF-11, DCF-2, DCF-32, DCF-326, DCF-329, DCF-330, DCF-335, DCF-336, DCF-345, DCF-355, DCF-43, DCF-48, DCF-49, DCF-52, DCF-557, DCF-562, DCF-579, DCF-580, DCF-582, DCF-584, DCF-585, DCF-586, DCF-59, DCF-607, DCF-611, DCF-62, DCF-638, DCF-639, DCF-648, DCF-67, DCF-68, DCF-688, DCF-69, DCF-70, DCF-71, DCF-714, DCF-716, DCF-717, DCF-72, DCF-725, DCF-726, DCF-73, DCF-743, DCF-75, DCF-776, DCF-783, DCF-793, DCF-795, DCF-822, DCF-838, DCF-867, DCF-92, DCF-787, DCF-895, DCF-894, DCF-910, DCF-747, DCF-955, DCF-956, DCF-957, DCF-958, DCF-959, DCF-960, DCF-961, DCF-962, DCF-963 |
Vendor Management Policy | The Vendor Management Policy defines the rules for relationships with the company's Information Technology (IT) vendors and partners. | FedRAMP, ISO/IEC 27001:2022, CCPA, COBIT 2019, Cyber Essentials, FFIEC, CMMC 2.0, CPRA, GDPR, HIPAA, ISO/IEC 27001:2013, ISO/IEC 27701:2019, Microsoft SSPA, NIS 2, NIST 800-53r5, NIST 800-171r2, NIST 800-171r3, NIST AI RMF, NIST CSF 1.1, NIST CSF 2.0, PCI DSS v3.2.1, PCI DSS v4.0, PCI DSS v4.0.1, SOC 2, SOX ITGC, ISO/IEC 42001:2023, DORA, Drata Essentials, CCM, CIS 8.1, HITRUST, Cyber Essentials v3.2, FedRAMP 20x, Essential Eight | DCF-168 | DCF-127, DCF-128, DCF-129, DCF-132, DCF-133, DCF-134, DCF-168, DCF-32, DCF-507, DCF-537, DCF-56, DCF-57, DCF-632, DCF-762, DCF-847, DCF-849, DCF-868, DCF-905, DCF-919, DCF-943 |
Vulnerability Management Policy | The Vulnerability Management Policy outlines the company's procedures to uncover, classify, track, and remediate security vulnerabilities. | FedRAMP, ISO/IEC 27001:2022, CCPA, COBIT 2019, Cyber Essentials, FFIEC, CMMC 2.0, CPRA, GDPR, HIPAA, ISO/IEC 27001:2013, ISO/IEC 27701:2019, Microsoft SSPA, NIS 2, NIST 800-53r5, NIST 800-171r2, NIST 800-171r3, NIST AI RMF, NIST CSF 1.1, NIST CSF 2.0, PCI DSS v3.2.1, PCI DSS v4.0, PCI DSS v4.0.1, SOC 2, SOX ITGC, ISO/IEC 42001:2023, DORA, Drata Essentials, CCM, CIS 8.1, HITRUST, Cyber Essentials v3.2, FedRAMP 20x, Essential Eight | DCF-183 | DCF-152, DCF-18, DCF-183, DCF-188, DCF-19, DCF-23, DCF-24, DCF-291, DCF-293, DCF-294, DCF-296, DCF-297, DCF-32, DCF-456, DCF-465, DCF-50, DCF-522, DCF-677, DCF-687, DCF-784, DCF-817, DCF-875, DCF-467, DCF-464, DCF-902, DCF-903, DCF-940, DCF-986 |
Business Associate Policy | The Business Associate Policy provides the process for Business Associate Agreements (BAA) and the contractual arrangements as required by the HIPAA Privacy and Security Rules. | HIPAA | DCF-195 | DCF-195 |
Breach Notification Policy | The Breach Notification Policy defines how breaches are reported and managed, as well as the thresholds for notification of various parties, per HIPAA requirements. | HIPAA | DCF-193 | DCF-193 |
Privacy, Use, and Disclosure Policy | The Privacy, Use, and Disclosure Policy covers the HIPAA Privacy Rule and ensures protected health information (PHI) is only released with proper documentation to authorized parties. | HIPAA | DCF-192 | DCF-192, DCF-196 |
Information Security Management System (ISMS) Plan 2022 | NOTE: The ISMS Plan is NOT required to be accepted by employees. | ISO/IEC 27001:2022, ISO/IEC 27001:2013 | DCF-184 | DCF-1, DCF-113, DCF-114, DCF-129, DCF-13, DCF-142, DCF-151, DCF-153, DCF-161, DCF-162, DCF-163, DCF-164, DCF-165, DCF-170, DCF-172, DCF-175, DCF-176, DCF-178, DCF-179, DCF-184, DCF-34, DCF-35, DCF-42, DCF-535, DCF-566, DCF-568, DCF-789, DCF-80, DCF-81, DCF-82, DCF-83, DCF-84, DCF-89 |
Change Management Policy | The Change Management Policy outlines the plans and procedures in place for managing changes across the organization, including infrastructure, systems, and applications. | FedRAMP, ISO/IEC 27001:2022, CCPA, COBIT 2019, Cyber Essentials, FFIEC, CMMC 2.0, CPRA, GDPR, HIPAA, ISO/IEC 27001:2013, ISO/IEC 27701:2019, Microsoft SSPA, NIS 2, NIST 800-53r5, NIST 800-171r2, NIST 800-171r3, NIST AI RMF, NIST CSF 1.1, NIST CSF 2.0, PCI DSS v3.2.1, PCI DSS v4.0, PCI DSS v4.0.1, SOC 2, SOX ITGC, ISO/IEC 42001:2023, DORA, CCM, CIS 8.1, HITRUST, Cyber Essentials v3.2, FedRAMP 20x, Essential Eight | DCF-567, DCF-305 | DCF-104, DCF-155, DCF-156, DCF-187, DCF-304, DCF-305, DCF-4, DCF-5, DCF-567, DCF-598, DCF-6, DCF-601, DCF-7, DCF-76, DCF-814, DCF-925, DCF-935, DCF-939, DCF-941, DCF-988, DCF-964, DCF-965, DCF-966, DCF-967, DCF-968, DCF-969, DCF-970, DCF-973, DCF-974, DCF-975, DCF-976, DCF-978, DCF-979, DCF-980, DCF-981, DCF-982, DCF-983, DCF-984, DCF-977 |
Maintenance Management Policy | The Maintenance Management Policy ensures IT resources are maintained in compliance with security policies, standards, and procedures. | FedRAMP, CMMC 2.0, NIST 800-53r5, NIST 800-171r2, NIST 800-171r3, NIST CSF 2.0, DORA, CIS 8.1, HITRUST | DCF-575 | DCF-575, DCF-614, DCF-615, DCF-616, DCF-617, DCF-618, DCF-619, DCF-799 |
System and Information Integrity Policy | The System Integrity Plan ensures the implementation of security best practices with regard to system configuration, security, and error handling | FedRAMP, CMMC 2.0, NIST 800-53r5, NIST 800-171r2, NIST 800-171r3, NIST CSF 2.0, DORA, CIS 8.1, HITRUST, Essential Eight | DCF-576 | DCF-576, DCF-644, DCF-649, DCF-650, DCF-651, DCF-652, DCF-653, DCF-654, DCF-655, DCF-656, DCF-672, DCF-687, DCF-823, DCF-839 |
System Security Planning Policy | The System Security Planning Policy outlines how an organization establishes its resources and information systems with effective security controls and control enhancements that reflect applicable rules, regulations, guidelines and other obligations. | FedRAMP, CMMC 2.0, NIST 800-53r5, NIST 800-171r2, NIST 800-171r3, CCM | DCF-577 | DCF-577, DCF-581, DCF-640, DCF-649, DCF-790 |
System and Services Acquisition Policy | The System and Service Acquisition Policy ensures that resources and information systems are acquired with security requirements to meet the information systems mission and business objectives. | FedRAMP, CMMC 2.0, NIS 2, NIST 800-53r5, NIST 800-171r2, NIST 800-171r3, DORA | DCF-578 | DCF-578, DCF-792 |
Personal Data Management Policy | The Personal Data Management Policy outlines policies and procedures to manage personal data across the organization in compliance with privacy laws and regulations. | CCPA, CPRA, GDPR, HITRUST | DCF-545 | DCF-117, DCF-545, DCF-551, DCF-554, DCF-555, DCF-950 |
Information Governance Policy | The Information Governance Policy outlines policies and procedures to manage information governance across the organization in compliance with security policies, standards, and procedures. | DORA, CCM, HITRUST | DCF-668 | DCF-668, DCF-927 |
Shared Responsibility Policy | The Shared Responsibility Policy outlines policies and procedures to delineate and manage shared security responsibilities between Cloud Service Providers (CSP) and Cloud Service Customers (CSC). | ISO/IEC 27018:2019, ISO/IEC 27017:2015, CCM | DCF-669 | DCF-666, DCF-669 |
Network Security Policy | The Network Security Policy outlines requirements for deployment, management and operation of network security controls at the company. | ISO/IEC 27001:2022, CCPA, COBIT 2019, Cyber Essentials, FFIEC, CMMC 2.0, CPRA, FedRAMP, GDPR, HIPAA, ISO/IEC 27001:2013, ISO/IEC 27701:2019, Microsoft SSPA, NIS 2, NIST 800-53r5, NIST 800-171r2, NIST 800-171r3, NIST AI RMF, NIST CSF 1.1, NIST CSF 2.0, PCI DSS v3.2.1, PCI DSS v4.0, PCI DSS v4.0.1, SOC 2, SOX ITGC, ISO/IEC 42001:2023, DORA, CCM, CIS 8.1, HITRUST, Cyber Essentials v3.2, FedRAMP 20x, Essential Eight | DCF-678 | DCF-201, DCF-204, DCF-206, DCF-21, DCF-210, DCF-212, DCF-215, DCF-218, DCF-22, DCF-32, DCF-477, DCF-678, DCF-73, DCF-748, DCF-75, DCF-85, DCF-88, DCF-91, DCF-904, DCF-901, DCF-913, DCF-449, DCF-447, DCF-918, DCF-930, DCF-971, DCF-972 |
Public Cloud PII Protection Policy | The Public Cloud PII Protection Policy outlines the safeguards in place for the personally identifiable information of the company's customers that may be processed in the company's public cloud service, to ensure that the company complies with the legal, statutory, regulatory, and contractual requirements necessary to process personally identifiable information, and to provide transparency to their customers. | NIST AI RMF, ISO/IEC 27018:2019, HITRUST | DCF-697 | DCF-121, DCF-125, DCF-128, DCF-283, DCF-383, DCF-386, DCF-530, DCF-691, DCF-692, DCF-693, DCF-694, DCF-695, DCF-696, DCF-697 |
AI Governance Policy | The AI Governance Policy outlines the company's rules and requirements for responsible AI practices. | NIST AI RMF, ISO/IEC 42001:2023 | DCF-800 | DCF-800, DCF-802, DCF-803, DCF-804, DCF-805, DCF-809, DCF-810, DCF-878, DCF-170.AI |
AI Risk Management Policy | The AI Risk Management Policy outlines the scope and methodology or AI risk assessments, evaluation, and mitigation. | NIST AI RMF, ISO/IEC 42001:2023 | DCF-801 | DCF-801, DCF-802, DCF-804, DCF-813, DCF-877 |
AI System Development and Evaluation Policy | The AI Development and Evaluation Policy outlines the company's practices, roles, and responsibilities in the safe design, development, deployment, use, and evaluation of AI systems to minimize negative impacts. | NIST AI RMF, ISO/IEC 42001:2023 | DCF-806 | DCF-805, DCF-806, DCF-811, DCF-812, DCF-879 |
PCI DSS Compliance Policy | The PCI DSS Compliance Policy outlines the safeguards and activities that the company will implement to achieve compliance with Payment Card Industry Data Security Standard (PCI DSS). | PCI DSS v4.0, PCI DSS v4.0.1 | DCF-740 | DCF-204, DCF-206, DCF-215, DCF-216, DCF-218, DCF-220, DCF-223, DCF-225, DCF-231, DCF-233, DCF-239, DCF-240, DCF-241, DCF-244, DCF-249, DCF-255, DCF-257, DCF-258, DCF-259, DCF-260, DCF-261, DCF-262, DCF-263, DCF-264, DCF-265, DCF-268, DCF-269, DCF-270, DCF-271, DCF-272, DCF-273, DCF-276, DCF-278, DCF-280, DCF-281, DCF-282, DCF-284, DCF-285, DCF-288, DCF-289, DCF-292, DCF-297, DCF-310, DCF-312, DCF-32, DCF-324, DCF-343, DCF-348, DCF-349, DCF-354, DCF-358, DCF-360, DCF-366, DCF-368, DCF-388, DCF-397, DCF-404, DCF-406, DCF-407, DCF-408, DCF-409, DCF-410, DCF-411, DCF-412, DCF-413, DCF-414, DCF-421, DCF-422, DCF-423, DCF-424, DCF-429, DCF-430, DCF-431, DCF-434, DCF-435, DCF-437, DCF-438, DCF-441, DCF-448, DCF-452, DCF-454, DCF-455, DCF-456, DCF-458, DCF-465, DCF-467, DCF-469, DCF-470, DCF-473, DCF-479, DCF-482, DCF-493, DCF-496, DCF-499, DCF-504, DCF-509, DCF-510, DCF-516, DCF-517, DCF-519, DCF-521, DCF-523, DCF-524, DCF-525, DCF-681, DCF-682, DCF-683, DCF-685, DCF-686, DCF-689, DCF-690, DCF-698, DCF-699, DCF-700, DCF-701, DCF-702, DCF-703, DCF-704, DCF-705, DCF-706, DCF-707, DCF-708, DCF-709, DCF-710, DCF-711, DCF-713, DCF-715, DCF-718, DCF-719, DCF-720, DCF-721, DCF-722, DCF-723, DCF-724, DCF-727, DCF-728, DCF-729, DCF-730, DCF-731, DCF-732, DCF-733, DCF-734, DCF-735, DCF-736, DCF-737, DCF-738, DCF-739, DCF-740, DCF-464, DCF-461, DCF-463 |
Logging and Monitoring Policy | The Logging and Monitoring policy outlines requirements for audit logging and monitoring of system activity. Frequent monitoring and maintenance of audit trails are required to effectively assess information system controls, operations, and general security. | ISO/IEC 27001:2022, CCPA, COBIT 2019, Cyber Essentials, FFIEC, CMMC 2.0, CPRA, FedRAMP, GDPR, HIPAA, ISO/IEC 27001:2013, ISO/IEC 27701:2019, Microsoft SSPA, NIS 2, NIST 800-53r5, NIST 800-171r2, NIST 800-171r3, NIST AI RMF, NIST CSF 1.1, NIST CSF 2.0, PCI DSS v3.2.1, PCI DSS v4.0, PCI DSS v4.0.1, SOC 2, SOX ITGC, ISO/IEC 42001:2023, DORA, CCM, CIS 8.1, HITRUST, Cyber Essentials v3.2, FedRAMP 20x, Essential Eight | DCF-741 | DCF-32, DCF-406, DCF-407, DCF-409, DCF-410, DCF-411, DCF-412, DCF-413, DCF-421, DCF-422, DCF-425, DCF-426, DCF-429, DCF-430, DCF-431, DCF-434, DCF-444, DCF-445, DCF-478, DCF-698, DCF-72, DCF-741, DCF-79, DCF-824, DCF-825, DCF-829, DCF-86, DCF-87, DCF-88, DCF-90, DCF-91, DCF-95, DCF-896, DCF-897, DCF-898, DCF-899, DCF-900, DCF-938, DCF-985 |
Internal Privacy Policy | The Internal Privacy Policy outlines the company's practices regarding personal data that personnel may access, store, transfer, or otherwise process as part of their role at the company. | ISO/IEC 27701:2019, HITRUST | DCF-794 | DCF-112, DCF-115, DCF-120, DCF-126, DCF-136, DCF-140, DCF-141, DCF-529, DCF-531, DCF-533, DCF-534, DCF-538, DCF-540, DCF-541, DCF-543, DCF-544, DCF-549, DCF-746, DCF-750, DCF-751, DCF-752, DCF-753, DCF-754, DCF-755, DCF-756, DCF-758, DCF-759, DCF-764, DCF-765, DCF-766, DCF-767, DCF-768, DCF-769, DCF-770, DCF-771, DCF-772, DCF-773, DCF-794 |
Information Security Management System (ISMS) and Privacy Information Management System (PIMS) Plan |
| ISO/IEC 27701:2019 | DCF-184 | DCF-13, DCF-161, DCF-162, DCF-163, DCF-164, DCF-165, DCF-170, DCF-175, DCF-176, DCF-178, DCF-179, DCF-184, DCF-42, DCF-566, DCF-789 |
Artificial Intelligence Management System (AIMS) Plan | This Artificial Intelligence Management System (AIMS) Plan aims to define the principles, requirements, and rules for the establishment, implementation and operation of the company's AIMS. | ISO/IEC 42001:2023 | DCF-800, DCF-801, DCF-802, DCF-803, DCF-804, DCF-805, DCF-806, DCF-809, DCF-810, DCF-811, DCF-812, DCF-813, DCF-877, DCF-878, DCF-879, DCF-161.AI, DCF-162.AI, DCF-164.AI, DCF-170.AI, DCF-176.AI, DCF-178.AI, DCF-184.AI, DCF-566.AI |