
Policy Framework & Templates

A practical guide to developing, implementing, and maintaining an information security policy framework.


Policy Hierarchy

Understanding the distinction between policies, standards, procedures, and guidelines is essential for effective governance.

flowchart TD
    A[Policy] --> B[Standard]
    B --> C[Procedure]
    C --> D[Guideline]
    A -.Informs.-> C
    B -.Informs.-> D

Policy

What: High-level statements of management intent and direction.

Characteristics:

  • Mandatory ("must", "shall")
  • Strategic, not tactical
  • Board or executive approval
  • Infrequent changes (reviewed annually/bi-annually)

Example: "The organisation must protect all personal data in accordance with UK GDPR."


Standard

What: Mandatory specifications and requirements to implement policies.

Characteristics:

  • Mandatory ("must", "shall")
  • Tactical and specific
  • Approved by security/IT leadership
  • Updated as technology evolves

Example: "All laptops must use AES-256 encryption for full disk encryption."


Procedure

What: Step-by-step instructions for completing specific tasks.

Characteristics:

  • Mandatory when applicable
  • Operational and detailed
  • Owned by process owners
  • Updated frequently as processes change

Example: "To request access to the HR system: 1. Submit ServiceNow ticket, 2. Obtain manager approval..."


Guideline

What: Recommended best practices and advice (not mandatory).

Characteristics:

  • Optional ("should", "consider")
  • Contextual advice
  • Owned by subject matter experts
  • Flexible implementation

Example: "Users should use a password manager to generate and store unique passwords."


Essential Policies for SMBs

Core Security Policies (Minimum Viable Set)

For small to medium-sized businesses, start with these essential policies:

| Policy | Purpose | Key Content |
| --- | --- | --- |
| Information Security Policy | Overarching security commitment | Scope, roles, responsibilities, risk management approach |
| Acceptable Use Policy (AUP) | Define acceptable use of IT resources | Permitted/prohibited activities, personal use, monitoring |
| Access Control Policy | How access is granted and managed | Authentication requirements, access request process, reviews |
| Data Protection & Privacy Policy | Compliance with GDPR/data protection law | Data handling, retention, subject rights, breach response |
| Incident Response Policy | How security incidents are managed | Incident definition, reporting, response team, communication |
| Business Continuity Policy | Organisational resilience commitment | BC/DR objectives, testing requirements, responsibilities |

Total: 6 core policies


Essential Policies for Enterprises

Comprehensive Security Policy Framework

Larger organisations or those in regulated industries should expand to include:

Governance & Risk

  • Information Security Policy (master policy)
  • Risk Management Policy
  • Compliance Management Policy
  • Third-Party Risk Management Policy

Access & Identity

  • Access Control Policy
  • Password Policy (or Authentication Standard)
  • Privileged Access Management Policy
  • Remote Access Policy
  • Acceptable Use Policy (AUP)

Data & Privacy

  • Data Protection & Privacy Policy
  • Data Classification & Handling Policy
  • Data Retention & Disposal Policy
  • Encryption Policy
  • Removable Media Policy

Operations

  • Incident Response Policy
  • Change Management Policy
  • Vulnerability Management Policy
  • Patch Management Policy
  • Backup & Recovery Policy
  • Business Continuity Policy
  • Asset Management Policy

Development & Technology

  • Secure Development Policy
  • Cloud Security Policy
  • Mobile Device Management Policy (BYOD/COPE)
  • Email & Communications Policy
  • Network Security Policy

Physical & Personnel

  • Physical Security Policy
  • Personnel Security Policy (background checks, training)
  • Clean Desk/Clear Screen Policy

Monitoring & Compliance

  • Security Monitoring & Logging Policy
  • Audit & Compliance Policy

Total: 25-30 policies (depending on industry and risk profile)


Policy Development Process

flowchart TD
    A[1. Identify Need] --> B[2. Research & Draft]
    B --> C[3. Stakeholder Review]
    C --> D[4. Approval]
    D --> E[5. Publication]
    E --> F[6. Training & Awareness]
    F --> G[7. Enforcement]
    G --> H[8. Review & Update]
    H -.Annual Cycle.-> A

1. Identify Need

Triggers:

  • Regulatory requirement (GDPR, PCI DSS, etc.)
  • Risk assessment finding
  • Security incident lesson learned
  • Business change (cloud adoption, remote work)

2. Research & Draft

  • Review industry standards (ISO 27001, NIST)
  • Benchmark against peer organisations
  • Consult legal/compliance teams
  • Draft policy using template

3. Stakeholder Review

  • IT/Security teams
  • Legal & compliance
  • HR (for personnel-related policies)
  • Business unit leaders
  • Privacy officer (for data policies)

4. Approval

  • SMB: CEO or Managing Director
  • Enterprise: CISO, CIO, or Board/Executive Committee
  • Regulated: May require board approval for key policies

5. Publication

  • Publish to intranet or policy management system
  • Version control (policy version, effective date)
  • Communicate changes to all staff

6. Training & Awareness

  • Mandatory acknowledgment for all staff
  • Role-specific training (e.g. developers for secure coding policy)
  • Regular refresher training

7. Enforcement

  • Monitoring compliance (audits, assessments)
  • Disciplinary procedures for violations
  • Reporting non-compliance

8. Review & Update

  • Frequency: Annually as minimum
  • Triggers: Regulatory change, major incident, business change
  • Process: Review, update, re-approve, republish

Policy Template Structure

1. Header

  • Policy Name: Descriptive title
  • Policy Owner: Role responsible (e.g. CISO)
  • Approval Authority: Who approved it (e.g. CEO, Board)
  • Effective Date: When it takes effect
  • Review Date: When next review is due
  • Version: Version number

2. Purpose

What: Brief statement of why the policy exists.

Example: "This policy establishes requirements for protecting personal data in compliance with UK GDPR and organisational privacy commitments."

3. Scope

What: Who and what the policy applies to.

Example: "This policy applies to all employees, contractors, and third parties who process personal data on behalf of [Organisation]."

4. Policy Statements

What: Mandatory requirements (the "must" statements).

Example:

  • "All personal data must be classified according to the Data Classification Standard."
  • "Data subjects' rights requests must be responded to within 30 days."

5. Roles & Responsibilities

What: Who is responsible for what.

Example:

  • Data Protection Officer: Oversees GDPR compliance
  • Data Owners: Classify and protect data in their domain
  • All Staff: Report data breaches immediately

6. Compliance & Enforcement

What: Consequences of non-compliance.

Example: "Violations of this policy may result in disciplinary action up to and including termination of employment."

7. Exceptions

What: Process for requesting policy exceptions.

Example: "Exceptions require CISO approval and must be documented with risk acceptance."

8. Related Documents

What: Links to related policies, standards, procedures.

Example:

  • Data Classification Standard
  • Data Breach Response Procedure
  • GDPR Subject Rights Procedure

9. Definitions (Optional)

What: Key terms used in the policy.

10. Revision History

What: Log of tracked changes.

| Version | Date | Author | Changes |
| --- | --- | --- | --- |
| 1.0 | 2024-01-15 | J. Smith | Initial version |
| 1.1 | 2025-01-20 | J. Smith | Updated retention periods |

Sample Policy: Acceptable Use Policy (AUP)

Acceptable Use Policy

  • Policy Owner: Chief Information Security Officer
  • Approval Authority: Chief Executive Officer
  • Effective Date: 2026-01-20
  • Review Date: 2027-01-20
  • Version: 2.0

1. Purpose

This policy defines acceptable use of [Organisation]'s information technology resources to protect the organisation, its employees, and its data from security risks and legal liability.

2. Scope

This policy applies to all employees, contractors, consultants, temporary staff, and third parties who access [Organisation]'s IT resources, including but not limited to computers, networks, email, internet, and applications.

3. Policy Statements

Acceptable Use

  • IT resources are provided for business purposes. Limited personal use is permitted provided it does not interfere with job duties or violate this policy.
  • Users must protect their credentials and not share accounts.
  • Users must report suspected security incidents immediately to the IT Security team.

Prohibited Activities

The following activities are strictly prohibited:

  • Accessing, storing, or transmitting illegal, offensive, or discriminatory material
  • Unauthorised access to systems, networks, or data
  • Sharing credentials or allowing unauthorised persons to use your account
  • Installing unauthorised software or hardware
  • Bypassing or disabling security controls
  • Using IT resources for personal commercial gain
  • Sending unsolicited bulk email (spam)
  • Downloading or sharing pirated software, music, or video
  • Conducting port scanning, network sniffing, or penetration testing without authorisation
  • Attempting to gain unauthorised access to other users' data

Email & Communications

  • Email is monitored for security and compliance purposes.
  • Users must not send confidential information via unencrypted email.
  • Users must use professional and respectful language in all business communications.

Internet Use

  • Internet access is monitored and logged.
  • Access to certain categories of websites (malware, adult content, illegal activities) is blocked.
  • Excessive personal internet use that impacts productivity is prohibited.

Mobile Devices & Remote Access

  • Mobile devices accessing corporate resources must be enrolled in Mobile Device Management (MDM).
  • Remote access must use an approved VPN or secure gateway.
  • Devices must be protected with passcode/biometric authentication.

Data Handling

  • Confidential data must be handled in accordance with the Data Classification Policy.
  • Data must not be stored on unauthorised cloud services (e.g. personal Dropbox).
  • Removable media (USB drives) must be encrypted if used for business data.

4. Roles & Responsibilities

All Users:

  • Comply with this policy
  • Report violations or security concerns
  • Complete annual security awareness training

Managers:

  • Ensure team members are aware of and comply with this policy
  • Address policy violations appropriately

IT Security Team:

  • Monitor compliance
  • Investigate suspected violations
  • Provide security awareness training

IT Department:

  • Implement technical controls to enforce policy
  • Provide approved IT resources

5. Monitoring

[Organisation] reserves the right to monitor, access, and disclose any data on its IT systems, including email, internet usage, and files, to ensure compliance with this policy and applicable laws.

Users have no expectation of privacy when using company IT resources.

6. Compliance & Enforcement

Violations of this policy may result in:

  • Warning and mandatory retraining
  • Suspension of IT access
  • Disciplinary action up to and including termination
  • Civil or criminal prosecution (for illegal activities)

7. Exceptions

Exceptions to this policy require written approval from the CISO. All exceptions must be documented with business justification and risk acceptance.

8. Related Documents

  • Information Security Policy
  • Data Classification Policy
  • Email Retention Policy
  • Remote Access Standard
  • BYOD Policy

9. Review

This policy will be reviewed annually or following significant changes to technology or business operations.


Policy Maintenance Best Practices

Version Control

  • Use semantic versioning (e.g. 1.0, 1.1, 2.0)
  • Major version for significant changes, minor for updates
  • Maintain revision history

Accessibility

  • Publish on easily accessible intranet
  • Make policies searchable
  • Provide summaries or quick-reference guides

Communication

  • Announce new or updated policies via email and intranet
  • Require acknowledgment (e.g. via policy management system)
  • Include in onboarding for new starters

Training

  • Annual security awareness training covering key policies
  • Role-specific training (e.g. developers, managers)
  • Test understanding (quizzes, scenarios)

Attestation

  • Annual policy acknowledgment by all staff
  • Track completion rates
  • Escalate non-compliance to managers

Review Cycle

  • Annual: Review all policies for currency
  • Triggered: Update when regulations, risks, or business change
  • Post-incident: Review and update policies after major incidents

Industry-Specific Requirements

Financial Services (FCA/PRA - UK)

  • Outsourcing policy: Required for material outsourcing arrangements
  • Operational resilience policy: Required under new regulations
  • Conflicts of interest policy: Required for regulated firms

Healthcare (NHS - UK)

  • IG Policy Framework: Required for NHS organisations
  • Data Protection & Confidentiality Policy: Aligned with NHS IG Toolkit (now DSPT)
  • Records Management Policy: NHS retention schedules

Healthcare (HIPAA - US)

  • Privacy Policy: Required under HIPAA Privacy Rule
  • Security Policy: Required under HIPAA Security Rule
  • Breach Notification Policy: Required for PHI breaches

Payment Card Industry (PCI DSS)

  • Information Security Policy: Required (PCI DSS Requirement 12.1)
  • Acceptable Use Policy: Required (12.3)
  • Incident Response Policy: Required (12.10)

Government (UK)

  • Security Policy Framework (SPF): Required for central government
  • Protective Marking Policy: Handling of OFFICIAL, SECRET classifications

Policy Management Tools

| Tool | Description | Best For |
| --- | --- | --- |
| SharePoint/Intranet | Document libraries with version control | SMBs, basic needs |
| PolicyTech (NAVEX) | Dedicated policy management platform | Enterprises, regulated industries |
| LogicManager | GRC platform with policy module | Risk-focused organisations |
| OneTrust | Privacy and GRC platform | Privacy-heavy compliance |
| Confluence/Notion | Collaborative documentation | Tech-forward organisations |

Metrics & KPIs

| Metric | Description | Target |
| --- | --- | --- |
| Policy Currency | % of policies reviewed within scheduled timeline | 100% |
| Staff Acknowledgment | % of staff who have acknowledged current policies | 100% |
| Training Completion | % of staff who completed annual security training | 100% |
| Policy Violations | Number of reported policy violations | Decreasing trend |
| Exception Requests | Number of policy exception requests (monitor for policy issues) | Low, stable |
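The template header fields (owner, approval authority, effective date, review date, major.minor version) and the first two KPIs above lend themselves to an automated check over a policy register. The following is an added example, not code from the page or any of the tools listed; it assumes a register held as Python objects and an acknowledgment record keyed by staff id and policy name, with all entries constructed for the example (only the AUP row mirrors the sample policy header on this page). It validates each header, lists overdue reviews, and computes Policy Currency and Staff Acknowledgment, treating an acknowledgment of a superseded version as no longer current once a policy is re-approved.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date

# Version scheme from the maintenance guidance on the page: major.minor (1.0, 1.1, 2.0).
VERSION_RE = re.compile(r"^\d+\.\d+$")


@dataclass(frozen=True)
class Policy:
    """Header fields from section 1 of the policy template."""
    name: str
    owner: str
    approval_authority: str
    effective_date: date
    review_date: date
    version: str


def validate_header(policy: Policy) -> list[str]:
    """Return the header defects found; an empty list means the header is complete."""
    problems: list[str] = []
    for field in ("name", "owner", "approval_authority"):
        if not getattr(policy, field).strip():
            problems.append(f"{field} is empty")
    if not VERSION_RE.match(policy.version):
        problems.append(f"version {policy.version!r} is not in major.minor form")
    if policy.review_date <= policy.effective_date:
        problems.append("review date must fall after the effective date")
    return problems


def overdue_reviews(register: list[Policy], today: date) -> list[str]:
    """Names of policies whose scheduled review date has already passed."""
    return [p.name for p in register if p.review_date < today]


def policy_currency(register: list[Policy], today: date) -> float:
    """Policy Currency KPI: % of policies still within their review timeline."""
    if not register:
        return 100.0
    current = sum(1 for p in register if p.review_date >= today)
    return round(100.0 * current / len(register), 1)


def unacknowledged_staff(register: list[Policy], acks: dict, staff: list[str]) -> list[str]:
    """Staff who have not acknowledged the current version of every policy.
    acks maps staff id -> {policy name: version acknowledged}; an acknowledgment
    of an older version stops counting once the policy is re-approved."""
    behind: list[str] = []
    for person in staff:
        seen = acks.get(person, {})
        if any(seen.get(p.name) != p.version for p in register):
            behind.append(person)
    return behind


def acknowledgment_rate(register: list[Policy], acks: dict, staff: list[str]) -> float:
    """Staff Acknowledgment KPI: % of staff current on all policies."""
    if not staff:
        return 100.0
    behind = len(unacknowledged_staff(register, acks, staff))
    return round(100.0 * (len(staff) - behind) / len(staff), 1)


# Constructed sample register (hypothetical owners and dates except the AUP row).
REGISTER = [
    Policy("Acceptable Use Policy", "Chief Information Security Officer",
           "Chief Executive Officer", date(2026, 1, 20), date(2027, 1, 20), "2.0"),
    Policy("Data Protection & Privacy Policy", "Data Protection Officer",
           "Chief Executive Officer", date(2024, 1, 15), date(2025, 1, 15), "1.1"),
    Policy("Incident Response Policy", "Head of Security Operations",
           "Chief Information Security Officer", date(2025, 6, 1), date(2026, 6, 1), "v3"),
]

# Constructed acknowledgment records: staff id -> {policy name: version acknowledged}.
STAFF = ["alice", "bob", "carol"]
ACKS = {
    "alice": {"Acceptable Use Policy": "2.0", "Data Protection & Privacy Policy": "1.1",
              "Incident Response Policy": "v3"},
    "bob": {"Acceptable Use Policy": "1.0", "Data Protection & Privacy Policy": "1.1",
            "Incident Response Policy": "v3"},  # acknowledged the AUP before its 2.0 re-approval
}
AS_OF = date(2026, 3, 1)  # constructed reporting date


def report(register=REGISTER, acks=ACKS, staff=STAFF, today=AS_OF) -> dict:
    """Collect the checks into one structure for a dashboard or monthly review."""
    defects = {p.name: validate_header(p) for p in register}
    return {
        "header_defects": {name: probs for name, probs in defects.items() if probs},
        "overdue_reviews": overdue_reviews(register, today),
        "policy_currency_pct": policy_currency(register, today),
        "unacknowledged_staff": unacknowledged_staff(register, acks, staff),
        "acknowledgment_pct": acknowledgment_rate(register, acks, staff),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

With the sample data, the Data Protection policy is flagged as overdue (Policy Currency 66.7%), the Incident Response header fails the version check, and only one of three staff is current on every policy (Staff Acknowledgment 33.3%); the `unacknowledged_staff` list is what the Attestation practice above would escalate to managers.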

Quick Selection Guide

| Organisation Profile | Recommended Policy Set | Review Frequency |
| --- | --- | --- |
| Startup (<10 staff) | Acceptable Use, Data Protection, Incident Response (3 policies) | Annually |
| Small business (<50) | Core 6 policies | Annually |
| Medium (50-500) | 15-20 policies covering all key domains | Annually |
| Large enterprise (500+) | Comprehensive 25-30 policy framework | Annually (critical), bi-annually (others) |
| Financial services | Comprehensive + regulatory-specific (outsourcing, resilience) | Annually, regulatory review cycles |
| Healthcare | Comprehensive + privacy-focused (HIPAA, NHS IG) | Annually, following regulatory updates |
| Technology/SaaS | Comprehensive + development-focused (secure SDLC, cloud) | Annually |

Common Pitfalls

  1. Too many policies: Policy overload reduces compliance
  2. Too detailed: Policies should be strategic, not procedural
  3. Outdated policies: Not reviewed regularly, become irrelevant
  4. Inaccessible: Published but not easily found or understood
  5. No enforcement: Policies exist on paper only
  6. Unrealistic requirements: Policies that can't be implemented
  7. No training: Staff unaware of policy requirements
  8. One-size-fits-all: Copying policies without customisation