Pick a policy type, fill in a few details, and get a starter draft in the section structure auditors expect. It's a generic skeleton to start from, not legal advice or a finished policy — have your team and counsel customize it before adoption.
# [Company Name] — Information Security Policy

_This is a generic starter draft, not legal advice. Have qualified counsel and your security lead review and customize it before adoption, and map it to the controls it actually satisfies._

## Purpose

This policy establishes [Company Name]'s commitment to protecting the confidentiality, integrity, and availability of information assets, and defines the framework under which more specific security policies and procedures operate.

## Scope

This policy applies to all employees, contractors, and third parties who access [Company Name]'s systems, networks, or data, and to all information assets owned, leased, or managed by [Company Name].

## Roles & responsibilities

The Head of Security owns this policy and is responsible for its maintenance. All personnel are responsible for complying with this policy and reporting suspected security incidents. Management is responsible for ensuring adequate resources are available to support the security program.

## Risk management

[Company Name] maintains a risk register that identifies, assesses, and tracks treatment of information security risks. Risks are reviewed at least annually and whenever significant changes occur to systems, vendors, or the threat landscape.

## Access control

Access to systems and data is granted on a least-privilege, need-to-know basis and is reviewed periodically. See the Access Control Policy for detailed requirements.

## Asset management

[Company Name] maintains an inventory of information assets, including systems, data classifications, and ownership, and applies protections appropriate to each asset's classification.

## Incident response

Suspected or confirmed security incidents must be reported immediately per the Incident Response Policy. [Company Name] investigates, contains, and remediates incidents, and notifies affected parties as required by law or contract.

## Third-party & vendor risk

Vendors with access to [Company Name] systems or data are assessed for security risk prior to engagement and periodically thereafter, per the Vendor Management Policy.

## Compliance & enforcement

Violations of this policy may result in disciplinary action, up to and including termination of employment or contract. This policy is reviewed at least annually and updated as needed.

## Policy review

Owner: Head of Security. Review cadence: annually. Last generated: 2026-07-02.