
Policy Template Library Toolkit

Governance © 2024 ISACA. All rights reserved.


2 POLICY TEMPLATE LIBRARY TOOLKIT

CONTENTS

4 Policy Template Library Toolkit
4 / Introduction
5 / Scope
5 / Getting Started With the Policy Template Library Toolkit
7 Acknowledgments


ABSTRACT

Policies are designed to formally document and communicate required and prohibited activities and behaviors to guide enterprise operational processes. The Policy Template Library Toolkit provides a starting point to build and customize the principles necessary to meet the needs of specific operational environments and compliance requirements.


Policy Template Library Toolkit

Introduction

The primary purpose of a policy is to formally document and communicate required and prohibited activities and behaviors to guide enterprise operational processes. The Policy Template Library Toolkit provides enterprises with a starting point to build and customize the principles necessary to meet the needs of their specific operational environments and compliance requirements. Accordingly, the policy templates included in this library meet the following objectives:

• Objective 1—Define the purpose and owner(s) of the policy.
• Objective 2—Describe the parties (employees, contractors, third parties, etc.) expected to comply with the policy.
• Objective 3—Communicate the roles and responsibilities for the key activities defined in the policy and the consequences of noncompliance.
• Objective 4—Establish a timeline for periodic review and approval of the policy.

An effective policy framework will include definitions of key terms and provide the reader with cross-references to other applicable policies that support compliance. These two elements were intentionally not included in the templates in this policy library to allow enterprises to tailor this information to their requirements. The enterprise will also need to define the procedures that will support policy compliance.

Practitioners seeking to evaluate an enterprise policy framework may consider the following questions while assessing where the enterprise stands on the capability continuum (see figure 1).

FIGURE 1: Example Capability Criteria to Evaluate Enterprise Policy

Initiate
• Does a documented policy exist?
• Is the policy scope defined and adequate?
• Are the policy owner(s) identified?
• Is the policy socialized with key stakeholders?
• Is the policy approved by the owner(s)?

Established
• Is the policy updated (and the owner approved) periodically?
• Are policy revisions tracked and dated?
• Is the policy available on demand (e.g., in a document repository)?
• Is policy access restricted where appropriate?

Performed
• Is compliance with the policy actively monitored?
• Does the policy contain an exception handling and approval mechanism?
• Does the entire enterprise (or department/focus area) comply with the policy?

Measured
• Is compliance monitoring for the policy automated?
• Does the policy explain the consequences of noncompliance?
• Is the policy retired when it has become obsolete?


Scope

The following are the objectives of the information and technology policies included in the Policy Template Library Toolkit:

• Acceptable Use (Company Systems) Policy—Ensure the acceptable use of company computer systems is documented and communicated to reduce risk of system compromise or legal exposure.
• Artificial Intelligence (AI) Acceptable Use Policy—Ensure AI systems and tools are used only for authorized business purposes and in accordance with applicable law.
• Change Management Policy—Ensure change management is properly controlled to reduce risk.
• Clear Desk Policy—Reduce the risk that workspaces and/or unattended devices will lead to compromised information (i.e., data breaches and identity thefts) due to unauthorized access, use, damage, or loss of sensitive information.
• Cloud Computing Services Usage Policy—Ensure company data is properly stored, managed, and protected when relying on third-party cloud service providers (CSPs).
• Data Backup Policy—Ensure company data is backed up, recovered, and restored in the event of an intentional or unintentional system failure, disruption, or outage.
• Information Classification and Protection Policy—Ensure that information is classified and protected at the appropriate level and in accordance with its importance to the organization.
• Information Security Policy—Ensure access is limited to information and information processing resources.
• Logging and Monitoring Policy—Ensure a record of system events is stored for analysis, investigation, and resolution.
• Network Security Policy—Ensure the company network is protected from security breaches.
• Personnel Security Policy—Ensure all rules for onboarding, transferring, and terminating employees are communicated.
• Removable Media Handling Policy—Ensure unauthorized disclosure, modification, removal, or destruction of information stored on removable media is prevented.
• Third-Party Management Policy—Ensure third-party (including supplier and vendor) management is effectively managed to minimize risk.
• User Access Management Policy—Ensure only authorized users have access, and prevent unauthorized access to systems and services.
• Vulnerability Management Policy—Prevent exploitation of the technical vulnerabilities in company systems and underlying infrastructure.

Getting Started With the Policy Template Library Toolkit

To access the policy templates, users can simply download the zip file (of which this file is a part) and extract the policy template file(s) they want to explore. Files can be saved locally and edited to tailor the policy to a specific enterprise context. As an enterprise embarks on an initiative to develop policies relevant to its business, there are several ISACA resources that can help:

• "Do Your Policy Documents Represent Current Practices?"1
• "Six Steps to a Mature Policy Management Program"2
• "Key Considerations for Developing Organizational Generative AI Policies"3
• "A Decision Tree to Objectively Determine Policy Compliance"4

ISACA recommends professionals work with the operational process control owner to customize each policy to the needs of the enterprise. Failure to sufficiently document policies relevant to the enterprise could result in gaps in the development of the corresponding procedures, which should be designed to properly manage and monitor the covered processes. These gaps could lead to control deficiencies that result in reputational damage, adverse litigation, and/or regulatory fines for the enterprise.

1 Rose, V.; "Do Your Policy Documents Represent Current Practices?," ISACA News and Trends, 3 August 2022, https://www.isaca.org/resources/news-and-trends/newsletters/atisaca/2022/volume-31/do-your-policy-documents-represent-current-practices
2 Mullinger, M.; Bostelman, E.; "Six Steps to a Mature Policy Management Program," ISACA Now Blog, 29 November 2021, https://www.isaca.org/resources/news-and-trends/isaca-now-blog/2021/six-steps-to-a-mature-policy-management-program
3 Carmichael, M.; "Key Considerations for Developing Organizational Generative AI Policies," ISACA News and Trends, 1 November 2023, https://www.isaca.org/resources/news-and-trends/newsletters/atisaca/2023/volume-44/key-considerations-for-developing-organizational-generative-ai-policies
4 Doret, D.; "A Decision Tree to Objectively Determine Policy Compliance," ISACA Journal, Volume 3, 20 May 2020, https://www.isaca.org/resources/isaca-journal/issues/2020/volume-3/a-decision-tree-to-objectively-determine-policy-compliance



Acknowledgments
ISACA would like to recognize:

Expert Reviewers
Acceptable Use (Company Systems) Geetha Murugesan Patricia Voight
Policy Experts CISA, CGEIT, CRISC, CDPSE, COBIT 5 CISA, CISM, CGEIT, CRISC, CDSPE
Irene Agyei Implementor & Assessor Senior Managing Director, Head of IT,
CISA Principal Consultant, India First Line Risk Management, Webster
Bank, USA
Senior IT Governance and Compliance Nancy Thompson
Analyst, First America, USA Data Backup Policy Experts
CISA, CISM, CGEIT, PMP
Mahesh Channapatna Girish Executive Managing IT Assessment & Andreea-Alexandra AMEUR
CISA Audit Consultant, NJT Cybersecurity, CISA, CSX-F, ACCA Fundamentals, ECDL,
USA ISO27001 LA
Consultant, IT Security, Keypoint, Bahrain
Clear Desk Policy Experts Corporate Audit & Forensic Information
Stephen Muasya Management, AIRBUS S.A.S., France
Yomi Onabanjo
CISA
Tabish Qureshi
CISA, CISM, AgileBA, AgilePM, APMG
IT Governance, Risk & Compliance
Change Management Practitioner, AWS CISA, CISM, CASP, CEH, MCS, PMP,
Manager, MARA, Kenya
Cloud Practitioner, ITIL 4 Managing Prince 2, SAP
Avinash de Silva Professional, ITIL 4 Strategic Leader, IT Manager, Bina Holding, Saudi Arabia
MIET, MSP, PROSCI
Head of Technology, Alvarium, New
Assistant Director, UK Government/UK Information Classification and
Zealand
Civil Service, United Kingdom Protection Policy Experts
AI Acceptable Use Policy Experts
Saambavy Shanmuganantham Lionel Jayasinghe
Kevin Fumai CISA, COBIT 5, AI-ML (Stanford), MBCS,
CISA, MBA, SAFe
CDPSE, CEET, CIPM, CIPP/US/E, CIPT, MCSSL, PMP
Audit Manager, TD Bank Group, Canada
FIP, PLS IT Consultant, Sri Lanka
USA Karen Tinucci
Harrison Okonma
CISA, CISM, CGEIT, CRISC
Tim Nedyalkov CISA, CISM, ITIL, PMP
Management Consultant, USA
CISA, CISM, CGEIT, CRISC, CDPSE, C| IT Security and Business Solutions
CISO, CCSP, CISSP, ISO 27001 LA Cloud Computing Services Usage Policy Manager, Japan Tobacco International
TISO, Commonwealth Bank of Australia, Experts (JTI), Nigeria
Australia
John Chun Yin Chiu Information Security Policy Experts
Hastings Nyekanyeka CISA, CISM, CDPSE, CCSK Chetan Anand
CISA, CISM, CRISC, ITIL, ISO 9001 QMS- Hong Kong CDPSE, AI for India 2.0 Guvi Certification,
LA, PCIP
CCIO, CPEW, CPISI, ICBIS, ICCP, ICOSA,
Senior Director, IT Security, Affinity Credit Sydney Jerah
IRAM2, ISO 22301 LA, ISO 27001 LA, ISO
Union, Canada CISM, CC, CEH 27701, ISO 31000, ISO 9001 LA, Lean
Information Security Analyst, Mimosa Six Sigma Green Belt, NLSIU Privacy
Sieuwert van Otterloo
Mining Company, Zimbabwe and Data Protection Laws, SQAM/Agile
CISA, CIPP/E Scrum Master, United Nations Office on
IT Expert, ICT Institute, Netherlands Hakan Ozcan Drugs and Crime
CompTIA Security+ AVP, Information Security and CISO,
Change Management Policy Experts Profinch Solutions, India
Cyber Security (GRC) Analyst, Securtia,
Ibrahim Bello USA Rajani Kanth Potturi
CISM, CRISC, CDPSE, CASP+, CFCM, Sakthiswaran Rangaraju CISM
CGRC, CPCM, CySA+, MTA, PMP,
Security+ CISA, CDPSE, CIA, CISSP Integrity, Security, Support, and
Product Security Incident Manager, Pure Operations (ISSO) Governance, Risk, and
IT Specialist (INFOSEC), U.S. Department Compliance (GRC) Lead, Meta Platforms
of State, USA Storage, USA
Inc. (Facebook Inc.), USA


Acknowledgments (cont.)

Anamika Roy Nandita Narla User Access Management Policy Experts


CISA, CISM, Chartered Accountant, CIA CISA, CISM, CRISC, CDPSE, CIPM, CIPP, Rashad Holloway
CIPT, FIP
AVP IT Audit, Zurich Insurance Company, CISA, CISM, CDPSE
USA Head of Technical Privacy and
Governance, DoorDash, USA Systems Accountant/Information
Curtis Simms Systems Manager, USA
Removable Media Handling Policy
CISA, CISM, CDPSE, CEH, CHFI, CSX-P, Bijoy Kuttappan
Experts
GRCA, GRCP
CISM
Head of Information Security, Karthick Raj Elangovan
NeueHealth, USA Head of IAM, Westpac, Australia
CISA, CISM
Logging and Monitoring Policy Experts Senior Information Security Advisor, Siddharth Venkatesan
Insilico Medicine, Canada CGEIT, CRISC, AWS Certified Solution
Alicia Blackett Architect, Microsoft Certified: Azure
Omar Khan Fundamentals
ISO 27001 LA, ISO 27001 LI
CISA IT Risk Manager, National Bank of
CISO, RDA Analytics BV, Netherlands
Manager, RiNA, Italy Kuwait, Kuwait
Arron Johnson
Third-Party Management Policy Experts Vulnerability Management Policy
CISM, CRISC, CCSK, CISSP
Experts
DevOps Security Architect, The Access Christopher Coyne
Group, United Kingdom Mawulawe Akakpovi
CISA, CRISC, CA, CIA
CISA
Weam Malik Associate Director, Protiviti, Australia
IS Controller & Audit, ORAGROUP SA,
CISA Jamie Beth Maragas Lome, Togo
IT Auditor, Kenana Sugar Company, CISM, CRISC, CDPSE, AWS-CP, CBCLA
Egypt (ISO 22301), CBCP, CCSK v4, CIPM, Divya Aradhya
CIPP/E, CISSP, HITRUST CCSFP, ISO/IEC CISM, CISSP, MS Cybersecurity, Security+
Vaibhav Patkar
27001 LA, MPA TPN-QA (Cloud/Site) SVP, Senior Application Security
CISA, CISM, CGEIT, CRISC, CDPSE, CCSK,
COO & Global Security Compliance Architect, Citi, USA
CISSP
Assessor, Crafted Compliance, Inc., dba
India RedPenSec, USA Demetri Gittens
CISA, CRISC, CDPSE, CMIRM
Network Security Policy Experts Péter Matavovszky
IT Governance & Risk Assessment
Thomas Lenzenhofer CISM Officer, Central Bank of Trinidad &
CISA, CISM, CDPSE, CISSP IT Manager Employee Experience, La Tobago, Trinidad & Tobago
Prairie Group, Switzerland
Solution Development Architect, Security Valerie Quek
Services, Cisco Systems, Australia Kane Porter CISA, CEH, CISSP
Tabish Qureshi CISA, COBIT, CA, CPA Technology Risk Manager, Bank of
CISA, CISM, CASP, CEH, MCS, PMP, SVP, Compliance, Peoples Trust America, Singapore
Prince 2, SAP Company, Canada
IT Manager, Bina Holding, Saudi Arabia Aninda K. Sadhukhan
Personnel Security Policy Experts CISA
IT Audit Director – QMR, Audit Quality
Sydney Jerah
and Risk, Grant Thornton, LLP, USA
CISM, CC, CEH
Information Security Analyst, Mimosa
Mining Company, Zimbabwe


Acknowledgments (cont.)

Board of Directors

John De Santis, Chair
Former Chairman and Chief Executive Officer, HyTrust, Inc., USA

Brennan P. Baybeck, Vice-Chair
CISA, CISM, CRISC, CISSP
Senior Vice President and Chief Information Security Officer for Customer Services, Oracle Corporation, USA

Stephen Gilfus
Managing Director, Oversight Ventures LLC, Chairman, Gilfus Education Group and Founder, Blackboard Inc., USA

Niel Harper
CISA, CRISC, CDPSE, CISSP, NACD.DC
Former Chief Information Security Officer, United Nations Office for Project Services (UNOPS), USA

Pamela Nigro
ISACA Board Chair 2022-2023
CISA, CGEIT, CRISC, CDPSE, CRMA
Vice President, Security, Medecision, USA

Gregory Touhill
ISACA Board Chair 2021-2022
CISM, CISSP
Director of the CERT Division at Carnegie Mellon University's Software Engineering Institute, USA

Tracey Dedrick
ISACA Board Chair, 2020-2021
Former Chief Risk Officer, Hudson City Bancorp, USA

Gabriela Hernandez-Cardoso
NACD.DC
Independent Board Member, Mexico

Jason Lau
CISA, CISM, CGEIT, CRISC, CDPSE, CIPM,
CIPP/E, CIPT, CISSP, FIP, HCISPP
Chief Information Security Officer,
Crypto.com, Singapore

Massimo Migliuolo
Independent Director, Former Chief
Executive Officer and Executive Director,
VADS Berhad Telekom, Malaysia

Maureen O’Connell
NACD.DC
Board Chair, Acacia Research (NASDAQ),
Former Chief Financial Officer and Chief
Administration Officer, Scholastic, Inc.,
USA

Erik Prusch
Chief Executive Officer, ISACA, USA

Asaf Weisberg
CISA, CISM, CGEIT, CRISC, CDPSE, CSX-P
Chief Executive Officer, introSight Ltd.,
Israel


About ISACA

ISACA® (www.isaca.org) is a global community advancing individuals and organizations in their pursuit of digital trust. For more than 50 years, ISACA has equipped individuals and enterprises with the knowledge, credentials, education, training, and community to progress their careers, transform their organizations, and build a more trusted and ethical digital world. ISACA is a global professional association and learning organization that leverages the expertise of its 170,000 members who work in digital trust fields such as information security, governance, assurance, risk, privacy, and quality. It has a presence in 188 countries, including 225 chapters worldwide. Through the ISACA Foundation, ISACA supports IT education and career pathways for underresourced and underrepresented populations.

1700 E. Golf Road, Suite 400
Schaumburg, IL 60173, USA
Phone: +1.847.660.5505
Fax: +1.847.253.1755
Support: support.isaca.org
Website: www.isaca.org

Participate in the ISACA Online Forums: https://engage.isaca.org/onlineforums
X: www.x.com/ISACANews
LinkedIn: www.linkedin.com/company/isaca
Facebook: www.facebook.com/ISACAGlobal
Instagram: www.instagram.com/isacanews/

DISCLAIMER

ISACA has designed and created Policy Template Library Toolkit (the "Work") primarily as an educational resource for professionals. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, professionals should apply their own professional judgment to the specific circumstances presented by the particular systems or information technology environment.

RESERVATION OF RIGHTS

© 2024 ISACA. All rights reserved.

Policy Template Library Toolkit
979-8-89227-009-0