1_Policy Template Library Toolkit Introduction
ABSTRACT
Policies are designed to formally document and communicate required and prohibited activities and behaviors to guide
enterprise operational processes. The Policy Template Library Toolkit provides a starting point to build and customize
the principles necessary to meet the needs of specific operational environments and compliance requirements.
Accordingly, the policy templates included in this library meet the

key terms and provide the reader with cross-references to other applicable policies that support compliance. These two elements were intentionally not included in the templates in this policy library to allow enterprises to tailor this information to their requirements. The enterprise will also need to define the procedures that will support policy

noncompliance.
acceptable use of company computer systems is documented and communicated to reduce risk of system compromise or legal exposure.
• Artificial Intelligence (AI) Acceptable Use Policy—Ensure AI systems and tools are used only for authorized business purposes and in accordance with applicable law
unintentional system failure, disruption, or outage.
• Information Classification and Protection Policy—Ensure that information is classified and protected at the appropriate level and in accordance with its importance to the organization.
• Information Security Policy—Ensure access is limited to information and information processing resources.
• Logging and Monitoring Policy—Ensure a record of system events is stored for analysis, investigation, and resolution.
• Network Security Policy—Ensure the company network is protected from security breaches.
• Personnel Security Policy—Ensure all rules for onboarding, transferring, and terminating employees are communicated.
• User Access Management Policy—Ensure only authorized user access and prevent unauthorized access to systems and services.
• Vulnerability Management Policy—Prevent exploitation of the technical vulnerabilities in company systems and underlying infrastructure.

• “Do Your Policy Documents Represent Current Practices?” [1]
• “Six Steps to a Mature Policy Management Program” [2]
• “Key Considerations for Developing Organizational Generative AI Policies” [3]
• “A Decision Tree to Objectively Determine Policy Compliance” [4]

ISACA recommends professionals work with the operational process control owner to customize each policy to the needs of the enterprise. Failure to sufficiently document policies relevant to the enterprise could result in gaps in the development of the corresponding procedures, which should be designed to properly manage and monitor the covered processes. These
[1] Rose, V.; “Do Your Policy Documents Represent Current Practices?,” ISACA News and Trends, 3 August 2022, https://www.isaca.org/resources/news-and-trends/newsletters/atisaca/2022/volume-31/do-your-policy-documents-represent-current-practices
[2] Mullinger, M.; Bostelman, E.; “Six Steps to a Mature Policy Management Program,” ISACA Now Blog, 29 November 2021, https://www.isaca.org/resources/news-and-trends/isaca-now-blog/2021/six-steps-to-a-mature-policy-management-program
[3] Carmichael, M.; “Key Considerations for Developing Organizational Generative AI Policies,” ISACA News and Trends, 1 November 2023, https://www.isaca.org/resources/news-and-trends/newsletters/atisaca/2023/volume-44/key-considerations-for-developing-organizational-generative-ai-policies
[4] Doret, D.; “A Decision Tree to Objectively Determine Policy Compliance,” ISACA Journal, Volume 3, 20 May 2020, https://www.isaca.org/resources/isaca-journal/issues/2020/volume-3/a-decision-tree-to-objectively-determine-policy-compliance
Acknowledgments
ISACA would like to recognize:
Expert Reviewers
Geetha Murugesan
CISA, CGEIT, CRISC, CDPSE, COBIT 5 Implementor & Assessor
Principal Consultant, India

Nancy Thompson
CISA, CISM, CGEIT, PMP
Executive Managing IT Assessment & Audit Consultant, NJT Cybersecurity, USA

Patricia Voight
CISA, CISM, CGEIT, CRISC, CDPSE
Senior Managing Director, Head of IT, First Line Risk Management, Webster Bank, USA

Acceptable Use (Company Systems) Policy Experts

Irene Agyei
CISA
Senior IT Governance and Compliance Analyst, First America, USA

Mahesh Channapatna Girish
CISA
Consultant, IT Security, Keypoint, Bahrain

Yomi Onabanjo
CISA
IT Governance, Risk & Compliance Manager, MARA, Kenya

Avinash de Silva
Head of Technology, Alvarium, New Zealand

AI Acceptable Use Policy Experts

Kevin Fumai
CDPSE, CEET, CIPM, CIPP/US/E, CIPT, FIP, PLS
USA

Tim Nedyalkov
CISA, CISM, CGEIT, CRISC, CDPSE, C|CISO, CCSP, CISSP, ISO 27001 LA
TISO, Commonwealth Bank of Australia, Australia

Hastings Nyekanyeka
CISA, CISM, CRISC, ITIL, ISO 9001 QMS-LA, PCIP
Senior Director, IT Security, Affinity Credit Union, Canada

Sieuwert van Otterloo
CISA, CIPP/E
IT Expert, ICT Institute, Netherlands

Change Management Policy Experts

Ibrahim Bello
CISM, CRISC, CDPSE, CASP+, CFCM, CGRC, CPCM, CySA+, MTA, PMP, Security+
IT Specialist (INFOSEC), U.S. Department of State, USA

Clear Desk Policy Experts

Stephen Muasya
CISA, CISM, AgileBA, AgilePM, APMG Change Management Practitioner, AWS Cloud Practitioner, ITIL 4 Managing Professional, ITIL 4 Strategic Leader, MIET, MSP, PROSCI
Assistant Director, UK Government/UK Civil Service, United Kingdom

Saambavy Shanmuganantham
CISA, MBA, SAFe
Audit Manager, TD Bank Group, Canada

Karen Tinucci
CISA, CISM, CGEIT, CRISC
Management Consultant, USA

Cloud Computing Services Usage Policy Experts

John Chun Yin Chiu
CISA, CISM, CDPSE, CCSK
Hong Kong

Sydney Jerah
CISM, CC, CEH
Information Security Analyst, Mimosa Mining Company, Zimbabwe

Hakan Ozcan
CompTIA Security+
Cyber Security (GRC) Analyst, Securtia, USA

Sakthiswaran Rangaraju
CISA, CDPSE, CIA, CISSP
Product Security Incident Manager, Pure Storage, USA

Data Backup Policy Experts

Andreea-Alexandra AMEUR
CISA, CSX-F, ACCA Fundamentals, ECDL, ISO27001 LA
Corporate Audit & Forensic Information Management, AIRBUS S.A.S., France

Tabish Qureshi
CISA, CISM, CASP, CEH, MCS, PMP, Prince 2, SAP
IT Manager, Bina Holding, Saudi Arabia

Information Classification and Protection Policy Experts

Lionel Jayasinghe
CISA, COBIT 5, AI-ML (Stanford), MBCS, MCSSL, PMP
IT Consultant, Sri Lanka

Harrison Okonma
CISA, CISM, ITIL, PMP
IT Security and Business Solutions Manager, Japan Tobacco International (JTI), Nigeria

Information Security Policy Experts

Chetan Anand
CDPSE, AI for India 2.0 Guvi Certification, CCIO, CPEW, CPISI, ICBIS, ICCP, ICOSA, IRAM2, ISO 22301 LA, ISO 27001 LA, ISO 27701, ISO 31000, ISO 9001 LA, Lean Six Sigma Green Belt, NLSIU Privacy and Data Protection Laws, SQAM/Agile Scrum Master, United Nations Office on Drugs and Crime
AVP, Information Security and CISO, Profinch Solutions, India

Rajani Kanth Potturi
CISM
Integrity, Security, Support, and Operations (ISSO) Governance, Risk, and Compliance (GRC) Lead, Meta Platforms Inc. (Facebook Inc.), USA
Board of Directors
John De Santis, Chair
Former Chairman and Chief Executive Officer, HyTrust, Inc., USA

Brennan P. Baybeck, Vice-Chair
CISA, CISM, CRISC, CISSP
Senior Vice President and Chief Information Security Officer for Customer Services, Oracle Corporation, USA

Stephen Gilfus
Managing Director, Oversight Ventures LLC, Chairman, Gilfus Education Group and Founder, Blackboard Inc., USA

Niel Harper
CISA, CRISC, CDPSE, CISSP, NACD.DC
Former Chief Information Security Officer, United Nations Office for Project Services (UNOPS), USA

Gabriela Hernandez-Cardoso
NACD.DC
Independent Board Member, Mexico

Jason Lau
CISA, CISM, CGEIT, CRISC, CDPSE, CIPM, CIPP/E, CIPT, CISSP, FIP, HCISPP
Chief Information Security Officer, Crypto.com, Singapore

Massimo Migliuolo
Independent Director, Former Chief Executive Officer and Executive Director, VADS Berhad Telekom, Malaysia

Maureen O’Connell
NACD.DC
Board Chair, Acacia Research (NASDAQ), Former Chief Financial Officer and Chief Administration Officer, Scholastic, Inc., USA

Erik Prusch
Chief Executive Officer, ISACA, USA

Asaf Weisberg
CISA, CISM, CGEIT, CRISC, CDPSE, CSX-P
Chief Executive Officer, introSight Ltd., Israel

Pamela Nigro
ISACA Board Chair 2022-2023
CISA, CGEIT, CRISC, CDPSE, CRMA
Vice President, Security, Medecision, USA

Gregory Touhill
ISACA Board Chair 2021-2022
CISM, CISSP
Director of the CERT Division at Carnegie Mellon University’s Software Engineering Institute, USA

Tracey Dedrick
ISACA Board Chair, 2020-2021
Former Chief Risk Officer, Hudson City Bancorp, USA
About ISACA
ISACA (www.isaca.org) is a global community advancing individuals and organizations in their pursuit of digital trust. For more than 50 years, ISACA has equipped individuals and enterprises with the knowledge, credentials, education, training, and community to progress their careers, transform their organizations, and build a more trusted and ethical digital world. ISACA is a global professional association and learning organization that leverages the expertise of its 170,000 members who work in digital trust fields such as information security, governance, assurance, risk, privacy, and quality. It has a presence in 188 countries, including 225 chapters worldwide. Through the ISACA Foundation, ISACA supports IT education and career pathways for underresourced and underrepresented populations.

1700 E. Golf Road, Suite 400
Schaumburg, IL 60173, USA
Phone: +1.847.660.5505
Fax: +1.847.253.1755
Support: support.isaca.org
Website: www.isaca.org
Facebook: www.facebook.com/ISACAGlobal
Instagram: www.instagram.com/isacanews/

procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, professionals should apply their own professional judgment to the specific circumstances presented by the particular systems or information technology environment.
RESERVATION OF RIGHTS