Templates
Downloadable ISO 27001:2022 templates. Use these as references or starting points for your own security documentation. 126 templates total.
Policies (27 templates)
Defines the organization's overall approach to information security management, objectives, and principles.
Long-term strategic plan for information security aligned with business goals and ISO 27001 requirements.
Governs the process for requesting, evaluating, approving, and implementing changes to information systems.
Establishes a framework for classifying information assets based on sensitivity and business impact.
Defines permitted and prohibited uses of organizational information systems, assets, and networks.
Specifies controls for protecting personal and sensitive data in compliance with privacy regulations.
Defines rules and requirements for granting, managing, and revoking access to information systems.
Specifies requirements for creating, managing, and protecting passwords and authentication credentials.
Establishes security requirements for third-party suppliers who access organizational systems or data.
Defines consequences and procedures for handling information security policy violations by employees.
Establishes security requirements for employees working remotely or outside organizational premises.
Defines controls for physical access, perimeter security, and protection of facilities and equipment.
Specifies controls for working in secure areas including access restrictions and visitor management.
Requires employees to clear sensitive materials from desks and lock screens when unattended.
Specifies requirements for protecting organizational assets used outside the office environment.
Defines security controls for mobile devices including smartphones, tablets, and laptops.
Defines requirements for data storage, retention periods, and secure disposal of information assets.
Governs the use, handling, and disposal of removable storage media to prevent data leakage.
Defines controls for granting, managing, and monitoring privileged access to critical systems.
Mandates separation of development, test, and production environments to protect operational systems.
Restricts and governs access to source code repositories and version control systems.
Defines baseline security requirements for protecting information systems from threats and vulnerabilities.
Establishes controls to prevent unauthorized disclosure or transfer of sensitive organizational data.
Restricts software installation on organizational systems to approved and licensed applications only.
Defines security requirements for network design, configuration, and management.
Requires isolation of network segments to limit the blast radius of security incidents.
Governs the use of web filtering solutions to block access to malicious or inappropriate content.
Procedures (29 templates)
Step-by-step process for identifying, reporting, and escalating information security incidents.
Governs the process for communicating security requirements and incidents with external parties.
Defines the methodology for identifying, analyzing, and evaluating information security risks.
Describes the end-to-end process for scanning, prioritizing, remediating, and tracking vulnerabilities.
Guides teams through implementing, testing, and validating security controls in projects.
Defines how to apply classification labels to documents, files, and information assets consistently.
Specifies approved methods and controls for transferring sensitive data between organizations or systems.
Defines the lifecycle for creating, modifying, and deactivating user accounts and digital identities.
Process for assessing, onboarding, monitoring, and offboarding third-party vendors from a security perspective.
Describes the process for conducting security audits and reviews of third-party suppliers.
Defines background check requirements and processes for candidates before employment begins.
Defines requirements and processes for delivering mandatory information security awareness training.
Step-by-step process for revoking access, retrieving assets, and managing obligations when employees leave.
Governs the process for requesting, granting, and revoking physical access to secure facilities.
Defines processes for monitoring temperature, humidity, power, and environmental factors in facilities.
Specifies secure processes for receiving, storing, transporting, and disposing of storage media.
Defines the process for securely destroying information assets to prevent unauthorized data recovery.
Governs the safe decommissioning of ICT equipment including data sanitization and disposal steps.
Defines management processes for power supplies, UPS systems, and utility infrastructure in facilities.
Defines the mandatory code review process to identify security vulnerabilities before deployment.
Describes the process for planning, executing, and documenting security tests including penetration testing.
Defines processes for capturing, preserving, and documenting digital evidence for investigations and audits.
Defines how configuration items are identified, controlled, documented, and audited throughout their lifecycle.
Specifies approved methods for securely deleting data from systems and storage media when no longer required.
Defines how DLP tools are configured, monitored, and how alerts are investigated and resolved.
Defines backup schedules, media, retention periods, and recovery testing for critical information systems.
Defines requirements for continuous monitoring of information systems, alerts, and security events.
Integrates security activities into each phase of the software development lifecycle.
Defines the process for evaluating, approving, and updating third-party libraries and software dependencies.
Checklists (19 templates)
Checklist to ensure all access, assets, and obligations are addressed when an employee leaves.
Periodic review checklist for validating that user access rights remain appropriate and authorized.
Security evaluation checklist for assessing third-party suppliers during onboarding and periodic review.
Structured checklist for conducting on-site or remote security audits of third-party suppliers.
Security assessment checklist for cloud service providers covering data protection and compliance.
Ensures new employees complete all security tasks, training, and acknowledgments during onboarding.
Security configuration checklist for equipment used in remote work environments.
Checklist for auditing physical security controls at facilities including perimeters, locks, and monitoring.
Ensures all data wiping, physical destruction, and disposal documentation steps are completed.
Step-by-step checklist for verifying complete data removal from decommissioned ICT equipment.
Security hardening checklist for configuring endpoint devices including laptops and workstations.
Checklist for tracking security testing activities during development and pre-deployment phases.
Baseline hardening checklist for servers and information systems based on industry benchmarks.
Verification checklist ensuring personally identifiable information is masked in non-production environments.
Regular checklist for verifying that monitoring tools, alerts, and log reviews are functioning as required.
Checklist for verifying correct encryption implementation across data at rest, in transit, and key management.
Security-focused code review checklist covering OWASP Top 10 and common vulnerability patterns.
Checklist for static and dynamic application security testing activities during the development cycle.
Security hardening checklist for development environments to prevent unauthorized access and data leakage.
Evidence & Documentation (21 templates)
Centralized register for tracking all information assets including hardware, software, and data inventories.
Records all classified data sets with their classification level, owner, and handling requirements.
Formal form for requesting and documenting approved access to systems, applications, and data.
Tracks the schedule for periodic supplier security reviews, audits, and performance assessments.
Records employee security awareness training completion, dates, scores, and acknowledgments.
Annual schedule for information security training sessions, topics, and target audiences.
Structured form for documenting all details of an information security incident from detection to resolution.
Running log for tracking all reported security incidents, their status, and resolution outcomes.
Records all visitor entries to secure facilities including purpose, escort, and departure times.
Records temperature, humidity, power, and environmental alerts for data center and facility monitoring.
Tracks all removable media including USB drives, tapes, and optical media throughout their lifecycle.
Documents the approval workflow for granting privileged access rights to administrators.
Standardized log format for capturing security-relevant events across systems and applications.
Documents approved baseline configurations for systems, applications, and network devices.
Maps data types to their required retention periods and disposal methods per regulatory requirements.
Records all privileged user activities for accountability and forensic investigation purposes.
Maintained inventory of software applications approved for installation on organizational systems.
Documents approved baseline security settings for network devices including firewalls and routers.
Template for managing approved and blocked URLs in web content filtering systems.
Documents requests for and approvals of access to source code repositories.
Tracks the approval process for updating third-party libraries and software dependencies.
Governance & Roles (4 templates)
Defines Responsible, Accountable, Consulted, and Informed (RACI) roles for all information security activities.
Formal role descriptions defining responsibilities for all information security functions.
Defines the mandate, membership, decision rights, and meeting cadence of the information security committee.
Supplementary security obligations to employment contracts covering confidentiality and acceptable use.
Technical Standards (16 templates)
Technical requirements for multi-factor authentication, session management, and credential storage.
Technical and contractual security requirements for evaluating and onboarding cloud service providers.
Defines technical requirements for physical security controls including locks, barriers, and surveillance.
Specifies requirements for siting and protecting IT equipment against physical and environmental threats.
Defines baseline security configuration requirements for all endpoint devices in the organization.
Technical standards for integrating security into the software development process and environments.
Technical configuration requirements for development, test, staging, and production environments.
Defines quality and performance standards for the delivery of information security services.
Technical specifications for data masking, tokenization, and pseudonymization to protect sensitive data.
Defines security requirements for network design patterns, segmentation, and perimeter controls.
Security requirements for network services including DNS, DHCP, VPN, and other infrastructure services.
Approved cryptographic algorithms, key lengths, and implementation requirements for protecting data.
Security requirements for application design, development, testing, and deployment based on OWASP guidance.
Security principles and requirements for enterprise system architecture and engineering decisions.
Programming guidelines and requirements to prevent common security vulnerabilities in code.
Technical requirements for accurate time synchronization across systems to support log correlation.
Business Continuity (3 templates)
Comprehensive plan for maintaining critical business operations during and after a disruptive event.
Technical plan for recovering IT systems, data, and infrastructure after a disaster or major incident.
Defines requirements for redundant network paths, failover, and high availability configurations.
Compliance & Audit (4 templates)
Technical requirements for configuring audit trails and log collection to meet compliance requirements.
Defines retention periods, storage requirements, and integrity protection for audit log data.
Governs the use, access, and management of security testing tools to prevent misuse.
Documents access rights and controls for testing environments containing security tools and test data.
Agreements (3 templates)
Legal template for data processing agreements with suppliers handling personal or sensitive data.
Contractual addendum specifying security obligations for suppliers accessing organizational systems or data.
Legal template for non-disclosure agreements protecting confidential information shared with employees and partners.