General Policies


Source: https://secureframe.com/hub/soc-2/policies-and-procedures

All SOC 2 examinations involve an auditor review of your organization’s policies.

Policies must be documented, formally reviewed, and accepted by employees.

Each policy supports one element of the organization's overall security posture and its approach to handling customer data.

All policies must follow a consistent structure and include the details an auditor looks for.

(Must be formal, dated, and approved — auditors will check version history)


  • [OPS] Acceptable Use Policy – Defines network, system, and device usage rules, removable media, password requirements, issuance/return of devices.
  • [TECH] Access Control Policy – Defines who will have access to company systems and how often permissions will be reviewed.
  • [TECH] Business Continuity Plan – Defines how employees will respond to disruptions to keep business running.
  • [TECH] Change Management Policy – Defines how system changes will be documented and communicated.
  • [OPS] Confidentiality Policy – Defines handling of confidential information about clients, partners, or the company.
  • [OPS] Code of Conduct Policy – Defines expected behavior of employees and employers at work.
  • [TECH] [OPS] Data Classification Policy – Defines classification of sensitive data by risk level.
  • [TECH] Disaster Recovery Policy – Defines how to recover from disasters and maintain minimal operations.
  • [TECH] Encryption Policy – Defines which data is encrypted and how.
  • [TECH] Incident Response Plan – Defines roles and responsibilities during a breach or investigation.
  • [TECH] [OPS] Information Security Policy – Defines overall approach to information security and reasons for processes.
  • [TECH] Information, Software, and System Backup Policy – Defines how business application data is stored for recovery.
  • [TECH] Logging and Monitoring Policy – Defines which logs are collected, monitored, and how systems are configured for logging.
  • [OPS] Physical Security Policy – Defines how physical access is monitored and secured at company locations.
  • [TECH] Password Policy – Defines strong password, manager, and expiration requirements.
  • [TECH] [OPS] Remote Access Policy – Defines who can work remotely, connection types, and protection measures.
  • [TECH] [OPS] Risk Assessment and Risk Mitigation Plan – Defines potential threats and preventive actions.
  • [TECH] Software Development Lifecycle Policy – Defines secure build, testing, and compliance for software.
  • [TECH] [OPS] Vendor Management Policy – Defines vendors that may introduce risk and controls to mitigate.
  • [TECH] [OPS] Workstation Security Policy – Defines how to secure employee workstations against loss and unauthorized access.