At the heart of every ISMS process lie policies: carefully crafted documents that set out the procedural guidelines and standards a company must adhere to in order to ensure the highest level of quality and security in its operations.
In Secfix, policies are not only stored documents, but living assets that can be reviewed, updated, approved, and maintained over time.
What are policies?
Policies are formal documents that outline an organization's approach to managing information security in accordance with a particular security framework. These policies serve as the foundation for an Information Security Management System (ISMS) and provide clear guidelines on how an organization protects its data, manages risks, and complies with regulatory requirements.
Policies are essential for ensuring that everyone in the organization understands their roles and responsibilities related to information security.
Why are policies important?
They provide clear guidelines for employees and stakeholders, and define roles and responsibilities
They ensure consistency in processes and decision-making, helping to mitigate risks and safeguard your organization
They support legal, regulatory, and certification requirements
Where to start: Policy templates
As a Secfix customer, you have access to ready-to-use policy templates that are a great starting point for building your own internal documentation.
These templates are based on proven structures used by Secfix customers to achieve certification and are available directly in the Policies section of the app.
You can download them in both:
English (EN)
German (DE)
Policy best practices
Your policies should reflect your organization’s real structure and processes.
We recommend starting from the templates and tailoring them to match your specific workflows, tools, and teams, while still meeting ISMS requirements.
Policies should also be maintained over time. In Secfix, each policy includes:
Version history
Employee approval tracking
Mapped compliance controls
Comments and internal collaboration
AI summaries of changes between versions
This helps ensure your documentation stays current as your organization evolves.
Roles working on Policies
While it's up to you who will be working on creating each policy, below you'll find our recommendation as to which department is usually the best fit for a specific policy. Bear in mind that this is just an example; it may differ for your organization depending on its size or structure.
Nº | Policy name | Role | Est. reading time [min] |
POL-00 | ISMS List of documents | HR/ Operations Manager | 5 |
POL-01 | Scope of the ISMS | HR/ Operations Manager | 80 |
POL-02 | Information Security Management System (“ISMS”) | HR/ Operations Manager | 80 |
POL-03 | Roles, Responsibilities, and Authorities | HR/ Operations Manager | 60 |
POL-04 | Information Security & Acceptable Use | HR/ Operations Manager | 120 |
POL-05 | Document Control | HR/ Operations Manager | 30 |
POL-06 | Information Security Communication Plan | HR/ Operations Manager | 30 |
POL-07 | Internal Audits | HR/ Operations Manager | 50 |
POL-08 | Cloud Security | Head of IT / Dev Ops | 80 |
POL-09 | Risk Management | HR/ Operations Manager | 90 |
POL-10 | Physical Security | HR/ Operations Manager | 50 |
POL-11 | Access Control | Head of IT / Dev Ops | 90 |
POL-12 | Cryptography | Head of IT / Dev Ops | 30 |
POL-13 | Asset Management | Head of IT / Dev Ops | 30 |
POL-14 | Data Management | HR/ Operations Manager | 80 |
POL-15 | Human Resource Security | HR/ Operations Manager | 60 |
POL-16 | Business Continuity and Disaster Recovery | Head of IT / Dev Ops | 80 |
POL-17 | Incident Management | Head of IT / Dev Ops | 40 |
POL-18 | Secure Development | Head of IT / Dev Ops | 50 |
POL-19 | Operations Security | Head of IT / Dev Ops | 60 |
POL-20 | Third Party Management | HR/ Operations Manager | 60 |
☝️ For compliance best practice, a policy should be approved by someone other than the person who uploaded it, so Secfix shows a warning if the uploader tries to approve the policy. We understand that in some companies the policy creator and approver are the same person, so you can approve anyway if that's the case for your organization.
Secfix support
Working on your policies might prompt a lot of questions. Whether it's about a specific policy or a general concept, you can reach out to us for guidance on the chat inside the app. 💬