Defines acceptable use of company IT systems, devices, and data including internet, email, and cloud services.

Specifies password complexity, multi-factor authentication requirements, and authentication standards across all systems.

Defines processes and timescales for applying security updates and patches to all devices, operating systems, and software.

Establishes rules for network boundary protection, firewall configuration, and network segmentation.

Mandates anti-malware controls, scanning requirements, and response procedures for malware incidents.

Controls the use of removable storage devices including USB drives to prevent data loss and malware introduction.

Defines security requirements for remote and home working including VPN use, device security, and secure network access.

Top-level policy defining the organisation's commitment to information security governance and management.

Establishes processes for identifying, classifying, and managing all information assets across their lifecycle.

Defines security requirements, due diligence, and ongoing risk management for suppliers, vendors, and third parties.

Provides a framework for detecting, reporting, responding to, and recovering from security incidents and data breaches.

Documents procedures to maintain business operations and recover IT systems following a disruptive incident.

Sets out requirements for staff security awareness training including frequency, topics covered, and completion tracking.

Defines the methodology for identifying, assessing, treating, and regularly reviewing information security risks.

Documents the organisation's approach to personal data handling, individual rights, and retention in line with UK GDPR.