Information Security Policy & Incident Response Plan – Document Builder 👷♂️

🛡️ Policy Basics
Organisation details, scope, and key contacts for this policy pack.

Organisation Legal Name / Company *
Security/Privacy Contact Email *
Primary Contact Name *
Website (optional)
Country *: United States, Australia, Brazil, Canada, China, France, Germany, India, Italy, Japan, Mexico, Netherlands, New Zealand, Nigeria, Russia, Singapore, South Africa, South Korea, Spain, United Arab Emirates, United Kingdom
Language of the completed document *: English, Afrikaans, Arabic, Dutch, French, German, Hindi, Italian, Japanese, Korean, Mandarin Chinese, Russian, Spanish, Zulu
State/Province/Region (optional)
Scope (systems, products, locations) *: What does this policy cover? e.g., SaaS platform, internal network, customer data.
Who must follow this policy? *: Employees, Contractors, Vendors/Suppliers, Customers (portal users), Other
If 'Other', describe
Effective Date * (date/time)
Next Review Date (optional) (date/time)

🏛️ Governance & Responsibilities
Assign ownership, approvals, and training requirements.

Policy Owner Role *: CEO/Founder, CISO/Head of Security, CTO/IT Manager, Compliance Officer, Operations Manager, HR Manager, Other
If 'Other', specify
Approval Authority *: Board/Directors, CEO/Founder, Executive Team, Compliance Officer, Other
If 'Other', specify
Security Awareness Training Frequency *: Onboarding only, Annually, Semi-annually, Quarterly, Monthly, Other
If 'Other', specify
Policy distribution methods *: Internal wiki/intranet, Employee handbook, Email/Slack announcement, Signed acknowledgement, Customer-facing website (public), Other
If 'Other', specify

🔐 Access, Identity & Technical Controls
Baseline technical controls: MFA, passwords, encryption, backups, logging, and vulnerability management.

Is Multi-Factor Authentication (MFA) required? *: Yes (all users), Yes (admins only), No
Password Policy Baseline *: Minimum 12 characters, Minimum 14 characters, Passphrases (recommended), SSO only (no passwords), Other
If 'Other', specify
Account Provisioning & Deprovisioning *: Joiner/Mover/Leaver process documented, Manual (ad-hoc), Not defined
Encryption at Rest *: Yes (AES-256 or equivalent), Yes (provider-managed), No, Unknown
Encryption in Transit *: TLS 1.2+ required, TLS 1.3 preferred, No/Not enforced, Unknown
Backups Frequency *: Daily, Weekly, Real-time/continuous, No backups, Other
If 'Other', specify
Logging & Monitoring *: Centralised logging (SIEM), Basic logging only, No logging, Other
Vulnerability Scanning *: Continuous (SAST/DAST), Monthly, Quarterly, Annually, Not performed
Patch Management Cadence *: Critical within 72 hours, Monthly patches, Quarterly patches, Ad-hoc, Not defined

🧾 Data Handling & Third Parties
Classify data, retention, sharing, and vendor requirements.

What data types do you handle? *: Customer personal data, Employee personal data, Payment data, Health data, Children’s data, Biometric data, Confidential business data, Other
If 'Other', describe
Data Classification Scheme *: Public / Internal / Confidential / Restricted, Public / Internal / Confidential, Custom, None
Retention Policy *: Defined retention schedule, Retain while account active, Retain indefinitely, Other
If 'Other', specify
Do you use third-party processors/vendors? *: Yes, No, Not sure
List key vendors/processors (optional)
Vendor Contract Requirements *: Data processing terms + security clauses, Standard MSA only, Not defined
Cross-Border Transfers *: Yes (international), No (local only), Not sure

🚨 Incident Response Plan
How you detect, respond, contain, notify, and recover from security incidents.

Incident Response Team Roles *: Incident Commander, Security Lead, IT Ops/Infrastructure, Legal/Compliance, PR/Comms, Customer Support, External forensics, Other
If 'Other', describe
Detection Sources *: SIEM/alerts, User reports, Vendor notifications, Automated monitoring, Other
Severity Levels *: Low/Medium/High/Critical, P0/P1/P2/P3, Custom
Do you notify customers/regulators when required? *: Yes, No, Not sure
Notification timeframes (optional)
Evidence Handling *: Preserve logs & chain of custody, Preserve logs only, Not defined
Eradication & Recovery *: Documented playbooks (restore, rotate keys, patch), Ad-hoc, Not defined
Post-Incident Review (lessons learned)

✍️ Acknowledgement & Sign-off
Confirm understanding and approve the policy pack.

Acknowledgements (must check all) *: I understand this policy and will comply; I will report suspected security incidents promptly; I understand violations may lead to disciplinary action
Approver Name (type full name) *
Approver Title/Role *
Approval Date * (date/time)
Attachments (optional): You can upload up to 5 files. Upload existing security policy, IR plan, or compliance evidence (optional).