Document ID: SOC2-SEC-POL-001 | Version: 1.0 | Date: March 2026 | Classification: Internal | Owner: Chief Information Security Officer
Purpose
This policy establishes [Organisation Name]’s commitment to protecting the security, availability, processing integrity, confidentiality, and privacy of information and systems. It serves as the top-level security policy for SOC 2 Type II compliance and addresses the Common Criteria (CC) for the Security Trust Services Category.
1. Policy Statement
[Organisation Name] is committed to implementing and maintaining a comprehensive information security programme that protects the confidentiality, integrity, and availability of customer data and internal systems. Security is a shared responsibility across the entire organisation and must be embedded in all business processes.
2. Trust Services Categories in Scope
| Category | In Scope | Notes |
|---|---|---|
| Security (Common Criteria) | ✅ Yes | Required for all SOC 2 reports |
| Availability | ✅ Yes | Cloud-hosted services with uptime SLAs |
| Confidentiality | ✅ Yes | Customer data classified as confidential |
| Processing Integrity | ⬜ Optional | Include if applicable to your services |
| Privacy | ⬜ Optional | Include if personal data is processed |
3. Objectives
The organisation’s security objectives are to:
- Protect customer data — Prevent unauthorised access, disclosure, or modification of customer information entrusted to the organisation.
- Ensure system availability — Maintain systems at agreed uptime levels and recover from disruptions within defined RTO/RPO targets.
- Manage risk — Identify, assess, and treat security risks in a structured and ongoing process.
- Meet compliance obligations — Satisfy contractual, legal, and regulatory requirements including SOC 2 Type II, GDPR, and applicable data protection laws.
- Build a security culture — Ensure all personnel understand their security responsibilities and report incidents without hesitation.
4. Scope
This policy applies to:
- All production systems, infrastructure, and services used to deliver [Organisation Name]’s products
- All customer data processed, stored, or transmitted by the organisation
- All employees, contractors, and third parties with access to in-scope systems
- All cloud environments (AWS, Azure, GCP) and third-party SaaS tools used in production
5. Governing Principles
| Principle | Requirement |
|---|---|
| Least Privilege | Access to systems and data is limited to what is required for the role |
| Defence in Depth | Multiple layers of security controls reduce reliance on any single control |
| Secure by Default | New systems are deployed in a secure state; access must be explicitly granted |
| Accountability | All access is logged and attributable to an individual identity |
| Continuous Improvement | Security controls are reviewed and improved based on risk assessment and incident findings |
6. Roles and Responsibilities
| Role | Responsibility |
|---|---|
| Board / Executive Team | Approve this policy; ensure adequate security resources |
| CISO | Own the security programme; report risk posture to leadership |
| Engineering / DevOps | Implement technical controls; participate in secure development |
| HR | Include security obligations in employment contracts; manage access on offboarding |
| All Staff | Comply with this policy; complete security training; report incidents |
| Legal / Compliance | Maintain awareness of regulatory obligations; advise on contractual requirements |
7. Supporting Policies
This policy is supported by:
- Access Control Policy
- Risk Assessment Procedure
- Incident Response Plan
- Change Management Policy
- Vendor Management Policy
- Business Continuity Plan
- Monitoring and Logging Policy
- Data Classification Policy
8. Enforcement
Violations of this policy may result in disciplinary action up to and including termination. In cases involving criminal activity, matters will be referred to law enforcement.
9. Review
This policy is reviewed annually or following a material security incident, significant system change, or audit finding. Updates require CISO approval and are communicated to all staff.
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | March 2026 | [CISO Name] | Initial issue |