█
LastWrite
  • > Curriculum
  • > Pricing
  • > For Educators
  • > About
  • > Contact
Log InGet Started

Questions, concerns, bug reports, or suggestions? We read every message, write to us at [email protected].

More ways to reach us →
LastWrite

Structured computer science lessons for aspiring developers and security professionals.

[email protected]

(201) 785-7951

Mon–Fri, 9 AM–5 PM EST

Learn

  • Curriculum
  • Pricing

Company

  • About
  • For Educators & Schools
  • Contact Us

Legal

  • Terms of Service
  • Privacy Policy
© 2026 LastWrite. All rights reserved.
Curriculum/Cybersecurity/Risk Management and Governance/Security Policies and Standards
35 minBeginner

Security Policies and Standards

After this lesson, you will be able to: Understand security policies, ISO 27001, SOC 2, and write a basic acceptable use policy.

Policies are the bridge between risk identification and action. ISO 27001 and SOC 2 are the global gold-standard frameworks; an Acceptable Use Policy (AUP) is the simplest policy every org needs.

Prerequisites:Risk Assessment

ISO 27001 in one paragraph

International standard for Information Security Management Systems (ISMS). Annex A lists 93 controls (in the 2022 version). Certification by external auditor, yearly surveillance, recertification every 3 years. Often required for B2B contracts.

💡 SOC 2 in one paragraph

AICPA framework, US-centric, common in SaaS. Five Trust Service Criteria: Security (required), Availability, Processing Integrity, Confidentiality, Privacy. Type 1 = point-in-time; Type 2 = sustained over 6–12 months (more credible).

Anatomy of a security policy

  1. 1

    1. Purpose, why this policy exists.

  2. 2

    2. Scope, who/what it applies to.

  3. 3

    3. Policy statements, the rules.

  4. 4

    4. Roles & responsibilities.

  5. 5

    5. Enforcement, consequences.

  6. 6

    6. Review cadence, annual minimum.

Sample AUP excerpt

An Acceptable Use Policy fragment:

tsx
Purpose: Define acceptable use of company systems.
Scope: All employees, contractors, guests on the corporate network.
Policy:
1. Company devices may not be used for illegal activity.
2. Personal email and social media are permitted in moderation.
3. No company data may be stored on personal cloud accounts.
4. Strong passwords are required (12+ chars, MFA enforced).
Enforcement: Violations may result in disciplinary action up to termination.

Sign in and purchase access to unlock this lesson.

Sign in to purchase
←Risk Assessment
Back to Risk Management and Governance
Compliance and Regulatory Frameworks→