
Information Security Policy

Top-level security policy defining the company's commitment to confidentiality, integrity, and availability of information assets.

Category: Security · Status: Published

Current version · v3.2

Effective 1/15/2026 — approved by CEO


1. Purpose

This information security policy establishes the requirements, responsibilities, and expectations governing how AC5 Labs Demo Co protects information assets, manages risk, and meets its contractual and regulatory obligations. It applies to all employees, contractors, interns, and third parties acting on behalf of the company.

2. Scope

This policy covers all information systems, devices, networks, facilities, and data — whether owned, leased, or operated under contract — that are used to conduct company business. It applies regardless of location and includes remote work, customer environments, and bring-your-own-device arrangements.

3. Roles & Responsibilities

The CISO owns this policy and is accountable for its content, approval cycle, and exceptions. Department heads are responsible for operationalizing the policy within their teams and ensuring relevant personnel attest within thirty (30) days of hire and annually thereafter.

4. Policy Statements

4.1 The company shall maintain documented controls aligned with the cross-referenced framework requirements listed at the end of this policy.

4.2 Exceptions to this policy must be requested in writing, justified by a documented business need, time-bound, and approved by the policy owner. All approved exceptions shall be logged and reviewed at least annually.

4.3 Violations of this policy may result in disciplinary action up to and including termination of employment or contract, and where applicable, civil or criminal penalties.

5. Compliance & Enforcement

Compliance is verified through periodic internal audits, automated control testing where feasible, and external assessment as part of the company's overall compliance program. Non-conformities will be tracked through the corrective action process and reported to executive leadership monthly.

6. Review

This policy is reviewed at least annually, or sooner if material changes occur in the business, the technology environment, or applicable regulations. The reviewer records each change in the version history, and re-attestation is required whenever a substantive update is published.

Document control: POL-IS-001 v3.2 · Approved per the version history below.

Version history

4 versions on record

  1. v3.2 (current) · 1/15/2026
     Added requirements for AI-system access controls and clarified subcontractor flow-down.
     Approved by CEO

  2. v3.1 (obsolete) · 1/10/2025
     Annual review; tightened exception process and added MFA mandate.
     Approved by CEO

  3. v3.0 (obsolete) · 2/2/2024
     Major restructure to align with ISO 27001:2022 control set.
     Approved by CEO

  4. v2.4 (obsolete) · 3/15/2023
     Initial publication after first SOC 2 Type II.
     Approved by Board

Status: Published
Version: v3.2
Effective: 1/15/2026
Next review: 1/15/2027 (on track)

Attestation status

Completed: 9/11 (82%)

Cross-references

Related framework controls

  • ISO 27001 A.5.1
  • SOC 2 CC1.1
  • CMMC AC-1
  • NIST 800-171 3.1.1

Distribution list

Owner: CISO

  • All employees (142) · last reminded 4/15/2026
  • Contractors (18) · last reminded 4/15/2026
  • Board members (5) · last reminded 2/1/2026