IT & Information Security Policies
What IT security policies does my organisation need?
A comprehensive IT security framework typically includes an information security policy (the overarching framework), access control policy, asset management and classification policy, operations security policy, cryptography policy, physical security policy, IT incident response policy, human resource security policy (covering onboarding, access provisioning, and exit procedures), IT risk management policy, and a business continuity and disaster recovery plan. The specific policies required depend on your industry, the sensitivity of the data you handle, and the regulatory frameworks that apply. We help organisations build IT security policy suites that satisfy regulatory requirements, client contractual obligations, and audit expectations.
Are IT security policies legally required in India?
The DPDP Act requires Data Fiduciaries to implement reasonable security safeguards to protect personal data. What constitutes reasonable security is likely to be informed by standards such as ISO 27001 and by the reasonable practices prevailing in the industry. The IT Act’s Section 43A (which remains in force) and the SPDI Rules require body corporates that handle sensitive personal data to implement and maintain reasonable security practices and procedures, and specifically reference ISO 27001 as an accepted standard. Many industries have additional requirements, such as RBI’s cybersecurity framework for banks and financial institutions, and CERT-In’s incident reporting obligations. Beyond legal requirements, enterprise clients, investors, and auditors increasingly expect documented IT security policies as a condition of doing business.
What is a business continuity and disaster recovery plan?
A business continuity plan (BCP) ensures that critical business functions continue during and after a disruption, whether a cyberattack, natural disaster, or system failure. A disaster recovery plan (DRP) specifically addresses the restoration of IT systems and data. Together, they cover risk identification, recovery time and recovery point objectives, backup procedures, communication protocols, alternate operating arrangements, and testing schedules. Regulators, particularly in financial services, increasingly require documented BCPs and DRPs. We draft these plans to be operationally actionable rather than just compliance documents.