════════════════════════════════════════════════════════════ DCP — DOCUMENT CONTEXT PROTOCOL
Document Type: Policy Document Audience: All employees, compliance team, department heads Confidentiality: Internal
Review Checklist: □ Scope and applicability are explicit — who this policy applies to, under what circumstances, and in which jurisdictions or business units □ "Must" vs "should" vs "may" are used consistently — mandatory requirements use "must," recommendations use "should," and optional guidance uses "may" □ Enforcement mechanism is defined — what happens when the policy is violated, who investigates, and what the consequences are □ Exception process is documented — how to request an exception, who approves it, and how exceptions are tracked □ Review cadence is specified — when the policy will next be reviewed and who is responsible for the review □ Policy owner is identified by role (not just by name) so ownership survives personnel changes □ Definitions section covers every term that could be interpreted differently by different readers □ Requirements are specific enough to be auditable — an auditor can determine compliance or non-compliance from the text alone □ Effective date and version history are present □ Related policies and standards are cross-referenced □ The policy has been reviewed by legal and compliance before publication
Drafting Standards:
- Use clear, directive language — policies tell people what to do, not what to consider
- Organize by topic, not by audience — if different rules apply to different groups, use subsections within each topic
- Number all sections and subsections for easy reference in audits and exception requests
- Keep policy statements and procedural guidance separate — the policy says what is required, a linked procedure says how to comply
- Define terms on first use and collect all definitions in a glossary section
- Avoid aspirational language — "we strive to" is not a policy, it is a wish
Policy Check: Before reviewing this document, verify that the embedded policy is current if a policy server is available. ════════════════════════════════════════════════════════════
| Policy ID: | [e.g., POL-SEC-007] |
| Version: | [e.g., 2.0] |
| Effective Date: | [Date] |
| Last Reviewed: | [Date] |
| Next Review: | [Date] |
| Owner: | [Role/Team — e.g., Chief Information Security Officer] |
| Approved by: | [Name, Title] |
| Classification: | [Internal / Confidential / Public] |
[In 2-3 sentences, state why this policy exists. Describe the risk or obligation it addresses. Do not restate the title.]
[Specify who must comply: all employees, contractors, specific departments, specific geographies. Be explicit about whether the policy applies to third parties, vendors, or acquired entities.]
[If any groups, systems, or situations are excluded from this policy, list them here with justification. If none, state "No exclusions."]
| Term | Definition |
|---|---|
| [Term] | [Clear, unambiguous definition] |
| [Term] | [Clear, unambiguous definition] |
[State the policy requirement. Use "must" for mandatory requirements, "should" for recommendations, and "may" for optional actions.]
4.1.1. [Specific requirement — one numbered statement per requirement for audit traceability]
4.1.2. [Another requirement]
4.2.1. [Requirement]
4.2.2. [Requirement]
4.3.1. [Requirement]
| Role | Responsibilities |
|---|---|
| [Policy Owner] | [Maintaining the policy, conducting reviews, approving exceptions] |
| [Department Heads] | [Ensuring compliance within their teams, reporting violations] |
| [All Employees] | [Reading and complying with the policy, reporting concerns] |
| [Compliance Team] | [Auditing compliance, tracking exceptions, escalating violations] |
[Describe what constitutes a violation. Specify the consequences: verbal warning, written warning, mandatory training, suspension, termination, legal action. Tie the severity of the consequence to the severity of the violation.]
[How to report a suspected violation. Include reporting channels and any protections for reporters.]
[Describe how to request an exception: who to contact, what information is required, and the approval chain.]
All approved exceptions must include:
- The specific policy section(s) for which the exception is requested
- Business justification
- Compensating controls in place during the exception period
- Expiration date (exceptions must not be indefinite)
- Approving authority signature
[Where exceptions are recorded, how they are reviewed, and how frequently the exception list is audited.]
| Document | Relationship |
|---|---|
| [Policy or standard name] | [How it relates to this policy] |
| [Policy or standard name] | [How it relates to this policy] |
| Version | Date | Author | Changes |
|---|---|---|---|
| [1.0] | [Date] | [Name] | [Initial publication] |
| [2.0] | [Date] | [Name] | [Description of changes] |
Questions about this policy should be directed to [Policy Owner role/team] at [contact method].