Initial commit
107
00-governance/isms-manual.md
Normal file
@@ -0,0 +1,107 @@
|
||||
Title: ISMS Manual
|
||||
Document ID: [GOV-ISMS-MANUAL-001]
|
||||
Version: 0.1 Draft
|
||||
Status: Draft
|
||||
Owner: CISO (Paul Jenkins)
|
||||
Approver: CEO (Paul Hague)
|
||||
Classification: Internal
|
||||
Effective date: [DD Month YYYY]
|
||||
Review date: [DD Month YYYY]
|
||||
|
||||
# ISMS Manual
|
||||
|
||||
## Purpose
|
||||
|
||||
This manual describes the structure of BlackDice's ISMS and how its governing documents, operational controls, and review activities fit together. It is intended to help document owners, reviewers, and auditors understand how the ISMS is organised.
|
||||
|
||||
## Scope
|
||||
|
||||
This manual applies to the ISMS documentation set and the management processes used to direct, monitor, and improve information security within the approved ISMS scope.
|
||||
|
||||
## ISMS Overview
|
||||
|
||||
BlackDice operates a technical security business with cloud-native service delivery, containerised workloads, software delivery pipelines, security telemetry handling, and customer assurance obligations. The ISMS is intended to provide a repeatable management framework for those activities without assuming technologies, teams, or organisational structures that have not yet been confirmed.
|
||||
|
||||
## ISMS Objectives
|
||||
|
||||
The ISMS is intended to support BlackDice in:
|
||||
|
||||
- protecting information assets and service integrity
|
||||
- managing risk in a structured and repeatable way
|
||||
- selecting and operating proportionate security controls
|
||||
- meeting contractual, legal, regulatory, and assurance expectations
|
||||
- driving continual improvement through audit, review, and corrective action
|
||||
|
||||
## Document Hierarchy
|
||||
|
||||
The ISMS document set is structured as follows:
|
||||
|
||||
- governance documents define scope, management framework, risk method, control applicability, and document control
|
||||
- policies define management intent and high-level requirements
|
||||
- standards define mandatory implementation requirements
|
||||
- procedures define operational steps and evidence outputs
|
||||
- registers and templates define the records needed to operate and evidence the ISMS
|
||||
- audit and review artefacts support assurance and continual improvement
|
||||
|
||||
## Core ISMS Processes
|
||||
|
||||
The following processes form the core operating cycle of the ISMS:
|
||||
|
||||
1. Define the scope, interested parties, and control framework.
|
||||
2. Identify and assess risks using the approved methodology.
|
||||
3. Select controls and record applicability and treatment decisions.
|
||||
4. Implement policies, standards, and procedures.
|
||||
5. Monitor performance, incidents, exceptions, and control effectiveness.
|
||||
6. Conduct internal audit and management review.
|
||||
7. Track corrective actions and improvement activity.
|
||||
|
||||
## Governance Model
|
||||
|
||||
The governance model should define:
|
||||
|
||||
- who owns the ISMS
|
||||
- who approves policies and significant control decisions
|
||||
- who owns risks, exceptions, and corrective actions
|
||||
- how management review is conducted
|
||||
- how internal audit independence is maintained
|
||||
|
||||
Named committees, boards, and role titles are not assigned in this draft and must be completed during tailoring.
|
||||
|
||||
## Roles and Responsibilities
|
||||
|
||||
- The ISMS owner is accountable for maintaining the ISMS framework.
|
||||
- Document owners are responsible for keeping assigned documents accurate and current.
|
||||
- Control owners are responsible for implementing and operating assigned controls.
|
||||
- Risk owners are responsible for evaluating and treating assigned risks.
|
||||
- Management is responsible for providing direction, support, and review.
|
||||
|
||||
## Control Framework and Applicability
|
||||
|
||||
BlackDice should maintain a Statement of Applicability that records which controls are applicable, how they are implemented, and where justification exists for exclusion. Control selection should reflect the risk profile of cloud-native service delivery, CI/CD, supplier dependencies, customer data handling, and operational monitoring.
|
||||
|
||||
## Document and Record Management
|
||||
|
||||
Controlled documents must use the standard metadata block, version control table, and approved storage location. Records generated by ISMS processes must be retained in a way that supports traceability, review, and audit.
|
||||
|
||||
## Monitoring, Audit, and Review
|
||||
|
||||
The ISMS should be monitored using appropriate measures, including risk status, security events, control exceptions, audit findings, and progress against information security objectives. Internal audit and management review should be conducted at planned intervals, with outputs recorded and tracked to closure.
|
||||
|
||||
## Continual Improvement
|
||||
|
||||
Nonconformities, incidents, audit findings, and management review actions should feed corrective action and improvement activity. Improvements should be prioritised according to risk, impact, and operational feasibility.
|
||||
|
||||
## Related Documents
|
||||
|
||||
- ISMS Scope Statement
|
||||
- Information Security Policy
|
||||
- Risk Assessment and Treatment Methodology
|
||||
- Statement of Applicability Template
|
||||
- Information Security Objectives Template
|
||||
- Document and Records Control Standard
|
||||
|
||||
## Version Control
|
||||
|
||||
| Version | Date | Description of Change | Author |
|
||||
| --- | --- | --- | --- |
|
||||
| 0.1 Draft | [DD Month YYYY] | Initial draft. | [Name or Role] |
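Review bot: The metadata block names the Owner (CISO, Paul Jenkins) and Approver (CEO, Paul Hague) but leaves `Document ID: [GOV-ISMS-MANUAL-001]`, both dates and the version-table `Author` as bracketed placeholders, so the document does not yet satisfy the "standard metadata block" and "version control table" requirement it imposes on controlled documents in the Document and Record Management section; fill `Author` with the owner role at minimum, and either confirm the ID or mark it provisional so tailoring does not silently change the reference other documents will cite. The Related Documents list also omits the registers that the Core ISMS Processes steps 2, 5 and 7 and the Document Hierarchy entry "registers and templates" depend on (risk register, exception register, corrective action or improvement register); add them alongside the templates so the hierarchy described in the manual matches the set it links to. Finally, "Internal audit and management review should be conducted at planned intervals" states no interval and the header `Review date` is unset; state the review cycle once here so the review date can be derived from the effective date rather than left open.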
|
||||