psjenkins/ISMS
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Initial commit

Browse Source
This commit is contained in:
Paul Jenkins
2026-03-26 09:35:22 +00:00
parent 0d73f76688
commit 5eade2d99b
76 changed files with 5512 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

104
00-governance/isms-scope-statement.md Normal file
View File

@@ -0,0 +1,104 @@
Title: ISMS Scope Statement
Document ID: [GOV-ISMS-SCOPE-001]
Version: 0.1 Draft
Status: Draft
Owner: CISO (Paul Jenkins)
Approver: CEO (Paul Hague)
Classification: Internal
Effective date: [DD Month YYYY]
Review date: [DD Month YYYY]
# ISMS Scope Statement
## Purpose
This document defines the intended scope of BlackDice's Information Security Management System (ISMS). It provides the working boundary for risk management, control selection, governance, and assurance activity.
## Scope
The ISMS is intended to cover the people, processes, information, and technology used to design, build, operate, support, and assure BlackDice services within the approved organisational boundary.
The scope is expected to include, where applicable:
- cloud-native SaaS service delivery activities
- containerised and Kubernetes-based workloads
- software engineering, code review, build, release, and CI/CD activities
- security telemetry processing, monitoring, and operational support
- supplier-supported services and third-party dependencies relevant to service delivery
- customer assurance, information handling, and security governance activities
## In-Scope Organisational Activities
The following activity groups should be treated as in scope unless explicitly excluded by approved scope decisions:
- product and platform engineering
- production operations and service support
- security operations and incident handling
- corporate functions handling in-scope information assets
- supplier management for material service providers
- internal governance, audit, and management review activities
## In-Scope Assets and Information
In-scope assets are expected to include:
- information used to operate, secure, or support BlackDice services
- source code, build artefacts, and deployment configurations
- cloud infrastructure, Kubernetes clusters, and supporting management planes
- endpoints and collaboration systems used to access in-scope information
- records generated by the ISMS, including risk, incident, exception, and audit records
## Interested Parties and Interfaces
The ISMS should take account of the needs and expectations of relevant interested parties, including:
- BlackDice personnel and contractors
- customers and prospective customers
- key suppliers and service providers
- regulators and supervisory bodies where applicable
- external auditors and assurance reviewers
Interfaces with customer-managed or operator-hosted environments must be defined during tailoring so that control responsibilities are clear for SaaS and operator-hosted deployment patterns.
## Scope Boundaries and Exclusions
Any exclusions from scope must be explicitly documented, justified, reviewed for risk impact, and approved by [Approval Authority]. Exclusions must not undermine the ability of the ISMS to address material information security risks associated with BlackDice's operating model.
Current exclusions:
- [No exclusions confirmed]
## Assumptions and Constraints
- Legal, contractual, and regulatory obligations remain subject to confirmation and ongoing review.
- Roles, system names, and ownership assignments will be completed during tailoring.
- Shared-responsibility boundaries with customers and suppliers may vary by service model and must be documented where relevant.
## Roles and Responsibilities
- The ISMS owner must maintain this scope statement.
- Process and system owners must identify assets and activities that fall within the approved scope.
- Management must review proposed scope changes where business, technology, or supplier arrangements materially change.
## Monitoring and Review
This scope statement should be reviewed at least annually and when significant changes occur, including:
- new products or service lines
- material changes to hosting or deployment models
- mergers, acquisitions, or organisational restructuring
- major supplier changes
- significant regulatory or contractual changes
## Related Documents
- Information Security Policy
- ISMS Manual
- Risk Assessment and Treatment Methodology
- Statement of Applicability Template
## Version Control
| Version | Date | Description of Change | Author |
| --- | --- | --- | --- |
| 0.1 Draft | [DD Month YYYY] | Initial draft. | [Name or Role] |