Initial commit

2026-03-26 09:35:22 +00:00
parent 0d73f76688
commit 5eade2d99b
76 changed files with 5512 additions and 0 deletions
--- a/01-policies/access-control-policy.md
+++ b/01-policies/access-control-policy.md
@@ -0,0 +1,77 @@
+Title: Access Control Policy
+Document ID: [POL-ACCESS-001]
+Version: 0.2 Draft
+Status: Draft
+Owner: CISO (Paul Jenkins)
+Approver: CEO (Paul Hague)
+Classification: Internal
+Effective date: [DD Month YYYY]
+Review date: [DD Month YYYY]
+
+# Access Control Policy
+
+## Purpose
+
+This policy defines BlackDice's high-level requirements for controlling access to information, systems, services, and administrative interfaces.
+
+## Scope
+
+This policy applies to personnel, contractors, service accounts, systems, cloud platforms, Kubernetes environments, CI/CD systems, endpoints, and third parties within the ISMS scope.
+
+## Objectives
+
+- limit access to authorised users and approved system identities
+- enforce least privilege and need-to-know principles
+- reduce the risk of unauthorised access, misuse, and privilege escalation
+
+## Principles / Policy Statements
+
+Access to information and systems must be granted only where there is an approved business need.
+
+Privileges must be assigned using least privilege and separated where appropriate to reduce the risk of unauthorised or unsafe activity.
+
+Authentication methods must be appropriate to the sensitivity and exposure of the system or service being accessed.
+
+BlackDice should reduce unnecessary reliance on standalone passwords by favouring centrally managed identity, single sign-on, and stronger authentication approaches where practical.
+
+Multi-factor authentication must be used for privileged, remote, cloud administrative, internet-facing, and other high-risk access unless a formally approved exception exists. Where technically available, BlackDice should enable multi-factor authentication more broadly across workforce access.
+
+Default credentials must not remain in use on production or operational systems. Any default password identified on an in-scope system or service must be changed before use.
+
+Privileged access to cloud management planes, production systems, Kubernetes administration, and CI/CD tooling must be subject to stronger control and increased oversight.
+
+Access rights must be reviewed at planned intervals and when roles, responsibilities, or employment status change.
+
+Shared accounts should be avoided unless formally justified, controlled, and traceable.
+
+Where passwords remain necessary, BlackDice should support secure password management practices and avoid relying primarily on complexity rules or routine password expiry as the main control measure.
+
+## Roles and Responsibilities
+
+- [Role] must define and oversee access control requirements.
+- Managers must approve access according to business need.
+- System owners must ensure access models are suitable for their systems.
+- Users must protect their credentials and use access only for authorised purposes.
+
+## Compliance / Exceptions
+
+Exceptions must be documented, risk-assessed, approved, and reviewed through the exception management process.
+
+## Monitoring and Review
+
+Compliance should be monitored through access reviews, joiner-mover-leaver activities, incident handling, and audit.
+
+## Related Documents
+
+- Information Security Policy
+- Identity and Authentication Standard
+- Secrets Management Standard
+- Joiner Mover Leaver Procedure
+- Access Review Procedure
+
+## Version Control
+
+| Version | Date | Description of Change | Author |
+| --- | --- | --- | --- |
+| 0.1 Draft | [DD Month YYYY] | Initial draft. | [Name or Role] |
+| 0.2 Draft | [DD Month YYYY] | Expanded to include explicit MFA, default credential, SSO, and password management principles. | ChatGPT |
--- a/01-policies/asset-management-and-acceptable-use-policy.md
+++ b/01-policies/asset-management-and-acceptable-use-policy.md
@@ -0,0 +1,64 @@
+Title: Asset Management and Acceptable Use Policy
+Document ID: [POL-ASSET-001]
+Version: 0.1 Draft
+Status: Draft
+Owner: CISO (Paul Jenkins)
+Approver: CEO (Paul Hague)
+Classification: Internal
+Effective date: [DD Month YYYY]
+Review date: [DD Month YYYY]
+
+# Asset Management and Acceptable Use Policy
+
+## Purpose
+
+This policy defines BlackDice's expectations for identifying, managing, and using information assets and technology resources appropriately.
+
+## Scope
+
+This policy applies to information, software, cloud resources, endpoints, repositories, collaboration platforms, removable media, and other assets used within the ISMS scope.
+
+## Objectives
+
+- maintain accountability for important assets
+- ensure assets are used appropriately and securely
+- reduce misuse, loss, and uncontrolled exposure of business information
+
+## Principles / Policy Statements
+
+In-scope information assets and supporting technology assets must be identified and assigned an owner.
+
+Assets must be handled in accordance with their classification, business value, and criticality.
+
+BlackDice technology resources must be used only for authorised business purposes unless limited personal use is expressly permitted by [Policy or Role].
+
+Users must not use company assets to bypass security controls, introduce unapproved software, or perform unsafe activity that could affect cloud services, customer data, or corporate systems.
+
+Where assets support cloud-native operations, source code, build artefacts, infrastructure definitions, and deployment configurations must be treated as controlled assets.
+
+## Roles and Responsibilities
+
+- Asset owners must ensure assets are identified, classified, and appropriately protected.
+- Users must use assets responsibly and report loss, misuse, or security concerns.
+- [Role] must oversee the asset management framework.
+
+## Compliance / Exceptions
+
+Non-compliant use may lead to removal of access, investigation, and corrective action. Exceptions must be approved through the defined process.
+
+## Monitoring and Review
+
+This policy should be reviewed alongside asset inventory accuracy, acceptable use issues, incidents, and audit findings.
+
+## Related Documents
+
+- Information Security Policy
+- Data Classification and Handling Policy
+- Asset Register Template
+- Remote Working Policy
+
+## Version Control
+
+| Version | Date | Description of Change | Author |
+| --- | --- | --- | --- |
+| 0.1 Draft | [DD Month YYYY] | Initial draft. | [Name or Role] |
--- a/01-policies/backup-and-recovery-policy.md
+++ b/01-policies/backup-and-recovery-policy.md
@@ -0,0 +1,64 @@
+Title: Backup and Recovery Policy
+Document ID: [POL-BACKUP-001]
+Version: 0.1 Draft
+Status: Draft
+Owner: CISO (Paul Jenkins)
+Approver: CEO (Paul Hague)
+Classification: Internal
+Effective date: [DD Month YYYY]
+Review date: [DD Month YYYY]
+
+# Backup and Recovery Policy
+
+## Purpose
+
+This policy defines BlackDice's expectations for protecting data and service recoverability through backup and recovery arrangements.
+
+## Scope
+
+This policy applies to in-scope data, configurations, system components, supporting platforms, and recovery information relevant to BlackDice services and business operations.
+
+## Objectives
+
+- maintain recoverability of important data and service components
+- reduce the impact of data loss, corruption, or service disruption
+- ensure recovery arrangements are defined and tested
+
+## Principles / Policy Statements
+
+Backup and recovery arrangements must be defined according to business criticality, recovery needs, and risk.
+
+Backups must be protected against unauthorised access, tampering, loss, and inappropriate deletion.
+
+Cloud-native and Kubernetes-based services must consider recovery of data, configurations, infrastructure definitions, and dependencies needed to restore service.
+
+Recovery requirements should reflect service commitments, business priorities, and operational constraints.
+
+Backup restoration capability must be tested at planned intervals.
+
+## Roles and Responsibilities
+
+- [Role] must define backup and recovery expectations.
+- System owners must ensure required backup and recovery arrangements exist.
+- Operational teams must perform and evidence testing and restoration activity as required.
+
+## Compliance / Exceptions
+
+Any gap in backup coverage or recovery capability must be documented, assessed for risk, and addressed through remediation or approved exception.
+
+## Monitoring and Review
+
+This policy should be reviewed through backup testing, recovery exercises, incidents, change review, and audit.
+
+## Related Documents
+
+- Information Security Policy
+- Backup Testing Procedure
+- Business Continuity and Disaster Recovery Policy
+- Data Retention Standard
+
+## Version Control
+
+| Version | Date | Description of Change | Author |
+| --- | --- | --- | --- |
+| 0.1 Draft | [DD Month YYYY] | Initial draft. | [Name or Role] |
--- a/01-policies/business-continuity-and-disaster-recovery-policy.md
+++ b/01-policies/business-continuity-and-disaster-recovery-policy.md
@@ -0,0 +1,64 @@
+Title: Business Continuity and Disaster Recovery Policy
+Document ID: [POL-BCDR-001]
+Version: 0.1 Draft
+Status: Draft
+Owner: CISO (Paul Jenkins)
+Approver: CEO (Paul Hague)
+Classification: Internal
+Effective date: [DD Month YYYY]
+Review date: [DD Month YYYY]
+
+# Business Continuity and Disaster Recovery Policy
+
+## Purpose
+
+This policy defines BlackDice's high-level requirements for maintaining continuity of important activities and recovering from disruptive events.
+
+## Scope
+
+This policy applies to in-scope business processes, technology services, supporting suppliers, information assets, and recovery arrangements relevant to BlackDice operations.
+
+## Objectives
+
+- reduce the impact of disruptive events on critical services and operations
+- define recovery priorities and continuity expectations
+- support coordinated response, recovery, and testing
+
+## Principles / Policy Statements
+
+BlackDice must identify critical activities, dependencies, and recovery requirements relevant to in-scope services and business operations.
+
+Continuity and disaster recovery arrangements must consider cloud platform dependencies, operator-hosted patterns where applicable, critical suppliers, and supporting internal processes.
+
+Recovery strategies should be appropriate to service importance, data criticality, and customer commitments.
+
+Plans must be maintained, accessible to authorised responders, and reviewed when material change occurs.
+
+Continuity and disaster recovery arrangements must be tested at planned intervals.
+
+## Roles and Responsibilities
+
+- [Role] must oversee continuity and disaster recovery policy requirements.
+- Process and system owners must define recovery needs and supporting arrangements.
+- Management must support prioritisation, testing, and review.
+
+## Compliance / Exceptions
+
+Gaps in continuity or recovery arrangements must be tracked and addressed through remediation or approved exception.
+
+## Monitoring and Review
+
+This policy should be reviewed through exercises, incidents, service changes, supplier review, and management review.
+
+## Related Documents
+
+- Information Security Policy
+- Backup and Recovery Policy
+- Disaster Recovery Testing Procedure
+- Risk Assessment and Treatment Methodology
+
+## Version Control
+
+| Version | Date | Description of Change | Author |
+| --- | --- | --- | --- |
+| 0.1 Draft | [DD Month YYYY] | Initial draft. | [Name or Role] |
--- a/01-policies/change-management-policy.md
+++ b/01-policies/change-management-policy.md
@@ -0,0 +1,65 @@
+Title: Change Management Policy
+Document ID: [POL-CHANGE-001]
+Version: 0.1 Draft
+Status: Draft
+Owner: CISO (Paul Jenkins)
+Approver: CEO (Paul Hague)
+Classification: Internal
+Effective date: [DD Month YYYY]
+Review date: [DD Month YYYY]
+
+# Change Management Policy
+
+## Purpose
+
+This policy defines BlackDice's high-level requirements for managing changes to systems, services, infrastructure, configurations, and processes that may affect security or service integrity.
+
+## Scope
+
+This policy applies to production systems, cloud infrastructure, Kubernetes environments, software releases, CI/CD pipelines, security tooling, and other in-scope changes.
+
+## Objectives
+
+- ensure changes are assessed, authorised, and traceable
+- reduce the risk of unintended security or service impact
+- support safe and repeatable operational change
+
+## Principles / Policy Statements
+
+Changes that may affect information security, resilience, compliance, or customer service must be subject to defined assessment and approval.
+
+The level of review and approval must be proportionate to the risk and impact of the change.
+
+Emergency changes may be implemented where necessary to reduce immediate risk or restore service, but they must be documented and reviewed retrospectively.
+
+Changes to production infrastructure, identity systems, network controls, security tooling, and CI/CD workflows must receive appropriate scrutiny.
+
+Change records must provide enough information to support accountability, rollback planning, and auditability.
+
+## Roles and Responsibilities
+
+- [Role] must define change management expectations.
+- Change owners must ensure changes are documented and approved appropriately.
+- Reviewers and approvers must assess impact, risk, and readiness.
+- Operational teams must implement changes in line with approved controls.
+
+## Compliance / Exceptions
+
+Unauthorised changes are not permitted. Exceptions must be documented and approved through the defined process.
+
+## Monitoring and Review
+
+This policy should be reviewed through change metrics, incidents, failed changes, exceptions, and audit findings.
+
+## Related Documents
+
+- Information Security Policy
+- Secure Development Policy
+- Change Approval Procedure
+- Production Deployment Procedure
+
+## Version Control
+
+| Version | Date | Description of Change | Author |
+| --- | --- | --- | --- |
+| 0.1 Draft | [DD Month YYYY] | Initial draft. | [Name or Role] |
--- a/01-policies/cloud-security-policy.md
+++ b/01-policies/cloud-security-policy.md
@@ -0,0 +1,64 @@
+Title: Cloud Security Policy
+Document ID: [POL-CLOUD-001]
+Version: 0.1 Draft
+Status: Draft
+Owner: CISO (Paul Jenkins)
+Approver: CEO (Paul Hague)
+Classification: Internal
+Effective date: [DD Month YYYY]
+Review date: [DD Month YYYY]
+
+# Cloud Security Policy
+
+## Purpose
+
+This policy defines BlackDice's high-level requirements for securing cloud services and cloud-hosted workloads used to deliver and support its business operations.
+
+## Scope
+
+This policy applies to cloud platforms, managed cloud services, cloud administration functions, infrastructure as code, and cloud-hosted workloads within the ISMS scope.
+
+## Objectives
+
+- maintain secure and controlled use of cloud services
+- reduce risk arising from misconfiguration, excessive privilege, and unmanaged change
+- support resilient and auditable cloud-native operations
+
+## Principles / Policy Statements
+
+Cloud services must be selected, configured, and operated according to approved security requirements and risk assessments.
+
+Responsibilities between BlackDice and cloud providers must be understood and reflected in control design.
+
+Production cloud environments, management planes, and supporting automation must be subject to stronger access, change, and monitoring controls.
+
+Security requirements for cloud-native workloads must consider identity, networking, secrets, logging, configuration management, and resilience.
+
+Material cloud architecture changes must be assessed for security impact before implementation.
+
+## Roles and Responsibilities
+
+- [Role] must define cloud security expectations and oversight.
+- Platform and service owners must ensure secure operation of their cloud resources.
+- Engineering and operations teams must implement approved controls in cloud environments.
+
+## Compliance / Exceptions
+
+Cloud control gaps or deviations from baseline requirements must be documented and addressed through remediation or approved exception.
+
+## Monitoring and Review
+
+This policy should be reviewed through configuration assurance, access review, incidents, supplier oversight, and audit.
+
+## Related Documents
+
+- Information Security Policy
+- Kubernetes Security Standard
+- Secure Configuration Standard
+- Network and Infrastructure Security Policy
+
+## Version Control
+
+| Version | Date | Description of Change | Author |
+| --- | --- | --- | --- |
+| 0.1 Draft | [DD Month YYYY] | Initial draft. | [Name or Role] |
--- a/01-policies/cryptography-and-key-management-policy.md
+++ b/01-policies/cryptography-and-key-management-policy.md
@@ -0,0 +1,64 @@
+Title: Cryptography and Key Management Policy
+Document ID: [POL-CRYPTO-001]
+Version: 0.1 Draft
+Status: Draft
+Owner: CISO (Paul Jenkins)
+Approver: CEO (Paul Hague)
+Classification: Internal
+Effective date: [DD Month YYYY]
+Review date: [DD Month YYYY]
+
+# Cryptography and Key Management Policy
+
+## Purpose
+
+This policy defines BlackDice's expectations for the use of cryptographic controls and the secure management of keys, secrets, and certificates.
+
+## Scope
+
+This policy applies to cryptographic protections used for data at rest, data in transit, identity material, secrets, certificates, and platform integrations within the ISMS scope.
+
+## Objectives
+
+- protect sensitive information using appropriate cryptographic controls
+- reduce the risk of compromise through weak or poorly managed keys and secrets
+- support secure cloud-native and software delivery operations
+
+## Principles / Policy Statements
+
+Cryptographic controls must be selected based on business need, risk, and applicable legal or contractual requirements.
+
+Sensitive information in transit must be protected using approved secure protocols.
+
+Secrets, keys, tokens, and certificates must be generated, stored, rotated, distributed, and revoked using controlled processes.
+
+Hard-coded secrets in source code, CI/CD pipelines, container images, or infrastructure definitions must be prohibited unless explicitly justified and approved.
+
+Access to key and secret management functions must be limited to authorised personnel and systems.
+
+## Roles and Responsibilities
+
+- [Role] must define approved cryptographic requirements.
+- System owners must ensure their services use appropriate protections.
+- Engineering and operations teams must manage secrets and certificates through approved methods.
+
+## Compliance / Exceptions
+
+Any deviation from approved cryptographic or key management practice must be documented and approved as an exception.
+
+## Monitoring and Review
+
+This policy should be reviewed alongside secrets management, certificate issues, incident findings, and control assurance activity.
+
+## Related Documents
+
+- Information Security Policy
+- Secrets Management Standard
+- Secure Configuration Standard
+- Secure Development Policy
+
+## Version Control
+
+| Version | Date | Description of Change | Author |
+| --- | --- | --- | --- |
+| 0.1 Draft | [DD Month YYYY] | Initial draft. | [Name or Role] |
--- a/01-policies/data-classification-and-handling-policy.md
+++ b/01-policies/data-classification-and-handling-policy.md
@@ -0,0 +1,64 @@
+Title: Data Classification and Handling Policy
+Document ID: [POL-DATA-CLASS-001]
+Version: 0.1 Draft
+Status: Draft
+Owner: CISO (Paul Jenkins)
+Approver: CEO (Paul Hague)
+Classification: Internal
+Effective date: [DD Month YYYY]
+Review date: [DD Month YYYY]
+
+# Data Classification and Handling Policy
+
+## Purpose
+
+This policy defines how BlackDice information must be classified, labelled where appropriate, handled, shared, stored, retained, and disposed of.
+
+## Scope
+
+This policy applies to all information created, received, processed, stored, or transmitted within the ISMS scope, regardless of format or location.
+
+## Objectives
+
+- ensure information receives protection appropriate to sensitivity and business need
+- support consistent handling decisions across teams and systems
+- reduce the risk of inappropriate disclosure, alteration, or loss
+
+## Principles / Policy Statements
+
+Information must be classified according to its sensitivity, business impact, legal obligations, and contractual requirements.
+
+Handling requirements must align with the assigned classification and apply to storage, access, transfer, retention, and disposal.
+
+Sensitive information must be protected when used in cloud services, engineering workflows, support processes, and customer assurance activities.
+
+Data exports, logs, telemetry, and support artefacts must be reviewed to avoid unnecessary exposure of sensitive or regulated information.
+
+Information shared with suppliers, customers, or operator-hosted environments must be subject to defined handling requirements and appropriate controls.
+
+## Roles and Responsibilities
+
+- Information owners must assign classifications and handling requirements where appropriate.
+- Users must handle information according to classification and approved process.
+- [Role] must maintain the classification framework.
+
+## Compliance / Exceptions
+
+Exceptions to standard handling requirements must be formally approved where justified by business need and documented risk.
+
+## Monitoring and Review
+
+This policy should be monitored through incident trends, transfer controls, retention practices, supplier review, and audit.
+
+## Related Documents
+
+- Information Security Policy
+- Information Transfer Policy
+- Privacy and Data Protection Policy
+- Data Retention Standard
+
+## Version Control
+
+| Version | Date | Description of Change | Author |
+| --- | --- | --- | --- |
+| 0.1 Draft | [DD Month YYYY] | Initial draft. | [Name or Role] |
--- a/01-policies/endpoint-security-policy.md
+++ b/01-policies/endpoint-security-policy.md
@@ -0,0 +1,64 @@
+Title: Endpoint Security Policy
+Document ID: [POL-ENDPOINT-001]
+Version: 0.1 Draft
+Status: Draft
+Owner: CISO (Paul Jenkins)
+Approver: CEO (Paul Hague)
+Classification: Internal
+Effective date: [DD Month YYYY]
+Review date: [DD Month YYYY]
+
+# Endpoint Security Policy
+
+## Purpose
+
+This policy defines BlackDice's high-level requirements for securing endpoints used to access company systems and information.
+
+## Scope
+
+This policy applies to laptops, workstations, mobile devices, privileged administration devices, and other endpoints used for in-scope business activity.
+
+## Objectives
+
+- reduce endpoint-related risk to systems and information
+- support secure access to cloud services, code repositories, and administrative interfaces
+- ensure baseline protections are applied consistently
+
+## Principles / Policy Statements
+
+Endpoints used to access in-scope systems or information must be configured and managed according to approved security requirements.
+
+Security baseline controls should address system hardening, authentication, encryption, patching, malware protection, and device lock requirements as appropriate.
+
+Endpoints used for privileged access to production platforms, cloud administration, or customer-sensitive information should receive stronger control and monitoring.
+
+Local storage of sensitive information should be minimised and protected according to classification and business need.
+
+Lost, stolen, or compromised endpoints must be reported promptly.
+
+## Roles and Responsibilities
+
+- [Role] must define endpoint security expectations.
+- Device owners and users must protect endpoints and report security issues promptly.
+- Administrators must maintain required endpoint controls where they are responsible for managed devices.
+
+## Compliance / Exceptions
+
+Use of unmanaged or non-compliant endpoints for in-scope access must be prohibited unless formally approved and risk-assessed.
+
+## Monitoring and Review
+
+This policy should be reviewed through endpoint assurance activity, incidents, vulnerability management, and audit.
+
+## Related Documents
+
+- Information Security Policy
+- Remote Working Policy
+- Access Control Policy
+- Vulnerability and Patch Management Policy
+
+## Version Control
+
+| Version | Date | Description of Change | Author |
+| --- | --- | --- | --- |
+| 0.1 Draft | [DD Month YYYY] | Initial draft. | [Name or Role] |
--- a/01-policies/human-resources-security-policy.md
+++ b/01-policies/human-resources-security-policy.md
@@ -0,0 +1,64 @@
+Title: Human Resources Security Policy
+Document ID: [POL-HRSEC-001]
+Version: 0.1 Draft
+Status: Draft
+Owner: CISO (Paul Jenkins)
+Approver: CEO (Paul Hague)
+Classification: Internal
+Effective date: [DD Month YYYY]
+Review date: [DD Month YYYY]
+
+# Human Resources Security Policy
+
+## Purpose
+
+This policy defines BlackDice's high-level requirements for managing information security responsibilities throughout the personnel lifecycle.
+
+## Scope
+
+This policy applies to employees, contractors, temporary workers, and other personnel with access to in-scope systems, information, or facilities.
+
+## Objectives
+
+- ensure personnel understand security responsibilities
+- reduce risk during onboarding, role change, and offboarding
+- support confidentiality, acceptable use, and awareness expectations
+
+## Principles / Policy Statements
+
+Personnel with access to in-scope information or systems must be subject to appropriate screening, onboarding, confidentiality, awareness, and offboarding controls where lawful and appropriate.
+
+Access, responsibilities, and training requirements must reflect the role and level of privilege granted.
+
+Joiner, mover, and leaver events must be managed promptly to reduce the risk of inappropriate access retention.
+
+Personnel must understand how to report security incidents, policy concerns, and suspected weaknesses.
+
+Additional measures may be required for privileged roles, security-sensitive functions, or access to customer-sensitive information.
+
+## Roles and Responsibilities
+
+- [Role] must define HR security expectations with relevant business stakeholders.
+- Managers must ensure role changes and departures are communicated promptly.
+- Personnel must comply with security obligations and complete required awareness activities.
+
+## Compliance / Exceptions
+
+Any departure from required lifecycle controls must be documented and approved according to risk.
+
+## Monitoring and Review
+
+This policy should be reviewed through access review, training records, incidents, audit, and management review.
+
+## Related Documents
+
+- Information Security Policy
+- Joiner Mover Leaver Procedure
+- Access Control Policy
+- Training and Awareness Record Template
+
+## Version Control
+
+| Version | Date | Description of Change | Author |
+| --- | --- | --- | --- |
+| 0.1 Draft | [DD Month YYYY] | Initial draft. | [Name or Role] |
--- a/01-policies/incident-response-policy.md
+++ b/01-policies/incident-response-policy.md
@@ -0,0 +1,65 @@
+Title: Incident Response Policy
+Document ID: [POL-INCIDENT-001]
+Version: 0.1 Draft
+Status: Draft
+Owner: CISO (Paul Jenkins)
+Approver: CEO (Paul Hague)
+Classification: Internal
+Effective date: [DD Month YYYY]
+Review date: [DD Month YYYY]
+
+# Incident Response Policy
+
+## Purpose
+
+This policy defines BlackDice's high-level requirements for preparing for, reporting, assessing, responding to, and learning from information security incidents.
+
+## Scope
+
+This policy applies to suspected or confirmed security incidents affecting in-scope people, systems, services, suppliers, information, or customers.
+
+## Objectives
+
+- ensure incidents are identified and managed consistently
+- reduce harm through timely containment and response
+- support communication, reporting, and post-incident improvement
+
+## Principles / Policy Statements
+
+Security incidents and suspected security weaknesses must be reported promptly through approved channels.
+
+Incidents must be assessed to determine severity, impact, required response, and escalation needs.
+
+Response arrangements must consider BlackDice's cloud-native services, production environments, telemetry sources, customer impact, and supplier dependencies.
+
+Roles for containment, investigation, communication, and decision-making must be defined and exercised.
+
+Material incidents must result in documented lessons learned and corrective action where appropriate.
+
+## Roles and Responsibilities
+
+- [Role] must oversee incident response arrangements.
+- Personnel must report incidents and cooperate with response activity.
+- Service and system owners must support containment and recovery for their environments.
+- Management must support escalation, communication, and review.
+
+## Compliance / Exceptions
+
+Any deviation from required incident handling expectations must be documented and approved where practicable. Emergency actions taken during incident response must be recorded retrospectively.
+
+## Monitoring and Review
+
+This policy should be reviewed through incident trends, exercises, post-incident reviews, audit, and management review.
+
+## Related Documents
+
+- Information Security Policy
+- Security Incident Handling Procedure
+- Breach Notification Procedure
+- Corrective Action Procedure
+
+## Version Control
+
+| Version | Date | Description of Change | Author |
+| --- | --- | --- | --- |
+| 0.1 Draft | [DD Month YYYY] | Initial draft. | [Name or Role] |
--- a/01-policies/information-transfer-policy.md
+++ b/01-policies/information-transfer-policy.md
@@ -0,0 +1,64 @@
+Title: Information Transfer Policy
+Document ID: [POL-TRANSFER-001]
+Version: 0.1 Draft
+Status: Draft
+Owner: CISO (Paul Jenkins)
+Approver: CEO (Paul Hague)
+Classification: Internal
+Effective date: [DD Month YYYY]
+Review date: [DD Month YYYY]
+
+# Information Transfer Policy
+
+## Purpose
+
+This policy defines BlackDice's requirements for transferring information securely between internal teams, customers, suppliers, and other authorised parties.
+
+## Scope
+
+This policy applies to electronic and physical information transfer involving in-scope information, including customer communications, support processes, supplier exchanges, and operational data sharing.
+
+## Objectives
+
+- protect information during transfer against unauthorised access or loss
+- ensure transfers are appropriate to classification and business need
+- reduce risk in cross-organisational and multi-jurisdiction exchanges
+
+## Principles / Policy Statements
+
+Information must only be transferred where there is a legitimate business need and an approved transfer method appropriate to the information's sensitivity.
+
+Transfer mechanisms for sensitive information must include suitable protections such as access restriction, encryption, integrity assurance, and recipient validation where appropriate.
+
+Operational data shared with suppliers, customers, or operator-hosted environments must be limited to what is necessary and handled according to agreed requirements.
+
+Transfers that may involve legal, regulatory, or contractual obligations must be assessed and approved through the relevant process.
+
+Unauthorised use of personal email, consumer file-sharing, or other unapproved channels for sensitive business information must be prohibited.
+
+## Roles and Responsibilities
+
+- [Role] must define information transfer expectations.
+- Information owners must approve transfer arrangements where required.
+- Users must use approved methods and verify recipients before sharing sensitive information.
+
+## Compliance / Exceptions
+
+Exceptions to standard transfer controls must be documented, justified, and approved based on risk and business need.
+
+## Monitoring and Review
+
+This policy should be reviewed through incident analysis, supplier review, privacy review, and audit.
+
+## Related Documents
+
+- Information Security Policy
+- Data Classification and Handling Policy
+- Privacy and Data Protection Policy
+- Supplier Security Policy
+
+## Version Control
+
+| Version | Date | Description of Change | Author |
+| --- | --- | --- | --- |
+| 0.1 Draft | [DD Month YYYY] | Initial draft. | [Name or Role] |
--- a/01-policies/logging-and-monitoring-policy.md
+++ b/01-policies/logging-and-monitoring-policy.md
@@ -0,0 +1,64 @@
+Title: Logging and Monitoring Policy
+Document ID: [POL-LOGGING-001]
+Version: 0.1 Draft
+Status: Draft
+Owner: CISO (Paul Jenkins)
+Approver: CEO (Paul Hague)
+Classification: Internal
+Effective date: [DD Month YYYY]
+Review date: [DD Month YYYY]
+
+# Logging and Monitoring Policy
+
+## Purpose
+
+This policy defines BlackDice's expectations for generating, protecting, reviewing, and using logs and monitoring data to support security and operational oversight.
+
+## Scope
+
+This policy applies to in-scope applications, cloud services, Kubernetes environments, endpoints, identity systems, CI/CD platforms, and security monitoring processes.
+
+## Objectives
+
+- support detection of security events and operational issues
+- provide evidence for investigation, review, and assurance
+- protect monitoring data against unauthorised access or tampering
+
+## Principles / Policy Statements
+
+Logging and monitoring must be proportionate to the risk and criticality of the relevant service or system.
+
+Security-relevant activities should be logged where feasible, including authentication events, privileged actions, administrative changes, and significant production or security events.
+
+Logging arrangements for cloud-native and containerised services must consider distributed architectures, ephemeral workloads, and centralised analysis needs.
+
+Logs and telemetry that may contain sensitive information must be handled and retained according to approved requirements.
+
+Alerting and monitoring processes must support timely review and escalation of material issues.
+
+## Roles and Responsibilities
+
+- [Role] must define monitoring expectations and oversight arrangements.
+- System owners must ensure adequate logging exists for their services.
+- Operational teams must review alerts and respond through defined processes.
+
+## Compliance / Exceptions
+
+Gaps in required logging or monitoring coverage must be tracked, risk-assessed, and remediated or formally accepted.
+
+## Monitoring and Review
+
+This policy should be reviewed through control testing, incident handling, alert tuning, audit, and management review.
+
+## Related Documents
+
+- Information Security Policy
+- Logging and Alerting Standard
+- Security Incident Handling Procedure
+- Incident Register Template
+
+## Version Control
+
+| Version | Date | Description of Change | Author |
+| --- | --- | --- | --- |
+| 0.1 Draft | [DD Month YYYY] | Initial draft. | [Name or Role] |
--- a/01-policies/network-and-infrastructure-security-policy.md
+++ b/01-policies/network-and-infrastructure-security-policy.md
@@ -0,0 +1,64 @@
+Title: Network and Infrastructure Security Policy
+Document ID: [POL-NETINFRA-001]
+Version: 0.1 Draft
+Status: Draft
+Owner: CISO (Paul Jenkins)
+Approver: CEO (Paul Hague)
+Classification: Internal
+Effective date: [DD Month YYYY]
+Review date: [DD Month YYYY]
+
+# Network and Infrastructure Security Policy
+
+## Purpose
+
+This policy defines BlackDice's expectations for securing networks, infrastructure components, and supporting platform services.
+
+## Scope
+
+This policy applies to cloud networking, connectivity, infrastructure services, administrative access paths, supporting compute resources, and related management components within the ISMS scope.
+
+## Objectives
+
+- protect infrastructure and network pathways from unauthorised access or misuse
+- support segmentation, resilience, and controlled administration
+- reduce exposure from insecure configurations and unmanaged services
+
+## Principles / Policy Statements
+
+Infrastructure and network services must be designed and operated according to approved security requirements.
+
+Administrative interfaces and management paths must be restricted, monitored, and protected with stronger controls.
+
+Network exposure should be minimised according to business need, and externally accessible services must receive appropriate protection and review.
+
+Infrastructure security arrangements must consider cloud-native service patterns, container orchestration dependencies, and operator-facing deployment requirements where applicable.
+
+Changes to network and infrastructure controls must be subject to defined assessment and approval.
+
+## Roles and Responsibilities
+
+- [Role] must define infrastructure and network security expectations.
+- Platform and infrastructure owners must maintain secure configurations and access controls.
+- Operational teams must monitor and manage infrastructure risks.
+
+## Compliance / Exceptions
+
+Exceptions must be documented and approved where baseline infrastructure or network requirements cannot be met.
+
+## Monitoring and Review
+
+This policy should be reviewed through configuration reviews, vulnerability management, incident analysis, and audit.
+
+## Related Documents
+
+- Information Security Policy
+- Cloud Security Policy
+- Secure Configuration Standard
+- Change Management Policy
+
+## Version Control
+
+| Version | Date | Description of Change | Author |
+| --- | --- | --- | --- |
+| 0.1 Draft | [DD Month YYYY] | Initial draft. | [Name or Role] |
--- a/01-policies/physical-security-policy.md
+++ b/01-policies/physical-security-policy.md
@@ -0,0 +1,64 @@
+Title: Physical Security Policy
+Document ID: [POL-PHYSICAL-001]
+Version: 0.1 Draft
+Status: Draft
+Owner: CISO (Paul Jenkins)
+Approver: CEO (Paul Hague)
+Classification: Internal
+Effective date: [DD Month YYYY]
+Review date: [DD Month YYYY]
+
+# Physical Security Policy
+
+## Purpose
+
+This policy defines BlackDice's high-level requirements for protecting physical environments, assets, and information from unauthorised physical access, damage, or interference.
+
+## Scope
+
+This policy applies to offices, shared workspaces, storage areas, endpoint handling, and any other physical locations or facilities used for in-scope business activity. It also applies, where relevant, to third-party facilities that support in-scope operations.
+
+## Objectives
+
+- reduce risk arising from unauthorised physical access or asset loss
+- protect equipment and information used in business operations
+- support secure working across office, remote, and supplier-hosted environments
+
+## Principles / Policy Statements
+
+Physical access to locations handling sensitive information or important technology assets must be controlled according to risk and business need.
+
+Equipment and media containing sensitive information must be protected from theft, loss, damage, or unauthorised use.
+
+BlackDice must consider physical risks associated with office environments, remote working, shipped equipment, and any third-party hosting or operational facilities relevant to in-scope services.
+
+Clear desk, screen protection, visitor control, and secure disposal practices should be applied where appropriate to the working environment and information handled.
+
+Physical security responsibilities for supplier or cloud-hosted facilities must be understood as part of supplier and shared-responsibility arrangements.
+
+## Roles and Responsibilities
+
+- [Role] must define physical security expectations.
+- Location and asset owners must apply physical protections appropriate to their environments.
+- Personnel must protect assets and information from avoidable physical exposure.
+
+## Compliance / Exceptions
+
+Exceptions to required physical security measures must be documented and approved according to risk.
+
+## Monitoring and Review
+
+This policy should be reviewed through incidents, asset issues, supplier assurance, and audit.
+
+## Related Documents
+
+- Information Security Policy
+- Remote Working Policy
+- Asset Management and Acceptable Use Policy
+- Supplier Security Policy
+
+## Version Control
+
+| Version | Date | Description of Change | Author |
+| --- | --- | --- | --- |
+| 0.1 Draft | [DD Month YYYY] | Initial draft. | [Name or Role] |
--- a/01-policies/privacy-and-data-protection-policy.md
+++ b/01-policies/privacy-and-data-protection-policy.md
@@ -0,0 +1,64 @@
+Title: Privacy and Data Protection Policy
+Document ID: [POL-PRIVACY-001]
+Version: 0.1 Draft
+Status: Draft
+Owner: CISO (Paul Jenkins)
+Approver: CEO (Paul Hague)
+Classification: Internal
+Effective date: [DD Month YYYY]
+Review date: [DD Month YYYY]
+
+# Privacy and Data Protection Policy
+
+## Purpose
+
+This policy defines BlackDice's high-level approach to protecting personal data and supporting privacy obligations in the context of its ISMS.
+
+## Scope
+
+This policy applies to personal data processed within the ISMS scope, including data handled in business operations, customer service delivery, supplier relationships, and internal administration.
+
+## Objectives
+
+- support lawful, fair, and appropriate handling of personal data
+- reduce the risk of privacy harm, data misuse, and regulatory issue
+- ensure privacy considerations are reflected in security and operational practice
+
+## Principles / Policy Statements
+
+Personal data must be handled in accordance with applicable legal, regulatory, and contractual requirements.
+
+Collection, access, use, sharing, retention, and disposal of personal data must be limited to legitimate and authorised purposes.
+
+Privacy and security considerations must be considered when designing or changing services, processes, and supplier arrangements that may affect personal data.
+
+Where BlackDice operates across multiple jurisdictions or customer environments, applicable privacy obligations and transfer considerations must be identified and managed.
+
+Potential personal data breaches must be escalated promptly for assessment and response.
+
+## Roles and Responsibilities
+
+- [Role] must oversee privacy and data protection requirements relevant to the ISMS.
+- Process and system owners must identify where personal data is handled and apply appropriate controls.
+- Personnel must handle personal data only for authorised purposes and report concerns promptly.
+
+## Compliance / Exceptions
+
+No exception may override applicable legal obligations. Any control deviation must be reviewed with appropriate stakeholders and approved where lawful and justified.
+
+## Monitoring and Review
+
+This policy should be reviewed through breach handling, supplier review, risk assessment, legal change monitoring, and audit.
+
+## Related Documents
+
+- Information Security Policy
+- Data Classification and Handling Policy
+- Information Transfer Policy
+- Breach Notification Procedure
+
+## Version Control
+
+| Version | Date | Description of Change | Author |
+| --- | --- | --- | --- |
+| 0.1 Draft | [DD Month YYYY] | Initial draft. | [Name or Role] |
--- a/01-policies/records-retention-and-disposal-policy.md
+++ b/01-policies/records-retention-and-disposal-policy.md
@@ -0,0 +1,64 @@
+Title: Records Retention and Disposal Policy
+Document ID: [POL-RECORDS-001]
+Version: 0.1 Draft
+Status: Draft
+Owner: CISO (Paul Jenkins)
+Approver: CEO (Paul Hague)
+Classification: Internal
+Effective date: [DD Month YYYY]
+Review date: [DD Month YYYY]
+
+# Records Retention and Disposal Policy
+
+## Purpose
+
+This policy defines BlackDice's high-level requirements for retaining and disposing of business and ISMS records in a controlled manner.
+
+## Scope
+
+This policy applies to records created or maintained within the ISMS scope, including governance records, risk records, incident records, audit outputs, supplier records, and supporting operational evidence.
+
+## Objectives
+
+- retain records for as long as required by business, legal, contractual, and assurance needs
+- dispose of records securely when retention is no longer required
+- support traceability, evidence, and defensible record handling
+
+## Principles / Policy Statements
+
+Records must be retained according to defined retention requirements that reflect legal, regulatory, contractual, operational, and assurance needs.
+
+Records must remain accessible, accurate, and protected for the duration of their retention period.
+
+Disposal of records must be controlled and appropriate to the sensitivity of the information involved.
+
+ISMS records such as risks, incidents, audit findings, management reviews, and exceptions must be retained in a way that supports oversight and auditability.
+
+Where operational tooling is used as the system of record, retention and disposal arrangements must be understood and controlled.
+
+## Roles and Responsibilities
+
+- [Role] must define retention and disposal expectations.
+- Record owners must ensure records are retained and disposed of appropriately.
+- System owners must support retention controls where records are stored in business systems.
+
+## Compliance / Exceptions
+
+Any exception to approved retention or disposal requirements must be documented and approved by the relevant authority.
+
+## Monitoring and Review
+
+This policy should be reviewed through record sampling, legal change monitoring, audit, and management review.
+
+## Related Documents
+
+- Information Security Policy
+- Document and Records Control Standard
+- Data Retention Standard
+- Legal and Regulatory Obligations Register Template
+
+## Version Control
+
+| Version | Date | Description of Change | Author |
+| --- | --- | --- | --- |
+| 0.1 Draft | [DD Month YYYY] | Initial draft. | [Name or Role] |
--- a/01-policies/remote-working-policy.md
+++ b/01-policies/remote-working-policy.md
@@ -0,0 +1,64 @@
+Title: Remote Working Policy
+Document ID: [POL-REMOTE-001]
+Version: 0.1 Draft
+Status: Draft
+Owner: CISO (Paul Jenkins)
+Approver: CEO (Paul Hague)
+Classification: Internal
+Effective date: [DD Month YYYY]
+Review date: [DD Month YYYY]
+
+# Remote Working Policy
+
+## Purpose
+
+This policy defines BlackDice's high-level requirements for secure remote and hybrid working.
+
+## Scope
+
+This policy applies to personnel and contractors working remotely or outside controlled office locations while accessing in-scope systems, information, or services.
+
+## Objectives
+
+- reduce the risk of compromise associated with remote access and off-site working
+- support secure access to cloud platforms, code repositories, and business systems
+- protect information handled outside controlled premises
+
+## Principles / Policy Statements
+
+Remote working arrangements must use approved access methods and appropriate endpoint security controls.
+
+Personnel working remotely must take reasonable steps to protect devices, credentials, and information from unauthorised access, observation, theft, or loss.
+
+Use of public or shared environments must be managed carefully, particularly where sensitive information, privileged access, or customer-related work is involved.
+
+Remote administration of production systems, cloud environments, and CI/CD platforms must be subject to stronger control and monitoring.
+
+Local printing, storage, or transfer of sensitive information should be minimised and controlled.
+
+## Roles and Responsibilities
+
+- [Role] must define remote working security expectations.
+- Managers must ensure remote workers understand their obligations.
+- Remote workers must follow approved security practices and report issues promptly.
+
+## Compliance / Exceptions
+
+Exceptions to remote working requirements must be documented and approved based on risk and business need.
+
+## Monitoring and Review
+
+This policy should be reviewed through endpoint assurance, access review, incident handling, and audit.
+
+## Related Documents
+
+- Information Security Policy
+- Endpoint Security Policy
+- Access Control Policy
+- Asset Management and Acceptable Use Policy
+
+## Version Control
+
+| Version | Date | Description of Change | Author |
+| --- | --- | --- | --- |
+| 0.1 Draft | [DD Month YYYY] | Initial draft. | [Name or Role] |
--- a/01-policies/secure-development-policy.md
+++ b/01-policies/secure-development-policy.md
@@ -0,0 +1,64 @@
+Title: Secure Development Policy
+Document ID: [POL-SECDEV-001]
+Version: 0.1 Draft
+Status: Draft
+Owner: CISO (Paul Jenkins)
+Approver: CEO (Paul Hague)
+Classification: Internal
+Effective date: [DD Month YYYY]
+Review date: [DD Month YYYY]
+
+# Secure Development Policy
+
+## Purpose
+
+This policy defines BlackDice's high-level requirements for integrating security into software design, development, testing, and release activities.
+
+## Scope
+
+This policy applies to source code, infrastructure as code, build pipelines, code review, deployment workflows, and related engineering activities within the ISMS scope.
+
+## Objectives
+
+- reduce security defects introduced during development
+- ensure security is considered throughout the software lifecycle
+- support safe and repeatable change in cloud-native environments
+
+## Principles / Policy Statements
+
+Security requirements must be considered during design, development, testing, and release planning.
+
+Changes to source code, application configuration, infrastructure definitions, and deployment pipelines must be subject to controlled review and approval.
+
+Code changes affecting authentication, authorisation, data handling, cryptography, logging, or externally exposed services should receive additional security scrutiny.
+
+Build and release processes must be designed to reduce the risk of unauthorised change, insecure dependencies, or unsafe deployment to production environments.
+
+Development and test practices must be appropriate for BlackDice's cloud-native SaaS and Kubernetes-based operating model.
+
+## Roles and Responsibilities
+
+- Engineering leadership must ensure secure development expectations are embedded into delivery practices.
+- Developers must follow approved secure coding and review requirements.
+- [Role] must define supporting standards and assurance expectations.
+
+## Compliance / Exceptions
+
+Exceptions to required development controls must be documented, approved, and reviewed based on risk.
+
+## Monitoring and Review
+
+This policy should be monitored through code review records, pipeline assurance, vulnerability trends, incidents, and audit.
+
+## Related Documents
+
+- Information Security Policy
+- CI/CD Security Standard
+- Secure Code Review Standard
+- Change Management Policy
+
+## Version Control
+
+| Version | Date | Description of Change | Author |
+| --- | --- | --- | --- |
+| 0.1 Draft | [DD Month YYYY] | Initial draft. | [Name or Role] |
--- a/01-policies/supplier-security-policy.md
+++ b/01-policies/supplier-security-policy.md
@@ -0,0 +1,64 @@
+Title: Supplier Security Policy
+Document ID: [POL-SUPPLIER-001]
+Version: 0.1 Draft
+Status: Draft
+Owner: CISO (Paul Jenkins)
+Approver: CEO (Paul Hague)
+Classification: Internal
+Effective date: [DD Month YYYY]
+Review date: [DD Month YYYY]
+
+# Supplier Security Policy
+
+## Purpose
+
+This policy defines BlackDice's requirements for assessing and managing information security risk arising from suppliers and third-party service providers.
+
+## Scope
+
+This policy applies to suppliers that provide technology, hosting, development support, operational services, data processing, or other services relevant to the ISMS scope.
+
+## Objectives
+
+- manage supplier-related security and resilience risk
+- ensure supplier controls are proportionate to service criticality and information sensitivity
+- support ongoing oversight of important third-party relationships
+
+## Principles / Policy Statements
+
+Suppliers must be assessed for information security risk before onboarding where they support in-scope services or handle relevant information.
+
+The level of due diligence, contracting, and ongoing review must reflect the supplier's role, access, criticality, and risk.
+
+Shared responsibility boundaries with cloud providers, operator-hosted environments, and specialist security or telemetry providers must be understood and documented.
+
+Supplier arrangements should define relevant security expectations, notification obligations, and rights of review or assurance where appropriate.
+
+Material supplier changes, incidents, or control concerns must trigger reassessment.
+
+## Roles and Responsibilities
+
+- [Role] must oversee the supplier security framework.
+- Supplier owners must ensure due diligence and review activities are completed.
+- Procurement, legal, and operational stakeholders must support security review where applicable.
+
+## Compliance / Exceptions
+
+Onboarding or continued use of a supplier without required review must be risk-assessed and approved as an exception where unavoidable.
+
+## Monitoring and Review
+
+This policy should be monitored through supplier reviews, assurance evidence, incidents, contract changes, and audit.
+
+## Related Documents
+
+- Information Security Policy
+- Supplier Due Diligence Standard
+- Supplier Onboarding and Review Procedure
+- Supplier Register Template
+
+## Version Control
+
+| Version | Date | Description of Change | Author |
+| --- | --- | --- | --- |
+| 0.1 Draft | [DD Month YYYY] | Initial draft. | [Name or Role] |
--- a/01-policies/vulnerability-and-patch-management-policy.md
+++ b/01-policies/vulnerability-and-patch-management-policy.md
@@ -0,0 +1,64 @@
+Title: Vulnerability and Patch Management Policy
+Document ID: [POL-VULN-001]
+Version: 0.1 Draft
+Status: Draft
+Owner: CISO (Paul Jenkins)
+Approver: CEO (Paul Hague)
+Classification: Internal
+Effective date: [DD Month YYYY]
+Review date: [DD Month YYYY]
+
+# Vulnerability and Patch Management Policy
+
+## Purpose
+
+This policy defines BlackDice's expectations for identifying, assessing, prioritising, remediating, and tracking vulnerabilities and security patches.
+
+## Scope
+
+This policy applies to applications, cloud infrastructure, containers, Kubernetes components, endpoints, dependencies, and third-party software within the ISMS scope.
+
+## Objectives
+
+- reduce exposure to known vulnerabilities
+- apply patches and remediation actions within risk-based timeframes
+- maintain visibility of unresolved security weaknesses
+
+## Principles / Policy Statements
+
+BlackDice must maintain processes to identify vulnerabilities affecting in-scope systems and services.
+
+Vulnerabilities and missing security patches must be assessed according to business context, exploitability, exposure, and potential impact.
+
+Production-facing cloud workloads, externally exposed services, CI/CD components, and identity systems should receive prioritised remediation attention.
+
+Where immediate remediation is not possible, compensating controls, formal risk acceptance, or time-bound exceptions must be considered and recorded.
+
+Remediation activity must be tracked to closure and supported by appropriate evidence.
+
+## Roles and Responsibilities
+
+- [Role] must oversee vulnerability management requirements.
+- System and service owners must remediate issues affecting their assets.
+- Management must support prioritisation where remediation requires planned change or resource allocation.
+
+## Compliance / Exceptions
+
+Deferred remediation must be justified, recorded, approved where required, and reviewed until closure.
+
+## Monitoring and Review
+
+This policy should be monitored through vulnerability reporting, patch timeliness, exception tracking, incidents, and audit findings.
+
+## Related Documents
+
+- Information Security Policy
+- Vulnerability Management Procedure
+- Patch Management Procedure
+- Secure Configuration Standard
+
+## Version Control
+
+| Version | Date | Description of Change | Author |
+| --- | --- | --- | --- |
+| 0.1 Draft | [DD Month YYYY] | Initial draft. | [Name or Role] |