Initial commit
62
05-guidance/document-owner-guidance.md
Normal file
@@ -0,0 +1,62 @@
# Document Owner Guidance

## Purpose

This guidance note helps document owners maintain ISMS documents consistently and with the right level of quality.

## Who This Is For

This note is for document owners, approvers, reviewers, and anyone asked to update controlled ISMS documents.

## What Good Looks Like

A well-maintained ISMS document should:

- reflect how BlackDice actually operates
- avoid invented tools, teams, or approvals
- use clear ownership and review dates
- align with the related policy, standard, procedure, or register
- be specific enough to guide behaviour without turning policy into procedure

## Practical Owner Checks

Before updating or approving a document, check:

- the metadata is complete and current
- the document purpose and scope still match reality
- cross-references point to the right current documents
- placeholders still in the document are genuinely unresolved
- statements about control operation are supportable with evidence
- the document still fits its type

Policy should say what BlackDice requires.

Standard should say what must be implemented.

Procedure should say how an activity is carried out.

Register or template should say what information must be recorded.

## When A Document Should Be Updated

Review or update the document when:

- the review date is due
- a control or process changes materially
- audit or incident findings show it is inaccurate
- ownership changes
- supplier, legal, or customer obligations materially change the requirement

## Common Mistakes To Avoid

- keeping placeholders that are already known
- writing future-state wording as if it is already operational
- duplicating the same requirement in too many places
- adding procedural detail into policy documents
- leaving evidence expectations unclear

## Related Documents

- `../../00-governance/document-and-records-control-standard.md`
- `../../00-governance/isms-manual.md`
- `../../00-governance/information-security-policy.md`
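
Review bot: The three paths under "Related Documents" start with `../../`, but the file is added at `05-guidance/document-owner-guidance.md`, so two levels up climbs above the directory that holds `05-guidance`. If `00-governance` is a sibling of `05-guidance` (an assumption, since the commit shows only this one file), the links should read `../00-governance/...`, which would also satisfy the note's own check that "cross-references point to the right current documents". Separately, the file opens directly with the `# Document Owner Guidance` heading and carries no owner, version, or review-date block, although it asks owners to confirm that "the metadata is complete and current". Consider adding that metadata here so the guidance meets its own standard.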