Initial commit

2026-03-26 09:35:22 +00:00
parent 0d73f76688
commit 5eade2d99b
76 changed files with 5512 additions and 0 deletions
--- a/06-audit-and-review/README.md
+++ b/06-audit-and-review/README.md
@@ -0,0 +1,19 @@
+# Audit And Review Artefacts
+
+This folder contains working artefacts and output templates used to operate the ISMS assurance and review cycle.
+
+Unlike the controlled policy, standard, procedure, and register set, documents in this folder are intended to support execution of audit, management review, and periodic control review activities. Some artefacts may become records of performed activities once completed.
+
+## Current Artefacts
+
+- `internal-audit-report-template.md`
+- `internal-audit-working-paper-template.md`
+- `management-review-pack-template.md`
+- `control-review-note-template.md`
+- `audit-and-review-evidence-log-template.md`
+
+## How To Use This Folder
+
+- Use the procedure set in `../03-procedures` to determine when and how the activity should be performed.
+- Use the templates in this folder to capture working notes, outputs, and review evidence consistently.
+- Where a completed artefact becomes part of the formal ISMS record, retain it in line with document and records retention requirements.
--- a/06-audit-and-review/audit-and-review-evidence-log-template.md
+++ b/06-audit-and-review/audit-and-review-evidence-log-template.md
@@ -0,0 +1,63 @@
+Title: Audit and Review Evidence Log Template
+Document ID: [REVIEW-EVIDENCE-001]
+Version: 0.1 Draft
+Status: Draft
+Owner: CISO (Paul Jenkins)
+Approver: CISO (Paul Jenkins)
+Classification: Internal
+Effective date: [DD Month YYYY]
+Review date: [DD Month YYYY]
+
+# Audit And Review Evidence Log Template
+
+## Purpose
+
+This template provides a simple log for tracking evidence collected or referenced during audit and management review activity.
+
+## Scope
+
+This log applies to evidence used in internal audits, management reviews, control reviews, and follow-up assurance activity.
+
+## Data Fields / Expected Columns
+
+The log should record at least:
+
+- evidence reference
+- activity type
+- related audit or review
+- evidence description
+- source location
+- owner
+- date collected or reviewed
+- reviewer
+- notes
+
+## Ownership
+
+This log should be owned by CISO (Paul Jenkins) or a delegated assurance coordinator.
+
+## Update Frequency
+
+The log should be updated as evidence is requested, reviewed, or added to an audit or review pack.
+
+## Retention
+
+Completed logs should be retained with the associated audit or review records in line with retention requirements.
+
+## Template Table
+
+| Evidence Reference | Activity Type | Related Audit / Review | Evidence Description | Source Location | Owner | Date Collected / Reviewed | Reviewer | Notes |
+| --- | --- | --- | --- | --- | --- | --- | --- | --- |
+| [EV-001] | [Audit / Management Review / Control Review] | [Reference] | [Description] | [Path / system / link reference] | [Role] | [DD Month YYYY] | [Name / Role] | [Notes] |
+
+## Related Documents
+
+- Internal Audit Procedure
+- Management Review Procedure
+- Evidence and Audit Readiness Guidance
+
+## Version Control
+
+| Version | Date | Description of Change | Author |
+| --- | --- | --- | --- |
+| 0.1 Draft | [DD Month YYYY] | Initial draft. | [Name or Role] |
--- a/06-audit-and-review/control-review-note-template.md
+++ b/06-audit-and-review/control-review-note-template.md
@@ -0,0 +1,61 @@
+Title: Control Review Note Template
+Document ID: [REVIEW-CONTROL-001]
+Version: 0.1 Draft
+Status: Draft
+Owner: CISO (Paul Jenkins)
+Approver: CISO (Paul Jenkins)
+Classification: Internal
+Effective date: [DD Month YYYY]
+Review date: [DD Month YYYY]
+
+# Control Review Note Template
+
+## Purpose
+
+This template provides a lightweight format for recording periodic review of a specific control, process, or requirement outside a full internal audit.
+
+## Review Details
+
+- Review title: [Title]
+- Control or process reviewed: [Name]
+- Review owner: [Role]
+- Review date: [DD Month YYYY]
+- Review period: [Period]
+
+## Review Objective
+
+[State what the review was intended to confirm.]
+
+## Evidence Considered
+
+- [Document or record]
+- [System output]
+- [Interview or walkthrough]
+
+## Review Outcome
+
+| Area Reviewed | Result | Notes | Follow-up Required |
+| --- | --- | --- | --- |
+| [Area] | [Effective / Partially Effective / Ineffective] | [Notes] | [Yes / No] |
+
+## Issues Or Improvement Notes
+
+[Summarise any concerns, gaps, or good practice observed.]
+
+## Actions
+
+| Action | Owner | Due Date | Status |
+| --- | --- | --- | --- |
+| [Action] | [Role] | [DD Month YYYY] | [Open / Closed] |
+
+## Related Documents
+
+- Internal Audit Procedure
+- Management Review Procedure
+- Corrective Action Procedure
+
+## Version Control
+
+| Version | Date | Description of Change | Author |
+| --- | --- | --- | --- |
+| 0.1 Draft | [DD Month YYYY] | Initial draft. | [Name or Role] |
--- a/06-audit-and-review/internal-audit-report-template.md
+++ b/06-audit-and-review/internal-audit-report-template.md
@@ -0,0 +1,82 @@
+Title: Internal Audit Report Template
+Document ID: [AUD-REPORT-001]
+Version: 0.1 Draft
+Status: Draft
+Owner: CISO (Paul Jenkins)
+Approver: CISO (Paul Jenkins)
+Classification: Internal
+Effective date: [DD Month YYYY]
+Review date: [DD Month YYYY]
+
+# Internal Audit Report Template
+
+## Purpose
+
+This template provides a consistent structure for reporting the outcome of an internal ISMS audit.
+
+## Audit Details
+
+- Audit reference: [AUD-XXX]
+- Audit title: [Title]
+- Audit scope: [Scope]
+- Audit criteria: [Policies, standards, procedures, clauses, or other criteria]
+- Audit period: [DD Month YYYY to DD Month YYYY]
+- Auditor(s): [Name / Role]
+- Auditee(s): [Name / Role / Team]
+- Report date: [DD Month YYYY]
+
+## Audit Objective
+
+[State the purpose of the audit and what it was intended to confirm.]
+
+## Summary Conclusion
+
+[Summarise whether the audited area appears conformant, effective, partially effective, or materially deficient.]
+
+## Work Performed
+
+Describe the work completed, for example:
+
+- document review
+- interviews
+- walkthroughs
+- sample testing
+- evidence review
+
+## Findings
+
+| Finding ID | Rating | Requirement / Criteria | Finding Summary | Evidence Reference | Owner | Due Date |
+| --- | --- | --- | --- | --- | --- | --- |
+| [F-001] | [Observation / Minor / Major] | [Requirement] | [Summary] | [Evidence] | [Role] | [DD Month YYYY] |
+
+## Positive Practices
+
+[Record notable strengths, effective controls, or improvements observed.]
+
+## Nonconformities And Improvement Areas
+
+[Summarise the main control gaps, recurring issues, or themes.]
+
+## Agreed Actions
+
+| Action ID | Action Description | Owner | Target Date | Linked Finding |
+| --- | --- | --- | --- | --- |
+| [CA-001] | [Action] | [Role] | [DD Month YYYY] | [F-001] |
+
+## Distribution
+
+- [Role / Team]
+- [Role / Team]
+
+## Related Documents
+
+- Internal Audit Procedure
+- Internal Audit Plan Template
+- Corrective Action Procedure
+- Corrective Actions Register Template
+
+## Version Control
+
+| Version | Date | Description of Change | Author |
+| --- | --- | --- | --- |
+| 0.1 Draft | [DD Month YYYY] | Initial draft. | [Name or Role] |
--- a/06-audit-and-review/internal-audit-working-paper-template.md
+++ b/06-audit-and-review/internal-audit-working-paper-template.md
@@ -0,0 +1,73 @@
+Title: Internal Audit Working Paper Template
+Document ID: [AUD-WP-001]
+Version: 0.1 Draft
+Status: Draft
+Owner: CISO (Paul Jenkins)
+Approver: CISO (Paul Jenkins)
+Classification: Internal
+Effective date: [DD Month YYYY]
+Review date: [DD Month YYYY]
+
+# Internal Audit Working Paper Template
+
+## Purpose
+
+This template provides a structure for audit planning notes, sample records, evidence references, and evaluator observations during an internal audit.
+
+## Audit Details
+
+- Audit reference: [AUD-XXX]
+- Audit topic: [Topic]
+- Auditor: [Name / Role]
+- Date(s): [DD Month YYYY]
+- Area reviewed: [Team / Service / Control Area]
+
+## Audit Criteria
+
+- [Criterion 1]
+- [Criterion 2]
+- [Criterion 3]
+
+## Sample Plan
+
+| Sample Item | Population | Selection Basis | Sample Size | Notes |
+| --- | --- | --- | --- | --- |
+| [Access review records] | [Population] | [Risk / judgement / random] | [Number] | [Notes] |
+
+## Evidence Reviewed
+
+| Evidence Reference | Evidence Description | Date Reviewed | Source | Observation |
+| --- | --- | --- | --- | --- |
+| [EV-001] | [Description] | [DD Month YYYY] | [System / document / interview] | [Observation] |
+
+## Interviews And Walkthroughs
+
+| Interviewee | Role | Date | Topic | Key Notes |
+| --- | --- | --- | --- | --- |
+| [Name] | [Role] | [DD Month YYYY] | [Topic] | [Notes] |
+
+## Auditor Assessment Notes
+
+### Conformant Areas
+
+[Notes]
+
+### Gaps Or Concerns
+
+[Notes]
+
+### Follow-up Questions
+
+[Notes]
+
+## Related Documents
+
+- Internal Audit Procedure
+- Internal Audit Report Template
+- Evidence and Audit Readiness Guidance
+
+## Version Control
+
+| Version | Date | Description of Change | Author |
+| --- | --- | --- | --- |
+| 0.1 Draft | [DD Month YYYY] | Initial draft. | [Name or Role] |
--- a/06-audit-and-review/management-review-pack-template.md
+++ b/06-audit-and-review/management-review-pack-template.md
@@ -0,0 +1,101 @@
+Title: Management Review Pack Template
+Document ID: [MR-PACK-001]
+Version: 0.1 Draft
+Status: Draft
+Owner: CISO (Paul Jenkins)
+Approver: CISO (Paul Jenkins)
+Classification: Internal
+Effective date: [DD Month YYYY]
+Review date: [DD Month YYYY]
+
+# Management Review Pack Template
+
+## Purpose
+
+This template provides a consistent structure for assembling the inputs to a formal ISMS management review.
+
+## Review Details
+
+- Review period: [Period]
+- Review date: [DD Month YYYY]
+- Chair: [Role]
+- Participants: [Names / Roles]
+- Prepared by: [Role]
+
+## Executive Summary
+
+[Summarise the overall status of the ISMS and the key decisions required.]
+
+## Review Inputs
+
+### Information Security Objectives
+
+- current objectives status
+- missed targets or at-risk items
+- proposed new or revised objectives
+
+### Risk And Exception Status
+
+- top open risks
+- newly accepted risks
+- expired or overdue exceptions
+- themes requiring management attention
+
+### Incident And Breach Summary
+
+- material incidents during the period
+- lessons learned
+- any notifiable or high-impact events
+
+### Audit And Assurance Summary
+
+- audits completed
+- key findings and themes
+- overdue corrective actions
+
+### Supplier And Dependency Issues
+
+- key supplier reviews
+- assurance gaps
+- material supplier incidents or changes
+
+### Change And Operational Themes
+
+- significant change failures or concerns
+- recurring operational issues
+- resilience or recovery concerns
+
+### Training And Awareness
+
+- completion status
+- overdue or role-specific gaps
+
+### Improvement Opportunities
+
+- proposed control improvements
+- resourcing or prioritisation needs
+
+## Decisions Required
+
+| Decision Area | Summary | Proposed Decision | Owner |
+| --- | --- | --- | --- |
+| [Area] | [Summary] | [Decision] | [Role] |
+
+## Actions Proposed
+
+| Action | Owner | Target Date | Priority | Linked Input |
+| --- | --- | --- | --- | --- |
+| [Action] | [Role] | [DD Month YYYY] | [Low/Medium/High] | [Risk / audit / incident / objective] |
+
+## Related Documents
+
+- Management Review Procedure
+- Management Review Minutes Template
+- Information Security Objectives Template
+- Corrective Actions Register Template
+
+## Version Control
+
+| Version | Date | Description of Change | Author |
+| --- | --- | --- | --- |
+| 0.1 Draft | [DD Month YYYY] | Initial draft. | [Name or Role] |