15 KiB
15 KiB
ISMS Document Index
This index lists the ISMS documents currently created in this repository and the purpose of each document. It is intended to help document owners, reviewers, and auditors navigate the draft pack.
Governance
| Document | Path | Purpose |
|---|---|---|
| ISMS Scope Statement | isms/00-governance/isms-scope-statement.md |
Defines the intended boundary of the ISMS, including in-scope activities, assets, and exclusions. |
| ISMS Manual | isms/00-governance/isms-manual.md |
Describes how the ISMS is structured and how the documentation set, governance processes, and improvement cycle fit together. |
| Information Security Policy | isms/00-governance/information-security-policy.md |
States BlackDice's overall information security direction and high-level control expectations. |
| Risk Assessment and Treatment Methodology | isms/00-governance/risk-assessment-and-treatment-methodology.md |
Defines the method for identifying, assessing, treating, and accepting information security risk. |
| Statement of Applicability | isms/00-governance/statement-of-applicability.md |
Records the draft applicability of all Annex A controls, policy cross-references, and inclusion rationale. |
| Statement of Applicability Template | isms/00-governance/statement-of-applicability-template.md |
Provides the template for recording control applicability, justification, and implementation status. |
| Information Security Objectives Template | isms/00-governance/information-security-objectives-template.md |
Provides the template for defining and tracking information security objectives and measures. |
| Document and Records Control Standard | isms/00-governance/document-and-records-control-standard.md |
Defines the minimum requirements for maintaining controlled ISMS documents and records. |
Policies
| Document | Path | Purpose |
|---|---|---|
| Access Control Policy | isms/01-policies/access-control-policy.md |
Defines high-level requirements for access provisioning, privilege control, and access review. |
| Asset Management and Acceptable Use Policy | isms/01-policies/asset-management-and-acceptable-use-policy.md |
Defines expectations for identifying assets and using company resources appropriately. |
| Data Classification and Handling Policy | isms/01-policies/data-classification-and-handling-policy.md |
Defines how information should be classified, handled, stored, transferred, and disposed of. |
| Cryptography and Key Management Policy | isms/01-policies/cryptography-and-key-management-policy.md |
Defines expectations for cryptographic protection and control of keys, secrets, and certificates. |
| Secure Development Policy | isms/01-policies/secure-development-policy.md |
Defines high-level secure software and delivery lifecycle requirements. |
| Vulnerability and Patch Management Policy | isms/01-policies/vulnerability-and-patch-management-policy.md |
Defines expectations for vulnerability identification, prioritisation, remediation, and deferral. |
| Logging and Monitoring Policy | isms/01-policies/logging-and-monitoring-policy.md |
Defines expectations for logging, telemetry protection, monitoring, and alert review. |
| Incident Response Policy | isms/01-policies/incident-response-policy.md |
Defines the high-level approach to incident reporting, assessment, response, and learning. |
| Backup and Recovery Policy | isms/01-policies/backup-and-recovery-policy.md |
Defines expectations for backup coverage, protection, recovery, and testing. |
| Business Continuity and Disaster Recovery Policy | isms/01-policies/business-continuity-and-disaster-recovery-policy.md |
Defines continuity and recovery expectations for disruptive events. |
| Change Management Policy | isms/01-policies/change-management-policy.md |
Defines high-level requirements for assessing, approving, and tracking change. |
| Supplier Security Policy | isms/01-policies/supplier-security-policy.md |
Defines requirements for managing security risk from suppliers and service providers. |
| Cloud Security Policy | isms/01-policies/cloud-security-policy.md |
Defines expectations for secure use and operation of cloud platforms and services. |
| Network and Infrastructure Security Policy | isms/01-policies/network-and-infrastructure-security-policy.md |
Defines expectations for securing infrastructure services, network exposure, and administration paths. |
| Endpoint Security Policy | isms/01-policies/endpoint-security-policy.md |
Defines high-level requirements for securing endpoints used to access company systems and information. |
| Human Resources Security Policy | isms/01-policies/human-resources-security-policy.md |
Defines personnel lifecycle security expectations from onboarding through offboarding. |
| Information Transfer Policy | isms/01-policies/information-transfer-policy.md |
Defines requirements for secure internal and external information transfer. |
| Privacy and Data Protection Policy | isms/01-policies/privacy-and-data-protection-policy.md |
Defines the high-level approach to protecting personal data and supporting privacy obligations. |
| Records Retention and Disposal Policy | isms/01-policies/records-retention-and-disposal-policy.md |
Defines expectations for retaining and securely disposing of business and ISMS records. |
| Remote Working Policy | isms/01-policies/remote-working-policy.md |
Defines security expectations for remote and hybrid working arrangements. |
| Physical Security Policy | isms/01-policies/physical-security-policy.md |
Defines high-level requirements for protecting physical environments, assets, and information. |
Standards
| Document | Path | Purpose |
|---|---|---|
| Identity and Authentication Standard | isms/02-standards/identity-and-authentication-standard.md |
Defines minimum requirements for identity lifecycle control, authentication strength, and account management. |
| Secure Configuration Standard | isms/02-standards/secure-configuration-standard.md |
Defines baseline secure configuration expectations for systems, services, and platforms. |
| Secrets Management Standard | isms/02-standards/secrets-management-standard.md |
Defines requirements for storing, using, rotating, and retiring secrets and related sensitive authentication material. |
| Kubernetes Security Standard | isms/02-standards/kubernetes-security-standard.md |
Defines minimum requirements for securing Kubernetes clusters, workloads, and control planes. |
| CI/CD Security Standard | isms/02-standards/ci-cd-security-standard.md |
Defines minimum security requirements for build, delivery, and deployment automation workflows. |
| Logging and Alerting Standard | isms/02-standards/logging-and-alerting-standard.md |
Defines requirements for log generation, protection, alerting, and review of security-relevant events. |
| Secure Code Review Standard | isms/02-standards/secure-code-review-standard.md |
Defines minimum requirements for security-focused review of code and related engineering changes. |
| Data Retention Standard | isms/02-standards/data-retention-standard.md |
Defines how retention periods should be set, applied, and evidenced across information and records. |
| Supplier Due Diligence Standard | isms/02-standards/supplier-due-diligence-standard.md |
Defines the minimum due diligence requirements for onboarding and reviewing suppliers. |
Procedures
| Document | Path | Purpose |
|---|---|---|
| Joiner Mover Leaver Procedure | isms/03-procedures/joiner-mover-leaver-procedure.md |
Defines how access and related assets should be provisioned, changed, and removed across the worker lifecycle. |
| Access Review Procedure | isms/03-procedures/access-review-procedure.md |
Defines how access rights should be reviewed, validated, and corrected at planned intervals. |
| Vulnerability Management Procedure | isms/03-procedures/vulnerability-management-procedure.md |
Defines how vulnerabilities are identified, assessed, prioritised, tracked, and closed. |
| Patch Management Procedure | isms/03-procedures/patch-management-procedure.md |
Defines how security patches are assessed, scheduled, deployed, and verified. |
| Security Incident Handling Procedure | isms/03-procedures/security-incident-handling-procedure.md |
Defines the operational workflow for handling information security incidents. |
| Breach Notification Procedure | isms/03-procedures/breach-notification-procedure.md |
Defines how potential legal, regulatory, contractual, or customer notification obligations are assessed and executed. |
| Backup Testing Procedure | isms/03-procedures/backup-testing-procedure.md |
Defines how backup restoration capability should be tested and recorded. |
| Disaster Recovery Testing Procedure | isms/03-procedures/disaster-recovery-testing-procedure.md |
Defines how disaster recovery exercises should be planned, executed, and followed up. |
| Change Approval Procedure | isms/03-procedures/change-approval-procedure.md |
Defines how changes are assessed, reviewed, approved, and recorded before implementation. |
| Production Deployment Procedure | isms/03-procedures/production-deployment-procedure.md |
Defines how production deployments are prepared, executed, validated, and, if needed, rolled back. |
| Exception Management Procedure | isms/03-procedures/exception-management-procedure.md |
Defines how security control exceptions are requested, assessed, approved, reviewed, and closed. |
| Supplier Onboarding and Review Procedure | isms/03-procedures/supplier-onboarding-and-review-procedure.md |
Defines how suppliers are assessed, onboarded, reviewed, and tracked. |
| Risk Assessment Procedure | isms/03-procedures/risk-assessment-procedure.md |
Defines how information security risk assessments are performed and recorded using the approved methodology. |
| Corrective Action Procedure | isms/03-procedures/corrective-action-procedure.md |
Defines how corrective actions are recorded, assigned, tracked, and closed. |
| Internal Audit Procedure | isms/03-procedures/internal-audit-procedure.md |
Defines how internal ISMS audits are planned, conducted, reported, and followed up. |
| Management Review Procedure | isms/03-procedures/management-review-procedure.md |
Defines how formal ISMS management reviews are prepared, conducted, recorded, and tracked. |
Registers and Templates
| Document | Path | Purpose |
|---|---|---|
| Risk Register Template | isms/04-registers/risk-register-template.md |
Provides the structure for recording and tracking information security risks. |
| Asset Register Template | isms/04-registers/asset-register-template.md |
Provides the structure for recording in-scope information and technology assets. |
| Supplier Register Template | isms/04-registers/supplier-register-template.md |
Provides the structure for tracking suppliers, their assurance status, and review cadence. |
| Legal and Regulatory Obligations Register Template | isms/04-registers/legal-and-regulatory-obligations-register-template.md |
Provides the structure for recording legal, regulatory, and contractual obligations relevant to the ISMS. |
| Security Exceptions Register Template | isms/04-registers/security-exceptions-register-template.md |
Provides the structure for recording approved security exceptions and their review status. |
| Training and Awareness Record Template | isms/04-registers/training-and-awareness-record-template.md |
Provides the structure for recording training and awareness assignment and completion. |
| Corrective Actions Register Template | isms/04-registers/corrective-actions-register-template.md |
Provides the structure for tracking corrective actions arising from issues, findings, and reviews. |
| Internal Audit Plan Template | isms/04-registers/internal-audit-plan-template.md |
Provides the structure for planning internal ISMS audits across the audit cycle. |
| Management Review Minutes Template | isms/04-registers/management-review-minutes-template.md |
Provides the structure for recording formal ISMS management review meetings and outputs. |
| Incident Register Template | isms/04-registers/incident-register-template.md |
Provides the structure for recording security incidents and tracking their lifecycle. |
Guidance
| Document | Path | Purpose |
|---|---|---|
| Guidance Folder README | isms/05-guidance/README.md |
Explains the purpose of the guidance set and how it should be used alongside controlled documents. |
| Document Owner Guidance | isms/05-guidance/document-owner-guidance.md |
Helps document owners maintain ISMS documents consistently and at the right level of detail. |
| Evidence and Audit Readiness Guidance | isms/05-guidance/evidence-and-audit-readiness-guidance.md |
Explains what good operational evidence looks like and how to think about audit readiness. |
| Risk and Exception Writing Guidance | isms/05-guidance/risk-and-exception-writing-guidance.md |
Helps authors write clearer risks, treatment actions, and exception justifications. |
| Supplier Assurance Guidance | isms/05-guidance/supplier-assurance-guidance.md |
Helps teams apply supplier review and shared-responsibility thinking proportionately. |
| Secure Change and Deployment Guidance | isms/05-guidance/secure-change-and-deployment-guidance.md |
Helps teams apply change and deployment controls consistently in a cloud-native environment. |
Audit and Review
| Document | Path | Purpose |
|---|---|---|
| Audit and Review Folder README | isms/06-audit-and-review/README.md |
Explains the purpose of the audit and review artefact set and how it should be used. |
| Internal Audit Report Template | isms/06-audit-and-review/internal-audit-report-template.md |
Provides a standard structure for reporting internal audit outcomes. |
| Internal Audit Working Paper Template | isms/06-audit-and-review/internal-audit-working-paper-template.md |
Provides a structure for audit planning notes, samples, evidence references, and observations. |
| Management Review Pack Template | isms/06-audit-and-review/management-review-pack-template.md |
Provides a standard structure for assembling management review inputs and decision points. |
| Control Review Note Template | isms/06-audit-and-review/control-review-note-template.md |
Provides a lightweight format for periodic review of a specific control or process. |
| Audit and Review Evidence Log Template | isms/06-audit-and-review/audit-and-review-evidence-log-template.md |
Provides a simple log for tracking evidence used in audit and management review activities. |