ISMS/README.md
2026-03-26 09:41:03 +00:00

BlackDice ISMS Documentation Starter Pack

This repository holds the first draft of a Markdown-based Information Security Management System (ISMS) documentation set aligned broadly to ISO/IEC 27001:2022 for BlackDice.

The structure is designed to separate governance, policy, standards, procedures, records, and assurance artefacts so the pack can grow without becoming difficult to navigate. Documents in this repository are intended to be working drafts for review and tailoring. They are not approved policies unless explicitly marked as such.

Current Status

The core starter pack described by the PRD is now present in the repository:

  • governance documents in isms/00-governance
  • policy documents in isms/01-policies
  • standards in isms/02-standards
  • procedures in isms/03-procedures
  • registers and templates in isms/04-registers
  • guidance notes in isms/05-guidance
  • audit and review artefacts in isms/06-audit-and-review

The top-level INDEX.md should be used as the authoritative navigation aid for the current document inventory.

Principles

  • Use Markdown for all controlled documents.
  • Keep filenames in kebab-case.
  • Maintain a consistent metadata block at the top of each controlled document.
  • Use placeholders such as [Role], [Team], [System], and [Frequency] where organisation-specific detail is not yet confirmed.
  • Keep policy documents high level, standards prescriptive, and procedures operational.
  • Reflect BlackDice's cloud-native SaaS, Kubernetes, CI/CD, security telemetry, and customer assurance context without inventing details.

Repository Layout

isms/
  00-governance/
  01-policies/
  02-standards/
  03-procedures/
  04-registers/
  05-guidance/
  06-audit-and-review/

Folder Model

isms/00-governance

Core ISMS framing and control documents that define scope, management intent, document control, objectives, risk method, and applicability.

Current contents:

  • ISMS Scope Statement
  • ISMS Manual
  • Information Security Policy
  • Risk Assessment and Treatment Methodology
  • Statement of Applicability Template
  • Information Security Objectives Template
  • Document and Records Control Standard

isms/01-policies

Policy-level control statements. These documents define what BlackDice expects and requires across core security domains.

Current contents:

  • Access Control Policy
  • Asset Management and Acceptable Use Policy
  • Data Classification and Handling Policy
  • Cryptography and Key Management Policy
  • Secure Development Policy
  • Vulnerability and Patch Management Policy
  • Logging and Monitoring Policy
  • Incident Response Policy
  • Backup and Recovery Policy
  • Business Continuity and Disaster Recovery Policy
  • Change Management Policy
  • Supplier Security Policy
  • Cloud Security Policy
  • Network and Infrastructure Security Policy
  • Endpoint Security Policy
  • Human Resources Security Policy
  • Information Transfer Policy
  • Privacy and Data Protection Policy
  • Records Retention and Disposal Policy
  • Remote Working Policy
  • Physical Security Policy

isms/02-standards

Implementation standards that translate policy into mandatory technical or operational requirements.

Current contents:

  • Identity and Authentication Standard
  • Secure Configuration Standard
  • Secrets Management Standard
  • Kubernetes Security Standard
  • CI/CD Security Standard
  • Logging and Alerting Standard
  • Secure Code Review Standard
  • Data Retention Standard
  • Supplier Due Diligence Standard

isms/03-procedures

Operational procedures that describe repeatable activities, triggers, steps, records, and escalation paths.

Current contents:

  • Joiner Mover Leaver Procedure
  • Access Review Procedure
  • Vulnerability Management Procedure
  • Patch Management Procedure
  • Security Incident Handling Procedure
  • Breach Notification Procedure
  • Backup Testing Procedure
  • Disaster Recovery Testing Procedure
  • Change Approval Procedure
  • Production Deployment Procedure
  • Exception Management Procedure
  • Supplier Onboarding and Review Procedure
  • Risk Assessment Procedure
  • Corrective Action Procedure
  • Internal Audit Procedure
  • Management Review Procedure

isms/04-registers

Templates and operational registers used to record evidence, track risk, and support governance activities.

Current contents:

  • Risk Register Template
  • Asset Register Template
  • Supplier Register Template
  • Legal and Regulatory Obligations Register Template
  • Security Exceptions Register Template
  • Training and Awareness Record Template
  • Corrective Actions Register Template
  • Internal Audit Plan Template
  • Management Review Minutes Template
  • Incident Register Template

isms/05-guidance

Supporting guidance notes, implementation aids, and explanatory material that help teams apply the policies, standards, and procedures consistently. This folder is intended for non-controlled or lower-control supporting material that should not override formal requirements.

Current contents:

  • README
  • Document Owner Guidance
  • Evidence and Audit Readiness Guidance
  • Risk and Exception Writing Guidance
  • Supplier Assurance Guidance
  • Secure Change and Deployment Guidance

isms/06-audit-and-review

Assurance and review outputs, including audit artefacts, review packs, improvement tracking support, and evidence linked to ISMS oversight activity.

Current contents:

  • README
  • Internal Audit Report Template
  • Internal Audit Working Paper Template
  • Management Review Pack Template
  • Control Review Note Template
  • Audit and Review Evidence Log Template

Document Naming Approach

Each document file should use a short, descriptive kebab-case filename derived from the document title. For example:

  • information-security-policy.md
  • secure-configuration-standard.md
  • security-incident-handling-procedure.md
  • risk-register-template.md

If needed later, filenames can be prefixed with document IDs once those IDs are agreed. Until then, titles should remain clear and stable.

Standard Metadata

Each controlled document should begin with the following metadata block:

Title: [Document Title]
Document ID: [DOC-ID]
Version: 0.1 Draft
Status: Draft
Owner: [Role]
Approver: [Role]
Classification: Internal
Effective date: [DD Month YYYY]
Review date: [DD Month YYYY]
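The naming and metadata conventions above are the kind of thing a pre-commit check can enforce so that document control does not depend on reviewers spotting a missing field by eye. The following checker is an added example, not code from the BlackDice ISMS pack: it verifies that a controlled document's filename is kebab-case, that its leading metadata block carries every key from the Standard Metadata template in the template's order, that a Draft status matches a Draft version, and it reports unresolved [Placeholder] fields. The rule that a document with a status other than Draft must not still contain placeholders is an assumption about how the pack is meant to mature, and the sample documents are constructed.

```python
"""Check controlled ISMS documents against the README's naming and metadata conventions.

Added example; not part of the BlackDice ISMS repository. Assumptions (labelled):
the metadata block is the run of "Key: value" lines at the top of the file, and a
document whose Status is anything other than Draft must have no placeholders left.
"""
import re
from dataclasses import dataclass, field

# Required keys, in the order the README's Standard Metadata block lists them.
REQUIRED_KEYS = [
    "Title", "Document ID", "Version", "Status", "Owner", "Approver",
    "Classification", "Effective date", "Review date",
]
KEBAB_CASE = re.compile(r"^[a-z0-9]+(-[a-z0-9]+)*\.md$")
PLACEHOLDER = re.compile(r"\[[A-Za-z][A-Za-z -]*\]")   # e.g. [Role], [DOC-ID], [DD Month YYYY]


@dataclass
class Finding:
    level: str      # "error" blocks acceptance, "warning" is advisory
    message: str


@dataclass
class Report:
    filename: str
    metadata: dict = field(default_factory=dict)
    findings: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not any(f.level == "error" for f in self.findings)


def parse_metadata(text: str) -> dict:
    """Read the leading 'Key: value' lines; stop at the first blank or non-matching line."""
    meta = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z][A-Za-z ]*?):\s*(.*)$", line)
        if not m:
            break
        meta[m.group(1)] = m.group(2).strip()
    return meta


def check_document(filename: str, text: str) -> Report:
    report = Report(filename)
    meta = parse_metadata(text)
    report.metadata = meta

    if not KEBAB_CASE.match(filename):
        report.findings.append(Finding("error", f"filename '{filename}' is not a kebab-case .md name"))

    for key in REQUIRED_KEYS:
        if key not in meta:
            report.findings.append(Finding("error", f"missing metadata field '{key}'"))

    # Required keys that are present should appear in the template's order.
    present = [k for k in meta if k in REQUIRED_KEYS]
    if present != [k for k in REQUIRED_KEYS if k in meta]:
        report.findings.append(Finding("warning", "metadata fields are out of the standard order"))

    status = meta.get("Status", "")
    if status == "Draft" and "Draft" not in meta.get("Version", ""):
        report.findings.append(Finding("warning", "Status is Draft but Version does not say Draft"))

    block = "\n".join(f"{k}: {v}" for k, v in meta.items())
    placeholders = sorted(set(PLACEHOLDER.findall(block)))
    if placeholders and status != "Draft":
        # Assumption: once a document leaves Draft, organisation-specific detail must be filled in.
        report.findings.append(Finding("error", "non-draft document still has placeholders: " + ", ".join(placeholders)))
    elif placeholders:
        report.findings.append(Finding("warning", "placeholders still to resolve: " + ", ".join(placeholders)))
    return report


# Constructed sample documents, not taken from the repository.
DRAFT_DOC = """Title: Information Security Policy
Document ID: [DOC-ID]
Version: 0.1 Draft
Status: Draft
Owner: [Role]
Approver: [Role]
Classification: Internal
Effective date: [DD Month YYYY]
Review date: [DD Month YYYY]

Policy text goes here.
"""

APPROVED_DOC = """Title: Access Control Policy
Document ID: EXAMPLE-ID-001
Version: 1.0
Status: Approved
Owner: [Role]
Approver: [Role]
Classification: Internal
Effective date: 01 April 2026
Review date: 01 April 2027
"""

if __name__ == "__main__":
    for name, text in [("information-security-policy.md", DRAFT_DOC),
                       ("access-control-policy.md", APPROVED_DOC),
                       ("Access_Control_Policy.md", APPROVED_DOC)]:
        r = check_document(name, text)
        print(f"{name}: {'OK' if r.ok else 'FAIL'}")
        for f in r.findings:
            print(f"  [{f.level}] {f.message}")
```

Run it over the `isms/` tree from a CI job or a pre-commit hook and fail the build on any `error` finding; the `warning` findings give the document owner the list of placeholders still to resolve, which is exactly the first item under Next Review Focus.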

Organisation Rules

  • Governance documents define the ISMS framework and cross-cutting controls.
  • Policies state management direction and mandatory expectations.
  • Standards define how policy requirements are implemented in practice.
  • Procedures define repeatable operational steps, evidence, and escalation.
  • Registers capture data, decisions, and audit evidence in structured form.
  • Guidance supports implementation but should not conflict with controlled documents.

Next Review Focus

The next quality and tailoring pass should focus on:

  1. assigning real document owners, approvers, dates, and document IDs where available
  2. aligning risk scales, review frequencies, and approval authorities to BlackDice operating practice
  3. strengthening any domain-specific wording where BlackDice wants more explicit control requirements
  4. adding guidance notes and operational evidence examples where they will help adoption