Initial commit

2026-04-19 15:29:42 +02:00 · 2026-04-19 15:29:42 +02:00 · 570d74d4dd
commit 570d74d4dd
67 changed files with 4609 additions and 0 deletions
--- a/Applications.md
+++ b/Applications.md
@ -0,0 +1,87 @@
+# Policy Card Example for Access to Software Applications
+
+- PolicyTitle: "Application access policy "
+- RelevantStandardArticles: <tags>  ISO27001:2022:A.5.15, ISO27001:2022:A.5.18
+- VersionControl
+	- VersionNumber: 3.14
+	- VersionDate: 15-12-2024
+	- DocumentOwner: "Alex Hanover"
+	- ApprovedBy: "Marian Faithful" <signature>
+	- ApprovedDate: 08-01-2025
+	- NextReview: 15-12-2025
+- Purpose
+	- Goal (in terms of risk mitigation): "To protect classified data from unauthorized access"
+	- Scope : "All applications in use within the organization" // E.g. organization as a whole vs. topic-specific: certain business activities, organizational units, or the implementation of specific controls. Also define Exemptions and Exceptions.
+	- RisksMitigated: "Unauthorized access to classified data" // outcome from the Risk Analysis activity
+	- ControlsImplemented: <tags> ISO27001:2022:5.15, ISO27001:2022:5.18
+- Method
+	- Implementation ('How it's done'): "To mitigate the risk of X, controls A, B and C will be implemented on asset Y by Responsible Z. The effectiveness will be measured through P and will be evaluated by Q according to method R, following planning S."
+	- Metrics: "Number of users with unjustly granted access to each application, compared to the necessary access following from the Job Framework " (to establish effectiveness)
+	- Measurement: "The number of users with unjust access will be determined each quarter by HR, based on the current access matrix delivered by IT" // How, When, and By Whom
+	- Evaluation: "The effectiveness of the control will be evaluated quarterly by the Compliance Officer in a meeting with HR and IT" // How, When, and By Whom
+- Reviews and Changes
+	- Review: "This policy will be reviewed yearly or if relevant and significant changes occur in the organization, in a meeting with the CISO, COO and Compliance Officer"
+	- Changes: "Changes to this policy will be prepared by the policy o"
+	- Responsibilities (for implementation and review)
+		- PolicyWriting: "IT consultant" 
+		- PolicyApproval: "CISO"
+		- Implementation: "IT Administration dept."
+- Documentation
+	- PolicyDocuments: <pointers> 
+	- ProcedureDescriptions: <pointers>
+	- MeasurementReports: <pointers>
+	- EvaluationReports: <pointers>
+
+## In JSON format
+
+```
+JSON
+{
+  "PolicyTitle": "Application access policy",
+  "RelevantStandardArticles": [
+    "ISO27001:2022:5.15",
+    "ISO27001:2022:5.18"
+  ],
+  "VersionControl": {
+    "VersionNumber": "3.14",
+    "VersionDate": "2024-12-15",
+    "DocumentOwner": "Alex Hanover",
+    "ApprovedBy": "Marian Faithful",
+    "ApprovedDate": "2025-01-08",
+    "NextReview": "2025-12-15"
+  },
+  "Purpose": {
+    "Goal": "To protect classified data from unauthorized access",
+    "Scope": "All applications in use within the organization",
+    "RisksMitigated": "Unauthorized access to classified data",
+    "ControlsImplemented": [
+      "ISO27001:2022:5.15",
+      "ISO27001:2022:5.18"
+    ]
+  },
+  "Method": {
+    "Implementation": "To mitigate the risk of X, controls A, B and C will be implemented on asset Y by Responsible Z. The effectiveness will be measured through P and will be evaluated by Q according to method R, following planning S.",
+    "Metrics": "Number of users with unjustly granted access to each application, compared to the necessary access following from the Job Framework",
+    "Measurement": "The number of users with unjust access will be determined each quarter by HR, based on the current access matrix delivered by IT",
+    "Evaluation": "The effectiveness of the control will be evaluated quarterly by the Compliance Officer in a meeting with HR and IT"
+  },
+  "ReviewsAndChanges": {
+    "Review": "This policy will be reviewed yearly or if relevant and significant changes occur in the organization, in a meeting with the CISO, COO and Compliance Officer",
+    "Changes": "Changes to this policy will be prepared by the policy o",
+    "Responsibilities": {
+      "PolicyWriting": "IT consultant",
+      "PolicyApproval": "CISO",
+      "Implementation": "IT Administration dept."
+    }
+  },
+  "Documentation": {
+    "PolicyDocuments": [],
+    "ProcedureDescriptions": [],
+    "MeasurementReports": [],
+    "EvaluationReports": []
+  }
+}
+```
+```JSON
+
+```