# Policy Card Example for Access to Software Applications

- PolicyTitle: "Application access policy"
- RelevantStandardArticles: ISO27001:2022:A.5.15, ISO27001:2022:A.5.18
- VersionControl
  - VersionNumber: 3.14
  - VersionDate: 15-12-2024
  - DocumentOwner: "Alex Hanover"
  - ApprovedBy: "Marian Faithful"
  - ApprovedDate: 08-01-2025
  - NextReview: 15-12-2025
- Purpose
  - Goal (in terms of risk mitigation): "To protect classified data from unauthorized access"
  - Scope: "All applications in use within the organization" // E.g. organization as a whole vs. topic-specific: certain business activities, organizational units, or the implementation of specific controls. Also define Exemptions and Exceptions.
  - RisksMitigated: "Unauthorized access to classified data" // outcome from the Risk Analysis activity
  - ControlsImplemented: ISO27001:2022:5.15, ISO27001:2022:5.18
- Method
  - Implementation ('How it's done'): "To mitigate the risk of X, controls A, B and C will be implemented on asset Y by Responsible Z. The effectiveness will be measured through P and will be evaluated by Q according to method R, following planning S."
  - Metrics: "Number of users with unjustly granted access to each application, compared to the necessary access following from the Job Framework" (to establish effectiveness)
  - Measurement: "The number of users with unjust access will be determined each quarter by HR, based on the current access matrix delivered by IT" // How, When, and By Whom
  - Evaluation: "The effectiveness of the control will be evaluated quarterly by the Compliance Officer in a meeting with HR and IT" // How, When, and By Whom
- Reviews and Changes
  - Review: "This policy will be reviewed yearly or if relevant and significant changes occur in the organization, in a meeting with the CISO, COO and Compliance Officer"
  - Changes: "Changes to this policy will be prepared by the policy o"
  - Responsibilities (for implementation and review)
    - PolicyWriting: "IT consultant"
    - PolicyApproval: "CISO"
    - Implementation: "IT Administration dept."
- Documentation
  - PolicyDocuments:
  - ProcedureDescriptions:
  - MeasurementReports:
  - EvaluationReports:

## In JSON format

```json
{
  "PolicyTitle": "Application access policy",
  "RelevantStandardArticles": [
    "ISO27001:2022:5.15",
    "ISO27001:2022:5.18"
  ],
  "VersionControl": {
    "VersionNumber": "3.14",
    "VersionDate": "2024-12-15",
    "DocumentOwner": "Alex Hanover",
    "ApprovedBy": "Marian Faithful",
    "ApprovedDate": "2025-01-08",
    "NextReview": "2025-12-15"
  },
  "Purpose": {
    "Goal": "To protect classified data from unauthorized access",
    "Scope": "All applications in use within the organization",
    "RisksMitigated": "Unauthorized access to classified data",
    "ControlsImplemented": [
      "ISO27001:2022:5.15",
      "ISO27001:2022:5.18"
    ]
  },
  "Method": {
    "Implementation": "To mitigate the risk of X, controls A, B and C will be implemented on asset Y by Responsible Z. The effectiveness will be measured through P and will be evaluated by Q according to method R, following planning S.",
    "Metrics": "Number of users with unjustly granted access to each application, compared to the necessary access following from the Job Framework",
    "Measurement": "The number of users with unjust access will be determined each quarter by HR, based on the current access matrix delivered by IT",
    "Evaluation": "The effectiveness of the control will be evaluated quarterly by the Compliance Officer in a meeting with HR and IT"
  },
  "ReviewsAndChanges": {
    "Review": "This policy will be reviewed yearly or if relevant and significant changes occur in the organization, in a meeting with the CISO, COO and Compliance Officer",
    "Changes": "Changes to this policy will be prepared by the policy o",
    "Responsibilities": {
      "PolicyWriting": "IT consultant",
      "PolicyApproval": "CISO",
      "Implementation": "IT Administration dept."
    }
  },
  "Documentation": {
    "PolicyDocuments": [],
    "ProcedureDescriptions": [],
    "MeasurementReports": [],
    "EvaluationReports": []
  }
}
```
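The quarterly metric defined under Method (users with unjustly granted access per application, compared against the Job Framework), worked as an added example that is not part of the policy card above. The access matrix, Job Framework and user-to-role mapping are constructed sample data; in practice IT delivers the matrix and HR owns the framework.

```python
"""Quarterly 'unjust access' metric from the policy card (added example)."""
from collections import defaultdict

# Constructed sample data, not from any real organisation.
# Job Framework (HR-owned): role -> applications that role needs.
JOB_FRAMEWORK = {
    "accountant": {"erp", "payroll"},
    "engineer": {"git", "ci", "erp"},
    "hr-officer": {"payroll", "hris"},
}
# Current role per user; None models an account whose holder has no role.
USER_ROLES = {
    "alice": "accountant",
    "bob": "engineer",
    "carol": "hr-officer",
    "dave": "engineer",
    "erin": None,
}
# Access matrix (delivered by IT): user -> applications currently reachable.
ACCESS_MATRIX = {
    "alice": {"erp", "payroll", "hris"},      # hris not justified by role
    "bob": {"git", "ci", "erp"},              # fully justified
    "carol": {"payroll", "hris", "erp"},      # erp not justified by role
    "dave": {"git", "ci", "erp", "payroll"},  # payroll not justified
    "erin": {"erp"},                          # no role: every grant is unjust
}


def unjust_access(access_matrix, user_roles, job_framework):
    """Return {application: sorted users whose access the Job Framework does not justify}.

    A grant is justified only if the user's role exists in the framework and
    lists that application. Users missing from the role mapping, or whose role
    is absent from the framework, are reported for every application they reach.
    """
    findings = defaultdict(set)
    for user, apps in access_matrix.items():
        allowed = job_framework.get(user_roles.get(user), set())
        for app in apps - allowed:
            findings[app].add(user)
    return {app: sorted(users) for app, users in sorted(findings.items())}


def metric_per_application(access_matrix, user_roles, job_framework):
    """The policy's metric: number of users with unjust access, per application."""
    return {app: len(users)
            for app, users in unjust_access(access_matrix, user_roles, job_framework).items()}


if __name__ == "__main__":
    for app, users in unjust_access(ACCESS_MATRIX, USER_ROLES, JOB_FRAMEWORK).items():
        print(f"{app}: {len(users)} user(s) with unjustified access: {', '.join(users)}")
```

Applications with no findings are absent from the result, so a zero for every application is what a fully effective control looks like.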