# Policy Card Example for Access to Software Applications

- PolicyTitle: "Application access policy"
- RelevantStandardArticles: `<tags>` ISO27001:2022:A.5.15, ISO27001:2022:A.5.18
- VersionControl
  - VersionNumber: 3.14
  - VersionDate: 15-12-2024
  - DocumentOwner: "Alex Hanover"
  - ApprovedBy: "Marian Faithful" `<signature>`
  - ApprovedDate: 08-01-2025
  - NextReview: 15-12-2025
- Purpose
  - Goal (in terms of risk mitigation): "To protect classified data from unauthorized access"
  - Scope: "All applications in use within the organization" // E.g. organization as a whole vs. topic-specific: certain business activities, organizational units, or the implementation of specific controls. Also define Exemptions and Exceptions.
  - RisksMitigated: "Unauthorized access to classified data" // outcome from the Risk Analysis activity
  - ControlsImplemented: `<tags>` ISO27001:2022:5.15, ISO27001:2022:5.18
- Method
  - Implementation ('How it's done'): "To mitigate the risk of X, controls A, B and C will be implemented on asset Y by Responsible Z. The effectiveness will be measured through P and will be evaluated by Q according to method R, following planning S."
  - Metrics: "Number of users with unjustly granted access to each application, compared to the necessary access following from the Job Framework" (to establish effectiveness)
  - Measurement: "The number of users with unjust access will be determined each quarter by HR, based on the current access matrix delivered by IT" // How, When, and By Whom
  - Evaluation: "The effectiveness of the control will be evaluated quarterly by the Compliance Officer in a meeting with HR and IT" // How, When, and By Whom
- Reviews and Changes
  - Review: "This policy will be reviewed yearly or if relevant and significant changes occur in the organization, in a meeting with the CISO, COO and Compliance Officer"
  - Changes: "Changes to this policy will be prepared by the policy o"
- Responsibilities (for implementation and review)
  - PolicyWriting: "IT consultant"
  - PolicyApproval: "CISO"
  - Implementation: "IT Administration dept."
- Documentation
  - PolicyDocuments: `<pointers>`
  - ProcedureDescriptions: `<pointers>`
  - MeasurementReports: `<pointers>`
  - EvaluationReports: `<pointers>`

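The Method section defines the card's effectiveness metric as the number of users per application whose access is not justified by the Job Framework, determined from the access matrix IT delivers. The following Python is an added example (not part of the policy card, and not code from any organisation or tool the card refers to) that carries that comparison out: the Job Framework, HR roster and access matrix are constructed sample data, and the function names are assumptions chosen for this illustration. It also reports the complementary case (required access a user lacks), which the same comparison yields for free and which is useful in the quarterly evaluation meeting even though it is not the card's metric.

```python
"""Worked computation of the policy card's effectiveness metric.

Compares the access matrix delivered by IT (which users hold which
application) against the access each role needs according to the Job
Framework, and counts users whose access is not justified, per application.
All data below is constructed for this example.
"""

# Constructed Job Framework: role -> applications that role legitimately needs.
JOB_FRAMEWORK = {
    "accountant": {"erp", "expense-tool"},
    "developer": {"git", "ci", "issue-tracker"},
    "hr-partner": {"hris", "expense-tool"},
}

# Constructed HR roster: user -> role. A user absent here has no valid role,
# so any access they hold is unjustified (typical of leavers and orphaned accounts).
ROSTER = {
    "alice": "accountant",
    "bob": "developer",
    "carol": "hr-partner",
    "dave": "developer",
}

# Constructed access matrix as delivered by IT: application -> users with access.
ACCESS_MATRIX = {
    "erp": {"alice", "bob"},            # bob is a developer: not justified
    "expense-tool": {"alice", "carol"},
    "git": {"bob", "dave", "eve"},      # eve is not on the roster: not justified
    "ci": {"bob"},
    "issue-tracker": {"bob", "dave"},
    "hris": {"carol", "alice"},         # alice is an accountant: not justified
}


def unjustified_access(access_matrix, roster, job_framework):
    """Return {application: sorted users whose access is not justified}.

    Access is justified only when the user has a role in the roster and the
    Job Framework grants that role the application. Applications without
    findings are omitted, so the result doubles as the findings list.
    """
    findings = {}
    for app, users in access_matrix.items():
        unjust = [
            user for user in users
            if roster.get(user) is None
            or app not in job_framework.get(roster[user], set())
        ]
        if unjust:
            findings[app] = sorted(unjust)
    return findings


def metric_per_application(access_matrix, roster, job_framework):
    """The card's metric: number of users with unjustly granted access, per application."""
    findings = unjustified_access(access_matrix, roster, job_framework)
    return {app: len(findings.get(app, [])) for app in access_matrix}


def missing_access(access_matrix, roster, job_framework):
    """Complement of the metric: {user: sorted apps the user's role needs but lacks}."""
    held = {}
    for app, users in access_matrix.items():
        for user in users:
            held.setdefault(user, set()).add(app)
    gaps = {}
    for user, role in roster.items():
        lacking = job_framework.get(role, set()) - held.get(user, set())
        if lacking:
            gaps[user] = sorted(lacking)
    return gaps


if __name__ == "__main__":
    # Quarterly report as the Measurement item describes it.
    for app, count in metric_per_application(ACCESS_MATRIX, ROSTER, JOB_FRAMEWORK).items():
        print(f"{app:14s} unjustified users: {count}")
    print("findings:", unjustified_access(ACCESS_MATRIX, ROSTER, JOB_FRAMEWORK))
    print("missing required access:", missing_access(ACCESS_MATRIX, ROSTER, JOB_FRAMEWORK))
```

In practice the three inputs would be exported from the HR system and the identity or application directories as of the same date, since a roster and access matrix taken at different times produce false findings; the per-application counts are what the card's MeasurementReports would record each quarter, and the trend across quarters is what the Compliance Officer evaluates.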
## In JSON format

```json
{
  "PolicyTitle": "Application access policy",
  "RelevantStandardArticles": [
    "ISO27001:2022:5.15",
    "ISO27001:2022:5.18"
  ],
  "VersionControl": {
    "VersionNumber": "3.14",
    "VersionDate": "2024-12-15",
    "DocumentOwner": "Alex Hanover",
    "ApprovedBy": "Marian Faithful",
    "ApprovedDate": "2025-01-08",
    "NextReview": "2025-12-15"
  },
  "Purpose": {
    "Goal": "To protect classified data from unauthorized access",
    "Scope": "All applications in use within the organization",
    "RisksMitigated": "Unauthorized access to classified data",
    "ControlsImplemented": [
      "ISO27001:2022:5.15",
      "ISO27001:2022:5.18"
    ]
  },
  "Method": {
    "Implementation": "To mitigate the risk of X, controls A, B and C will be implemented on asset Y by Responsible Z. The effectiveness will be measured through P and will be evaluated by Q according to method R, following planning S.",
    "Metrics": "Number of users with unjustly granted access to each application, compared to the necessary access following from the Job Framework",
    "Measurement": "The number of users with unjust access will be determined each quarter by HR, based on the current access matrix delivered by IT",
    "Evaluation": "The effectiveness of the control will be evaluated quarterly by the Compliance Officer in a meeting with HR and IT"
  },
  "ReviewsAndChanges": {
    "Review": "This policy will be reviewed yearly or if relevant and significant changes occur in the organization, in a meeting with the CISO, COO and Compliance Officer",
    "Changes": "Changes to this policy will be prepared by the policy o",
    "Responsibilities": {
      "PolicyWriting": "IT consultant",
      "PolicyApproval": "CISO",
      "Implementation": "IT Administration dept."
    }
  },
  "Documentation": {
    "PolicyDocuments": [],
    "ProcedureDescriptions": [],
    "MeasurementReports": [],
    "EvaluationReports": []
  }
}
```