Policy Card Example for Access to Software Applications
- PolicyTitle: "Application access policy"
- RelevantStandardArticles: ISO27001:2022:A.5.15, ISO27001:2022:A.5.18
- VersionControl
  - VersionNumber: 3.14
  - VersionDate: 15-12-2024
  - DocumentOwner: "Alex Hanover"
  - ApprovedBy: "Marian Faithful"
  - ApprovedDate: 08-01-2025
  - NextReview: 15-12-2025
- Purpose
  - Goal (in terms of risk mitigation): "To protect classified data from unauthorized access"
  - Scope: "All applications in use within the organization" // E.g. the organization as a whole vs. topic-specific: certain business activities, organizational units, or the implementation of specific controls. Also define exemptions and exceptions.
  - RisksMitigated: "Unauthorized access to classified data" // Outcome of the risk analysis activity
  - ControlsImplemented: ISO27001:2022:5.15, ISO27001:2022:5.18
- Method
  - Implementation ("How it's done"): "To mitigate the risk of X, controls A, B and C will be implemented on asset Y by Responsible Z. The effectiveness will be measured through P and will be evaluated by Q according to method R, following planning S."
  - Metrics: "Number of users with unjustly granted access to each application, compared to the necessary access following from the Job Framework" (to establish effectiveness)
  - Measurement: "The number of users with unjust access will be determined each quarter by HR, based on the current access matrix delivered by IT" // How, when, and by whom
  - Evaluation: "The effectiveness of the control will be evaluated quarterly by the Compliance Officer in a meeting with HR and IT" // How, when, and by whom
- Reviews and Changes
  - Review: "This policy will be reviewed yearly or if relevant and significant changes occur in the organization, in a meeting with the CISO, COO and Compliance Officer"
  - Changes: "Changes to this policy will be prepared by the policy o"
- Responsibilities (for implementation and review)
  - PolicyWriting: "IT consultant"
  - PolicyApproval: "CISO"
  - Implementation: "IT Administration dept."
- Documentation
  - PolicyDocuments:
  - ProcedureDescriptions:
  - MeasurementReports:
  - EvaluationReports:
The same policy card in JSON format:

```json
{
  "PolicyTitle": "Application access policy",
  "RelevantStandardArticles": [
    "ISO27001:2022:5.15",
    "ISO27001:2022:5.18"
  ],
  "VersionControl": {
    "VersionNumber": "3.14",
    "VersionDate": "2024-12-15",
    "DocumentOwner": "Alex Hanover",
    "ApprovedBy": "Marian Faithful",
    "ApprovedDate": "2025-01-08",
    "NextReview": "2025-12-15"
  },
  "Purpose": {
    "Goal": "To protect classified data from unauthorized access",
    "Scope": "All applications in use within the organization",
    "RisksMitigated": "Unauthorized access to classified data",
    "ControlsImplemented": [
      "ISO27001:2022:5.15",
      "ISO27001:2022:5.18"
    ]
  },
  "Method": {
    "Implementation": "To mitigate the risk of X, controls A, B and C will be implemented on asset Y by Responsible Z. The effectiveness will be measured through P and will be evaluated by Q according to method R, following planning S.",
    "Metrics": "Number of users with unjustly granted access to each application, compared to the necessary access following from the Job Framework",
    "Measurement": "The number of users with unjust access will be determined each quarter by HR, based on the current access matrix delivered by IT",
    "Evaluation": "The effectiveness of the control will be evaluated quarterly by the Compliance Officer in a meeting with HR and IT"
  },
  "ReviewsAndChanges": {
    "Review": "This policy will be reviewed yearly or if relevant and significant changes occur in the organization, in a meeting with the CISO, COO and Compliance Officer",
    "Changes": "Changes to this policy will be prepared by the policy o",
    "Responsibilities": {
      "PolicyWriting": "IT consultant",
      "PolicyApproval": "CISO",
      "Implementation": "IT Administration dept."
    }
  },
  "Documentation": {
    "PolicyDocuments": [],
    "ProcedureDescriptions": [],
    "MeasurementReports": [],
    "EvaluationReports": []
  }
}
```
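The Metrics and Measurement entries of the card define the quarterly figure HR is to produce: per application, the number of users whose access is not justified by their role in the Job Framework. The following is an added example of how that comparison can be computed from the access matrix delivered by IT; it is not part of the policy card, and the Job Framework, role assignments and access matrix it uses are constructed sample data.

```python
from collections import defaultdict

# Constructed sample data (assumptions for this example, not from the policy card):
# JOB_FRAMEWORK maps each role to the applications that role legitimately needs,
# USER_ROLES is HR's role assignment, and ACCESS_MATRIX is the current access
# matrix delivered by IT (user -> applications the user can actually reach).
JOB_FRAMEWORK = {
    "finance_clerk": {"ERP", "Payroll"},
    "developer": {"GitLab", "CI"},
    "hr_partner": {"HRIS", "Payroll"},
}
USER_ROLES = {"alice": "finance_clerk", "bob": "developer",
              "carol": "hr_partner", "dave": "developer"}
ACCESS_MATRIX = {
    "alice": {"ERP", "Payroll", "HRIS"},  # HRIS is not justified by finance_clerk
    "bob": {"GitLab", "CI", "ERP"},       # ERP is not justified by developer
    "carol": {"HRIS", "Payroll"},         # exactly what the role requires
    "dave": {"GitLab"},                   # missing CI: under-provisioning, outside this metric
    "erin": {"Payroll"},                  # no role in the Job Framework: nothing is justified
}


def unjust_access(access_matrix, user_roles, job_framework):
    """Map each application to the users whose access to it is not justified
    by their role in the Job Framework. A user without a role entry has no
    justified access, so every application they can reach is reported."""
    findings = defaultdict(list)
    for user, apps in access_matrix.items():
        allowed = job_framework.get(user_roles.get(user), set())
        for app in apps - allowed:
            findings[app].append(user)
    return {app: sorted(users) for app, users in findings.items()}


def metric_per_application(access_matrix, user_roles, job_framework):
    """The card's Metrics value: number of users with unjustly granted access,
    per application, as HR would determine it each quarter."""
    return {app: len(users)
            for app, users in unjust_access(access_matrix, user_roles, job_framework).items()}


if __name__ == "__main__":
    for app, users in sorted(unjust_access(ACCESS_MATRIX, USER_ROLES, JOB_FRAMEWORK).items()):
        print(f"{app}: {len(users)} user(s) with unjust access -> {', '.join(users)}")
```

The function reports over-provisioning only, which is what the card's metric asks for; under-provisioned users (dave in the sample) would need a separate check if the organization also wants to track them.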