Document Control and Review Policy
Policy
ISMS policies, standards, procedures, agreements, and supporting documents must be documented, available to responsible personnel, version controlled, and reviewed for appropriateness and currency.
Document Metadata
Every maintained ISMS document must include:
| Field | Requirement |
|---|---|
| title | Human-readable document title |
| owner | Accountable owner or role |
| classification | Public, Internal, Confidential, or Restricted |
| status | Draft, In Review, Approved, or Deprecated |
| version | Version string updated when content changes |
| last_reviewed | Most recent review date |
| review_due | Next required review date |
| iso_controls | ISO control mapping where applicable |
Review Cadence
- ISMS documents are reviewed at least annually.
- Documents are reviewed sooner after material changes to systems, services, roles, contracts, laws, incidents, audit findings, or risk posture.
- Reviews are tracked in core12-isms-management as document-review issues.
- Content changes are made through pull requests so approval history remains attributable.
Approval
The Information Security Officer owns completeness and maintenance of the ISMS. Executive leadership approves the overall policy set and material risk acceptance. Document owners approve their assigned documents before publication.