Legacy ISMS Migration Plan
Source Inventory Reviewed
The local ../legacy folder in core12-it-repos is currently empty. The usable legacy source set was found at /Users/taheny/repos/core12-it-fu-X/ISMS_Backup and duplicate OneDrive export paths.
Primary Source Choice
| Source | Decision |
|---|---|
| General/Policies/Core 12 - Security Policy v1.8/Core 12 Security Policy - v1.8.docx | Primary ISMS policy basis. Most recent located version: revision 329, modified 2026-01-26. |
| ISA_Submit/1.1.1/CORE 12 LLC - SECURITY POLICY_v1.6.docx | Older submitted copy. Keep only as audit history, not as the migration basis. |
| General/Templates/Core 12 Agreements/Core 12 Employee Agreement.docx | Employee agreement source ported in full. |
| ISA_Submit/1.2.2/Core 12 Employee Agreement.docx | Submitted duplicate; same internal metadata as template copy. |
Migration to core12-isms-management
| Legacy source area | Use in management repo | Target issue/register |
|---|---|---|
| Information Management Log spreadsheet | Seed live registers and review due dates | Assets, IT Services, Websites, Web Apps, Desktop Apps, Licences, Risks |
| IT Services reviews: Azure, Jira, Office 365 | Create service records with owner, MFA/SSO, supplier review, contract, RTO/RPO | register:itservices issues |
| Managed device reviews and disposal records | Create hardware/storage records, disposal evidence, inactive-device review tasks | register:assets issues |
| Client and digital project reviews | Create client service/project records and website/web application records | register:websites, register:webapps, register:itservices |
| Third party vendor reviews and agreements | Create vendor records with DPA/security review dates and agreement evidence | register:personnel with personnel:vendor, or add a dedicated vendor register if preferred |
| Employee policy review forms and agreements | Link signed acknowledgements to personnel records | register:personnel employee issues |
| Termination checklists | Attach or summarize completion evidence on closed personnel records | register:personnel review/termination issues |
| Facility access reviews | Track as facility/access review evidence and risks | Personnel review, asset review, or new facility review issue type |
| IT security training certificates | Track annual training completion by person and campaign | Personnel review issues; optional training campaign issue |
| IT weekly touchbase notes and quarterly IT reviews | Use as management-review and continual-improvement evidence | Monthly summary / management review issue |
| BCP DR plans and tabletop exercises | Create BCP records and annual tabletop review tasks | IT service review, risk review, and BCP tabletop issues |
| Security incident checklist/template | Preserve as incident/PIR workflow | register:incidents issues |
| Risk Register reference | Seed initial risk backlog | register:risks issues |
| Unauthorized Software reference | Seed approved/blocked desktop application records | register:desktopapps issues |
| Data Protection Measures reference | Use as checklist text in service/app/vendor review templates | IT service, app, website, vendor review issues |
| Vendor agreement clauses | Use as required vendor/security review checklist | Vendor and IT service issue templates |
First 10 Migration Actions
- Add register:documents, migration:legacy-isms, and control:gap labels to core12-isms-management.
- Create a document-review issue for every Markdown document in this repo.
- Create service records for Microsoft 365, Azure, Jira, GitHub, Cloudflare, Jamf/Jamf Protect, Microsoft Defender, hosting providers, and backup/file-storage services.
- Create personnel records for active employees and contractors, linking signed agreements and annual policy reviews.
- Create vendor records for every third party with access to Core 12 or client data.
- Create web application and website records for active client and internal digital properties.
- Create initial risks from the Risk Register Seed List.
- Create BCP review tasks for ransomware, power outage, cloud service outage, and office inaccessibility scenarios.
- Convert termination/onboarding templates into personnel issue checklists or linked evidence records.
- Configure review reminder automation to open review issues in the management repo.
Open Gaps
- The local core12-it-repos/legacy directory should either be populated with the selected legacy source set or replaced by a README pointing to the canonical archive location.
- Management repo currently has strong register templates but no document-review or migration-task template. Add those next.
- The existing management monthly summary reports empty registers; seed records are needed before summaries become useful.