# ISMS Review Management Model

## Goal
Use this repository for controlled ISMS documents and use core12-isms-management for action tracking, review evidence, and register records. The review system should be simple now and automation-friendly later.
## Review Objects
| Object | Where it lives | Review trigger | Evidence |
|---|---|---|---|
| ISMS document | core12-isms Markdown | review_due frontmatter, material change, audit finding | GitHub issue and PR link |
| Asset | Management issue | Annual/quarterly schedule, ownership change, disposal | Asset review issue |
| IT service | Management issue | Quarterly/new service/material change | IT Service review issue |
| Client/digital project | Management issue | Quarterly/new project/material change | Website/web app/client review issue |
| Personnel/vendor | Management issue | Onboarding, annual review, termination, contract renewal | Personnel/vendor issue and signed agreement evidence |
| Risk | Management issue | Annual/quarterly schedule, incident, new service/project | Risk review issue |
| Incident | Management issue | As reported | Incident and PIR issues |
## Minimum Workflow
- Document owner reviews policy/procedure content in this repo.
- If no content change is needed, open a document-review issue in core12-isms-management, record "no content change", and update `last_reviewed`/`review_due` by PR.
- If content changes are needed, update the Markdown document, open a PR, link the review issue, and update metadata.
- If the review identifies an operational gap, open or update a risk, asset, service, personnel, vendor, or migration issue in core12-isms-management.
- Monthly summary automation reports reviews due, overdue records, incidents, and high risks.
## Automation Direction
- Use frontmatter in this repo as the document-review source.
- Use issue labels and project fields in core12-isms-management as the operational source.
- Add `register:documents` and `migration:legacy-isms` labels to the management repo.
- Have the review-reminder workflow create document-review issues in core12-isms-management using a token with access to that repo.
- Generate monthly summaries from the management repo, not from static files.
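As an added illustration (not code from this repository or its workflow), the document-review-source logic the reminder workflow would run: read `review_due` from each document's frontmatter, classify it against a review window, and shape the `register:documents` issue for core12-isms-management. The sample documents, the 30-day window and the fixed `TODAY` date are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

TODAY = date(2025, 3, 1)  # fixed "today" so the sample result is reproducible
# Constructed sample documents (path -> contents); last_reviewed/review_due are the frontmatter keys the model names.
SAMPLE_DOCS = {
    "policies/access-control.md": "---\nlast_reviewed: 2024-01-10\nreview_due: 2025-01-10\n---\n# Access Control Policy\n",
    "procedures/backup.md": "---\nlast_reviewed: 2024-03-15\nreview_due: 2025-03-15\n---\n# Backup Procedure\n",
    "policies/crypto.md": "---\nlast_reviewed: 2024-11-01\nreview_due: 2025-11-01\n---\n# Cryptography Policy\n",
    "guides/onboarding.md": "# Onboarding guide\nNo frontmatter at all.\n",
}

@dataclass
class ReviewItem:
    path: str
    review_due: "date | None"
    status: str  # "overdue", "due-soon", "ok" or "missing-metadata"

def parse_frontmatter(text: str) -> dict[str, str]:  # leading '---' block of key: value lines, no YAML library
    lines = text.splitlines()
    if not lines or lines[0].strip() != "---":
        return {}
    meta: dict[str, str] = {}
    for line in lines[1:]:
        if line.strip() == "---":
            return meta
        key, sep, value = line.partition(":")
        if sep:
            meta[key.strip()] = value.strip().strip("'\"")
    return {}  # unterminated block: treat as no usable metadata

def classify(path: str, text: str, today: date, window_days: int = 30) -> ReviewItem:
    """A missing or malformed review_due is flagged rather than silently skipped."""
    try:
        due = date.fromisoformat(parse_frontmatter(text)["review_due"])
    except (KeyError, ValueError):
        return ReviewItem(path, None, "missing-metadata")
    days_left = (due - today).days
    status = "overdue" if days_left < 0 else "due-soon" if days_left <= window_days else "ok"
    return ReviewItem(path, due, status)

def reviews_needing_issues(docs: dict[str, str], today: date) -> list[ReviewItem]:
    """Everything that is not 'ok' should get a document-review issue in the management repo."""
    return [i for i in (classify(p, t, today) for p, t in sorted(docs.items())) if i.status != "ok"]

def issue_payload(item: ReviewItem) -> dict:
    """Title, label and body of the issue the review-reminder workflow would open."""
    body = (f"Document: `{item.path}`\nStatus: {item.status}\nreview_due: {item.review_due or 'unknown'}\n"
            "Record 'no content change' or link the PR, then update last_reviewed/review_due.")
    return {"title": f"Document review: {item.path}", "labels": ["register:documents"], "body": body}
```

Documents with absent or unparsable metadata are reported as their own status so a missing `review_due` cannot make a document silently drop out of the review cycle.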