From 935cae67e51b228b32c33dff2d1d16258d4452b0 Mon Sep 17 00:00:00 2001 From: tegwick Date: Fri, 3 Oct 2025 00:39:10 +0200 Subject: [PATCH] docs: added templates for usecase experiments --- examples/TEMPLATE-ARC42.md | 217 ++++++++++++++++ examples/TEMPLATE-ISO14001.md | 342 ++++++++++++++++++++++++++ examples/TEMPLATE-ISO27001-ISMS.md | 383 +++++++++++++++++++++++++++++ examples/TEMPLATE-ISO9001.md | 241 ++++++++++++++++++ 4 files changed, 1183 insertions(+) create mode 100644 examples/TEMPLATE-ARC42.md create mode 100644 examples/TEMPLATE-ISO14001.md create mode 100644 examples/TEMPLATE-ISO27001-ISMS.md create mode 100644 examples/TEMPLATE-ISO9001.md diff --git a/examples/TEMPLATE-ARC42.md b/examples/TEMPLATE-ARC42.md new file mode 100644 index 00000000..68e14e2e --- /dev/null +++ b/examples/TEMPLATE-ARC42.md 
@@ -0,0 +1,217 @@ +# Software Architecture Documentation (arc42) + +## About this document +**Purpose.** This document follows the **arc42** template to describe, communicate, and evolve the architecture of the system in a clear, lightweight, and practical way. For background on arc42, see the official overview and documentation. + +--- + +## 1. Introduction and Goals +Briefly explains why the system exists and which forces shape the architecture (business goals, functional scope, quality goals, stakeholders). +**Add your content here…** + +### 1.1 Requirements Overview +Summarize key functional requirements or link to your product/backlog sources; keep this concise and focused on what drives architecture. +**Add your content here…** + +### 1.2 Quality Goals +Capture 3–5 top quality attributes (e.g., performance, security, evolvability) that guide trade-offs and decisions. +**Add your content here…** + +### 1.3 Stakeholders +List stakeholders (roles, responsibilities, concerns) whose needs the architecture must satisfy. +**Add your content here…** + +--- + +## 2. Architecture Constraints +Record constraints (technical, organizational, legal, standards, runtime environments, toolchains) that restrict options and influence design. +**Add your content here…** + +--- + +## 3. System Scope and Context +Defines what’s in/out of scope and how the system interacts with its environment (users, neighboring systems, external services). +**Add your content here…** + +### 3.1 Business Context +Show business actors, interactions, and the value exchange; describe business-level inputs/outputs. +**Add your content here…** + +### 3.2 Technical Context +Show technical interfaces, protocols, data formats, and integration endpoints between the system and external systems. +**Add your content here…** + +--- + +## 4. Solution Strategy +Summarize the key architecture approach: principal patterns, frameworks, major decisions, and the rationale linked to goals and constraints. 
+**Add your content here…** + +--- + +## 5. Building Block View +Explains the static decomposition of the system into building blocks (modules/components/subsystems), their responsibilities, and dependencies—the “floor plan”. +**Add your content here…** + +### 5.1 Level 1 – System/Top-Level +Show the top-level breakdown into major subsystems or layers and how they collaborate. +**Add your content here…** + +### 5.2 Level 2 – Key Components +Zoom into one or more subsystems from 5.1 and present their main components and relationships. +**Add your content here…** + +### 5.3 Level 3 – Internal Structure (as needed) +Detail important components (data structures, classes, packages) when necessary for understanding or change. +**Add your content here…** + +--- + +## 6. Runtime View +Describes significant scenarios to illustrate behavior and interactions of building blocks (sequence/flow, error paths, non-functional aspects). +**Add your content here…** + +### 6.x Scenario +State context, triggers, participating blocks, message/interaction flow, and notable variations. +**Add your content here…** + +--- + +## 7. Deployment View +Maps software artifacts to infrastructure (nodes, regions, runtime platforms), including redundancy, scaling, and operational concerns. +**Add your content here…** + +### 7.1 Infrastructure Overview +Present environments (dev/test/stage/prod), regions/zones, and high-level topology. +**Add your content here…** + +### 7.2 Deployment Mapping +Describe which artifacts run where; capture capacity, sizing assumptions, and elasticity. +**Add your content here…** + +### 7.3 Cross-Environment Differences +List relevant differences (configs, data stores, integrations, security postures). +**Add your content here…** + +--- + +## 8. Cross-Cutting Concepts +Central rules & approaches that apply across the system (domain model, architecture patterns, security, logging, error handling, configuration, i18n, etc.). 
+**Add your content here…** + +### 8.1 Domain & Data +Share ubiquitous language, key domain concepts, data ownership, and data lifecycle. +**Add your content here…** + +### 8.2 Security +Threat model highlights, authn/authz, secrets handling, crypto, secure defaults. +**Add your content here…** + +### 8.3 Observability & Operations +Logging, metrics, tracing, health checks, dashboards, incident response hooks. +**Add your content here…** + +### 8.4 Error Handling & Resilience +Policies for retries, timeouts, backoff, circuit breakers, idempotency. +**Add your content here…** + +### 8.5 Configuration & Feature Flags +How configuration is structured, validated, and delivered; flag strategy. +**Add your content here…** + +### 8.6 Performance & Caching +Hot paths, caching layers, data locality, performance budgets and profiles. +**Add your content here…** + +### 8.7 Code & API Guidelines +Language/framework idioms, API style (REST/gRPC/GraphQL), versioning and compatibility rules. +**Add your content here…** + +### 8.8 Compliance & Data Protection +Relevant standards/regulations (e.g., ISO, GDPR), data retention, audit trails. +**Add your content here…** + +--- + +## 9. Architecture Decisions +A log of significant decisions (ADRs): context, options considered, decision, consequences, status (proposed/accepted/superseded). +**Add your content here…** + +--- + +## 10. Quality Requirements +Elaborate quality scenarios (stimulus → response measure) tied to the goals in 1.2, including measurable acceptance criteria. +**Add your content here…** + +### 10.1 Quality Tree +Visualize quality attributes and their refinements to orient priorities. +**Add your content here…** + +### 10.2 Quality Scenarios +Concrete scenarios per attribute (e.g., “Under X load, 95th-pct latency ≤ Y ms”). +**Add your content here…** + +--- + +## 11. Risks and Technical Debt +List key risks, assumptions, unknowns, and consciously accepted debt with mitigation/retirement plans. 
+**Add your content here…** + +--- + +## 12. Glossary +Define important domain and technical terms to ensure a shared vocabulary; add abbreviations and acronyms. +**Add your content here…** + +--- + +## 13. Best-Practice Requirements & Quality Checklist +Use these requirements to review and keep the document—and architecture—healthy over time. + +### 13.1 Structural Completeness +- **All 12 arc42 chapters present or explicitly marked “N/A” with rationale.** + **Add your content here…** +- **Each section starts with a purpose blurb and ends with concrete, current content or a tracked TODO.** + **Add your content here…** +- **Cross-references link related content (e.g., 4 ↔ 5/8, 1.2 ↔ 10).** + **Add your content here…** + +### 13.2 Consistency & Traceability +- **Every major decision in 4 is backed by ADRs in 9 and aligned with 1.2/10.** + **Add your content here…** +- **Interfaces in 3.2 are consistent with components in 5 and scenarios in 6.** + **Add your content here…** +- **Deployment (7) matches runtime needs (6) and non-functional drivers (10).** + **Add your content here…** + +### 13.3 Quality & Measurability +- **Quality goals (1.2) translated into measurable scenarios (10.2) with thresholds.** + **Add your content here…** +- **Operational SLOs/SLIs defined and observable (8.3) and tied to alerts/dashboards.** + **Add your content here…** + +### 13.4 Risk & Debt Management +- **Top risks ranked with mitigations, owners, and review cadence (11).** + **Add your content here…** +- **Technical debt items carry impact, “pay-down” trigger, and target release.** + **Add your content here…** + +### 13.5 Security & Compliance Hygiene +- **Threat model snapshot exists; controls mapped (8.2).** + **Add your content here…** +- **Data protection & retention addressed; lawful bases documented (8.8).** + **Add your content here…** + +### 13.6 Evolution & Maintainability +- **Document is versioned; changes tracked with changelog and ADR status updates.** + **Add your 
content here…** +- **Architecture fitness checks (e.g., lightweight ATAM or quality scenario tests) scheduled.** + **Add your content here…** +- **Diagrams are living (source-controlled), with legend, date, and level of detail.** + **Add your content here…** + +### 13.7 Fitness-for-Purpose Read-Through +- **One-page executive summary aligns with goals and constraints.** + **Add your content here…** +- **A new team member can understand system scope (3), big picture (5.1), and how to run it (7) within 60 minutes.** + **Add your content here…** diff --git a/examples/TEMPLATE-ISO14001.md b/examples/TEMPLATE-ISO14001.md new file mode 100644 index 00000000..bf2c69c6 --- /dev/null +++ b/examples/TEMPLATE-ISO14001.md 
@@ -0,0 +1,342 @@ +# ISO 14001 Environmental Management System (EMS) – Master Template + +> **How to use this file:** +> Each chapter and section begins with a brief purpose statement. Replace the placeholder line after each with your organization’s content. + +--- + +## 0. Introduction +This introductory chapter explains the purpose, scope, and audience of your Environmental Management System (EMS) documentation and how it maps to ISO 14001. It also outlines document ownership and maintenance. +**Add your content here...** + +### 0.1 Organization Overview +Provide a concise overview of the organization, key activities, products/services, sites, and significant environmental interactions. +**Add your content here...** + +### 0.2 EMS Purpose & Objectives +Summarize why you’re implementing the EMS and the strategic objectives it should achieve (compliance, risk reduction, performance, stakeholder trust). +**Add your content here...** + +### 0.3 Document Control & Ownership +Describe how this document is controlled, updated, approved, and distributed within your organization. +**Add your content here...** + +--- + +## 1. Scope (Clause 1) +Define the boundaries and applicability of the EMS, including sites, functions, and activities covered. +**Add your content here...** + +--- + +## 2. Normative References (Clause 2) +List any normative references that are indispensable for applying ISO 14001 in your context (usually the standard itself). +**Add your content here...** + +--- + +## 3. Terms and Definitions (Clause 3) +Clarify key terms to ensure a consistent understanding across the organization (e.g., environmental aspect, impact, compliance obligation). +**Add your content here...** + +--- + +## 4. Context of the Organization (Clause 4) +Explain your organization’s internal and external context and what is material for your EMS to succeed. 
+**Add your content here...** + +### 4.1 Understanding the Organization and its Context (4.1) +Identify internal/external issues that can affect intended EMS outcomes (market, technology, climate, culture, infrastructure). +**Add your content here...** + +### 4.2 Understanding the Needs and Expectations of Interested Parties (4.2) +Determine relevant stakeholders (regulators, customers, neighbors, NGOs, employees) and their EMS-relevant requirements. +**Add your content here...** + +### 4.3 Determining the Scope of the EMS (4.3) +State the EMS scope—what’s included/excluded and why—aligned with operations and environmental aspects. +**Add your content here...** + +### 4.4 Environmental Management System (4.4) +Describe how the EMS is established, implemented, maintained, and continually improved. +**Add your content here...** + +--- + +## 5. Leadership (Clause 5) +Demonstrate top management’s leadership and commitment to the EMS and environmental performance. +**Add your content here...** + +### 5.1 Leadership and Commitment (5.1) +Show how leadership integrates the EMS with business processes, allocates resources, and promotes continual improvement. +**Add your content here...** + +### 5.2 Environmental Policy (5.2) +Define and communicate an environmental policy appropriate to purpose, including commitments to protection of the environment, compliance obligations, and continual improvement. +**Add your content here...** + +### 5.3 Organizational Roles, Responsibilities and Authorities (5.3) +Clarify EMS roles, responsibilities, authorities, and reporting lines (including top management). +**Add your content here...** + +--- + +## 6. Planning (Clause 6) +Plan actions to address risks and opportunities, environmental aspects, compliance obligations, and objectives. +**Add your content here...** + +### 6.1 Actions to Address Risks and Opportunities (6.1) +Outline your risk-based thinking—identifying, assessing, prioritizing, and addressing EMS risks/opportunities. 
+**Add your content here...** + +#### 6.1.1 General (6.1.1) +Summarize your overall approach to identifying risks/opportunities that can affect intended EMS outcomes. +**Add your content here...** + +#### 6.1.2 Environmental Aspects (6.1.2) +Identify environmental aspects and significant impacts across a **life-cycle perspective** (design, procurement, operations, logistics, use, end-of-life). Explain criteria for significance. +**Add your content here...** + +#### 6.1.3 Compliance Obligations (6.1.3) +Identify applicable legal and other requirements; describe how you evaluate and keep them up to date. +**Add your content here...** + +#### 6.1.4 Planning Action (6.1.4) +Define actions to address significant aspects, compliance obligations, and risks/opportunities; integrate with operations and controls. +**Add your content here...** + +### 6.2 Environmental Objectives and Planning to Achieve Them (6.2) +Set measurable objectives aligned with policy and aspects, and plan resources, responsibilities, timelines, and evaluation methods. +**Add your content here...** + +--- + +## 7. Support (Clause 7) +Provide and manage resources, competence, awareness, communication, and documented information needed for the EMS. +**Add your content here...** + +### 7.1 Resources (7.1) +Describe financial, human, infrastructure, and technological resources allocated to the EMS. +**Add your content here...** + +### 7.2 Competence (7.2) +Define competence requirements, training plans, and effectiveness evaluation for EMS roles. +**Add your content here...** + +### 7.3 Awareness (7.3) +Ensure personnel are aware of policy, significant aspects/impacts, their contributions, and the implications of nonconformity. +**Add your content here...** + +### 7.4 Communication (7.4) +Establish internal and external communication processes—what, when, with whom, and how (including response protocols). 
+**Add your content here...** + +### 7.5 Documented Information (7.5) +Control EMS documented information (creation, update, control, access, retention) including records and procedures. +**Add your content here...** + +--- + +## 8. Operation (Clause 8) +Plan, implement, and control operational processes consistent with EMS planning and the life-cycle perspective. +**Add your content here...** + +### 8.1 Operational Planning and Control (8.1) +Define operational controls (procedures, criteria, technology) to manage significant aspects and achieve objectives, including outsourced processes and supplier controls. +**Add your content here...** + +#### 8.1.a Design and Development Controls (Life-Cycle Perspective) +Address environmental requirements in design and development and communicate relevant requirements to suppliers/contractors and downstream actors. +**Add your content here...** + +#### 8.1.b Procurement and Outsourced Processes +Integrate environmental criteria into purchasing and control of external providers/contractors. +**Add your content here...** + +#### 8.1.c Emergency Preparedness and Response (8.2) +Plan for environmental emergencies (spill, release, fire, flood), test plans, and review performance after incidents. +**Add your content here...** + +--- + +## 9. Performance Evaluation (Clause 9) +Monitor, measure, analyze, and evaluate EMS performance, including compliance, audits, and management review. +**Add your content here...** + +### 9.1 Monitoring, Measurement, Analysis and Evaluation (9.1) +Define indicators, methods, calibration, and evaluation for environmental performance and EMS effectiveness. +**Add your content here...** + +#### 9.1.2 Evaluation of Compliance (9.1.2) +Describe processes to evaluate legal/other compliance, retain evidence, and address noncompliance. 
+**Add your content here...** + +### 9.2 Internal Audit (9.2) +Plan and conduct audits to verify EMS conformity and effectiveness; define criteria, scope, frequency, and reporting. +**Add your content here...** + +### 9.3 Management Review (9.3) +Top management periodically reviews EMS suitability, adequacy, effectiveness, and alignment with strategy; record decisions and actions. +**Add your content here...** + +--- + +## 10. Improvement (Clause 10) +Address nonconformities, implement corrective actions, and drive continual improvement of EMS performance. +**Add your content here...** + +### 10.1 General (10.1) +Outline your continual improvement approach (projects, programs, innovation, culture). +**Add your content here...** + +### 10.2 Nonconformity and Corrective Action (10.2) +Define how nonconformities are recorded, causes analyzed, corrective actions implemented, and effectiveness verified. +**Add your content here...** + +### 10.3 Continual Improvement (10.3) +Describe mechanisms to identify opportunities and deliver measurable improvements over time. +**Add your content here...** + +--- + +## A. Environmental Aspect & Impact Register (Annexed Artifact) +Provide a structured register of aspects/impacts, significance criteria, controls, and monitoring. +**Add your content here...** + +--- + +## B. Compliance Obligations Register (Annexed Artifact) +Maintain a register of applicable legal and other requirements, responsibilities, and compliance status. +**Add your content here...** + +--- + +## C. Objectives, Targets & Programs Matrix (Annexed Artifact) +Track objectives, targets, action plans, owners, timelines, and KPIs. +**Add your content here...** + +--- + +## D. Operational Controls & Procedures Index (Annexed Artifact) +Index controlled procedures (operations, maintenance, waste, energy, chemicals, transport, contractors). +**Add your content here...** + +--- + +## E. 
Emergency Preparedness & Response Plan (Annexed Artifact) +Document emergency scenarios, roles, training, drills, equipment, and post-incident review. +**Add your content here...** + +--- + +## F. Monitoring & Measurement Plan (Annexed Artifact) +List indicators, methods, frequency, responsibilities, and records (e.g., energy, water, emissions, waste). +**Add your content here...** + +--- + +## G. Internal Audit Program & Reports (Annexed Artifact) +Define annual audit program, auditor competence/independence, reports, and follow-up actions. +**Add your content here...** + +--- + +## H. Management Review Records (Annexed Artifact) +Capture inputs, decisions, and actions from management reviews; link to objectives and resourcing. +**Add your content here...** + +--- + +## I. Competence, Training & Awareness Records (Annexed Artifact) +Maintain role-based competence requirements, training plans, and effectiveness evidence. +**Add your content here...** + +--- + +## J. Communication Plan & Logs (Annexed Artifact) +Track internal/external communications, stakeholder engagement, disclosures, and feedback handling. +**Add your content here...** + +--- + +# Final Chapter — Best-Practice Requirements Checklist (for Quality Review) + +Use this checklist after drafting to self-assess EMS document quality and implementation readiness. + +1. **Clear EMS Scope & Boundaries** + EMS scope explicitly covers relevant sites, activities, and functions; exclusions are justified. + **Add your content here...** + +2. **Material Context & Stakeholders** + Context analysis identifies material issues; interested parties and their requirements are mapped to controls and objectives. + **Add your content here...** + +3. **Leadership Evidence** + Policy is signed, communicated, and embedded; roles/authorities are defined; resources are demonstrably allocated. + **Add your content here...** + +4. 
**Life-Cycle Perspective Integrated** + Aspect/impact evaluations consider upstream (suppliers), core operations, and downstream (use/end-of-life); design and procurement criteria reflect environmental requirements. + **Add your content here...** + +5. **Risk-Based Planning** + Significant aspects, compliance obligations, and risks/opportunities drive actionable plans with owners, timelines, and metrics. + **Add your content here...** + +6. **SMART Objectives with KPIs** + Objectives are Specific, Measurable, Achievable, Relevant, Time-bound; KPIs and baselines are defined; progress routines exist. + **Add your content here...** + +7. **Operational Controls Effective** + Procedures/criteria exist for significant aspects, contractors/outsourcing, and changes; evidence of control and competence is retained. + **Add your content here...** + +8. **Emergency Preparedness Tested** + Realistic scenarios, periodic drills, post-incident reviews, and improvements are documented. + **Add your content here...** + +9. **Monitoring & Data Integrity** + Indicators, methods, and calibration are defined; data quality and traceability are ensured; analysis informs decisions. + **Add your content here...** + +10. **Compliance Evaluation Working** + Legal register is current; evaluations are scheduled and recorded; noncompliance triggers corrective actions. + **Add your content here...** + +11. **Internal Audits Add Value** + Risk-based audit program; competent, independent auditors; findings tracked to closure; trends analyzed. + **Add your content here...** + +12. **Management Review Drives Action** + Inputs cover performance, risks, opportunities, resources, and stakeholder feedback; outputs include decisions and assignments. + **Add your content here...** + +13. **Corrective Action is Root-Cause Driven** + Nonconformities include cause analysis, effective actions, verification, and learning capture. + **Add your content here...** + +14. 
**Competence & Awareness Demonstrated** + Role-based competency matrices, targeted training, and effectiveness checks exist; awareness is evidenced. + **Add your content here...** + +15. **Communication is Proactive & Transparent** + Internal and external communication plans exist; material disclosures are accurate, timely, and consistent. + **Add your content here...** + +16. **Documented Information is Controlled** + Versioning, access, retention, and retrieval are defined and effective (including records and evidence). + **Add your content here...** + +17. **Continual Improvement Culture** + Improvement pipeline (ideas → actions → benefits) is tracked; results are measured and shared. + **Add your content here...** + +18. **Alignment with Business Strategy & Climate Considerations** + EMS objectives align with corporate goals; climate-related risks/opportunities and resilience are considered per current guidance. + **Add your content here...** + +--- + +## Appendix: Cross-Reference Map (ISO 14001 ↔ This Document) +Provide a simple table mapping each ISO 14001 clause/subclause to the chapter/section in this file for easy audit navigation. +**Add your content here...** diff --git a/examples/TEMPLATE-ISO27001-ISMS.md b/examples/TEMPLATE-ISO27001-ISMS.md new file mode 100644 index 00000000..84e44287 --- /dev/null +++ b/examples/TEMPLATE-ISO27001-ISMS.md 
@@ -0,0 +1,383 @@ +# ISO/IEC 27001:2022 – ISMS Documentation Template + +> Version: 1.0 • Generated: 2025-10-02 21:59 • Standard reference: ISO/IEC 27001:2022 + +## 0. Introduction + +This document is a comprehensive template to help you establish, implement, maintain, and continually improve an Information Security Management System (ISMS) aligned to ISO/IEC 27001:2022. Each chapter begins with a short explanation of its purpose, followed by placeholders for your content. + +Add your content here... + +--- + +## 1. Purpose & Scope of this Document + +This section explains why this ISMS manual exists and which parts of the organization and operations it covers (documents included/excluded). It also outlines how this document relates to supporting procedures and records. + +Add your content here... + +### 1.1 Intended Audience +Explain who should read and use this document (management, ISMS team, auditors, all staff, suppliers). + +Add your content here... + +### 1.2 How to Use this Template +Provide guidance for authors, approvers, and reviewers on how to complete each section and keep it current. + +Add your content here... + +--- + +## 2. Normative References (Clause 2) + +List standards and documents referenced by the ISMS (e.g., ISO/IEC 27000 family, legal/regulatory sources) that are indispensable for its application. + +Add your content here... + +--- + +## 3. Terms & Definitions (Clause 3) + +Define key terms used in this manual for clarity and consistency. Reference ISO/IEC 27000 glossary where applicable. + +Add your content here... + +--- + +# Core Requirements (Clauses 4–10) + +> Clauses 4–10 contain the auditable requirements for ISO/IEC 27001:2022. Use these sections to demonstrate conformity in both design and effectiveness. + +## 4. Context of the Organization (Clause 4) + +Establish the organizational context in which the ISMS operates, including internal/external issues, stakeholders, and ISMS boundaries. + +Add your content here... 
+ +### 4.1 Understanding the Organization and its Context (4.1) +Identify relevant internal and external issues that affect the ISMS’s intended outcomes (strategic, technological, legal, environmental, socio-economic). + +Add your content here... + +### 4.2 Understanding the Needs and Expectations of Interested Parties (4.2) +Identify stakeholders (e.g., customers, regulators, employees, suppliers) and their relevant information security requirements. + +Add your content here... + +### 4.3 Determining the Scope of the ISMS (4.3) +Define ISMS scope (locations, assets, processes, technologies), interfaces and dependencies. Justify inclusions/exclusions. + +Add your content here... + +### 4.4 ISMS and its Processes (4.4) +Describe the ISMS processes, their inputs/outputs, interactions, and criteria for effective operation and control. + +Add your content here... + +--- + +## 5. Leadership (Clause 5) + +Demonstrate leadership and commitment to the ISMS, define policy and roles, and ensure responsibilities and authorities are assigned and communicated. + +Add your content here... + +### 5.1 Leadership and Commitment (5.1) +Describe how top management leads, provides resources, integrates ISMS requirements with business processes, and promotes continual improvement. + +Add your content here... + +### 5.2 Information Security Policy (5.2) +State the policy framework, its alignment with strategic direction, availability to interested parties, and review cadence. + +Add your content here... + +### 5.3 Organizational Roles, Responsibilities and Authorities (5.3) +Define roles (e.g., ISMS Manager, Risk Owner, Control Owners), responsibilities, authorities, and reporting lines. + +Add your content here... + +--- + +## 6. Planning (Clause 6) + +Plan actions to address risks and opportunities, establish information security objectives, and plan their achievement. + +Add your content here... 
+ +### 6.1 Actions to Address Risks and Opportunities (6.1) +Explain your risk management methodology (criteria, likelihood/impact scales, acceptance criteria), treatment options, and linkage to controls (Annex A). Include legal/regulatory considerations. + +Add your content here... + +#### 6.1.2 Information Security Risk Assessment (6.1.2) +Describe the risk assessment process, frequency, triggers, and records. + +Add your content here... + +#### 6.1.3 Information Security Risk Treatment (6.1.3) +Describe how treatments are selected, justified, implemented, and tracked; reference Statement of Applicability (SoA). + +Add your content here... + +### 6.2 Information Security Objectives and Planning to Achieve Them (6.2) +Define measurable objectives (KPIs/KRIs), owners, targets, timelines, and plans for achieving them. + +Add your content here... + +--- + +## 7. Support (Clause 7) + +Detail resources, competencies, awareness, communications, and documented information needed to operate the ISMS. + +Add your content here... + +### 7.1 Resources (7.1) +Identify people, technology, budget, and partner resources required for ISMS effectiveness. + +Add your content here... + +### 7.2 Competence (7.2) +Document competence requirements, training plans, certifications, and evaluation methods. + +Add your content here... + +### 7.3 Awareness (7.3) +Define awareness topics, frequency, onboarding/offboarding coverage, and measurement. + +Add your content here... + +### 7.4 Communication (7.4) +Describe internal/external communication plans (what, when, by whom, channels) related to the ISMS. + +Add your content here... + +### 7.5 Documented Information (7.5) +Explain document/record control: creation, approval, change control, retention, access, format, and protection. + +Add your content here... + +--- + +## 8. 
Operation (Clause 8) + +Plan, implement, and control ISMS operational processes, including risk treatment and change management, and manage information security incidents. + +Add your content here... + +### 8.1 Operational Planning and Control (8.1) +Describe how operational processes meet ISMS requirements and control planned changes. + +Add your content here... + +### 8.2 Information Security Risk Assessment (Operational) (8.2) +Explain how you perform risk assessments when changes occur or at defined intervals. + +Add your content here... + +### 8.3 Information Security Risk Treatment (Operational) (8.3) +Describe how selected controls are implemented, verified, and maintained in operation. + +Add your content here... + +--- + +## 9. Performance Evaluation (Clause 9) + +Evaluate ISMS performance via monitoring, measurement, analysis, internal audit, and management review. + +Add your content here... + +### 9.1 Monitoring, Measurement, Analysis and Evaluation (9.1) +Set metrics/KPIs, methods, frequency, responsibilities, and evaluation criteria. + +Add your content here... + +### 9.2 Internal Audit (9.2) +Define audit program, criteria, scope, frequency, auditor independence, reporting, and follow-up. + +Add your content here... + +### 9.3 Management Review (9.3) +Outline inputs (status of actions, changes, risks, opportunities, performance, incidents) and outputs (decisions, actions, resources). + +Add your content here... + +--- + +## 10. Improvement (Clause 10) + +Drive continual improvement and address nonconformities with corrective actions. + +Add your content here... + +### 10.1 Continual Improvement (10.1) +Explain how improvement opportunities are identified, prioritized, and implemented. + +Add your content here... + +### 10.2 Nonconformity and Corrective Action (10.2) +Describe how you react to nonconformities, evaluate causes, implement and review corrective actions, and update risks/controls. + +Add your content here... 
+ +--- + +# Annex A Controls & Statement of Applicability + +> ISO/IEC 27001:2022 Annex A lists 93 controls grouped into four themes. Use this section to map your selected controls and justify inclusions/exclusions in the Statement of Applicability (SoA). + +## A.0 Overview & Control Selection Method + +Summarize your control selection approach: mapping from risks and legal/contractual requirements to Annex A controls and additional controls where needed. + +Add your content here... + +## A.1 Organisational Controls + +Describe organizational-level controls (policies, governance, supplier management, asset management, incident management, etc.). Provide references to procedures and tooling. + +Add your content here... + +## A.2 People Controls + +Describe people-focused controls (screening, terms of employment, awareness, discipline, responsibilities, remote work). + +Add your content here... + +## A.3 Physical Controls + +Describe physical security controls (secure areas, entry controls, equipment protection, environmental threats, media handling). + +Add your content here... + +## A.4 Technological Controls + +Describe technology controls (access control, cryptography, logging/monitoring, backup, network/application security, secure development, vulnerability management). + +Add your content here... + +## A.SoA Statement of Applicability + +Present a table of all applicable Annex A controls with status (Applied/Not Applied), justification, implementation reference, and verification method. + +Add your content here... + +--- + +# Risk Management & Asset Foundations (Supporting Sections) + +## R.1 Information Assets & Owners + +Establish an inventory of information assets, owners, classification, lifecycle, and protection requirements. + +Add your content here... + +## R.2 Risk Register + +Maintain identified risks, assessments, decisions, treatments, residual risks, and review dates. + +Add your content here... 
+ +## R.3 Legal, Regulatory, and Contractual Obligations + +Track applicable laws, regulations, certifications, customer commitments, and how the ISMS fulfills them. + +Add your content here... + +## R.4 Business Continuity & Disaster Recovery Alignment + +Describe how ISMS integrates with BC/DR planning, including RTO/RPO, exercises, and lessons learned. + +Add your content here... + +--- + +# Policies, Procedures, and Records Index + +Provide a living index of ISMS policies, standards, procedures, guidelines, and records with owners and locations. + +Add your content here... + +--- + +# Appendices + +## Appx A. Document Control Log +Track versions, authors, approvers, change descriptions, and dates. + +Add your content here... + +## Appx B. Training & Awareness Records +Summaries or links to records for competence and awareness activities. + +Add your content here... + +## Appx C. Audit & Review Evidence +Summaries or links to internal audits, management reviews, and KPI dashboards. + +Add your content here... + +--- + +# Best Practice Requirements Checklist (Quality Gate) + +Use this checklist as acceptance criteria to review the quality and completeness of this ISMS manual and its supporting evidence. + +- **Alignment with ISO/IEC 27001:2022 Clauses 4–10**: Each clause section is completed with organization-specific content, evidence pointers, and responsibilities. + Add your content here... +- **Risk-Based Control Selection**: Risk methodology defined; risks traced to treatments; SoA includes justification for each control. + Add your content here... +- **Annex A Coverage**: All 4 themes considered; applicable controls implemented or justified; references to procedures, tooling, and records. + Add your content here... +- **Measurable Objectives (6.2 & 9.1)**: Objectives are specific, measurable, time-bound; metrics and evaluation methods defined. + Add your content here... 
+- **Management Commitment (5.1)**: Evidence of leadership involvement (resources, integration with business, improvement actions). + Add your content here... +- **Policy Framework (5.2 & 7.5)**: Policy approved, communicated, versioned; document control applied consistently. + Add your content here... +- **Defined Roles & Competence (5.3 & 7.2)**: Roles, responsibilities, and required competencies documented; training plans and records exist. + Add your content here... +- **Operational Control (8.1–8.3)**: Change management, risk assessment on change, and risk treatment in operation are defined and evidenced. + Add your content here... +- **Incident Management & Learning**: Incident response defined; logs/monitoring support detection; post-incident reviews feed continual improvement. + Add your content here... +- **Audit & Management Review (9.2 & 9.3)**: Audit program executed; findings tracked; management reviews held with decisions and actions recorded. + Add your content here... +- **Continual Improvement (10.1)**: Improvement pipeline maintained; actions prioritized by risk/impact; outcomes measured. + Add your content here... +- **Corrective Action (10.2)**: Root cause analysis performed; corrective actions verified for effectiveness; risks/controls updated. + Add your content here... +- **Legal/Regulatory Mapping**: Obligations identified with controls/evidence mapped; updates monitored. + Add your content here... +- **Supplier & Outsourcing Controls**: Supplier risk assessment and monitoring defined; contracts include security clauses; evidence available. + Add your content here... +- **BC/DR Integration**: ISMS aligns with business continuity; exercises conducted; lessons learned tracked. + Add your content here... +- **Asset Inventory & Classification**: Asset owners, classifications, and handling rules documented and enforced. + Add your content here... 
+- **Access Control & Identity Management**: Joiner/mover/leaver processes, least privilege, MFA, and periodic reviews in place. + Add your content here... +- **Secure Development & Change**: SDLC integrates security; code review, testing, vulnerability management defined. + Add your content here... +- **Logging, Monitoring & Response**: Logging scope, retention, analysis, and alerting defined; response runbooks tested. + Add your content here... +- **Cryptography & Key Management**: Policies and procedures for algorithm choices, key lifecycles, and escrow defined. + Add your content here... + +--- + +## Document Approval + +- **Owner:** + Add your content here... +- **Reviewed by:** + Add your content here... +- **Approved by:** + Add your content here... +- **Effective date:** + Add your content here... +- **Next review date:** + Add your content here... + diff --git a/examples/TEMPLATE-ISO9001.md b/examples/TEMPLATE-ISO9001.md new file mode 100644 index 00000000..06a5d40e --- /dev/null +++ b/examples/TEMPLATE-ISO9001.md 
@@ -0,0 +1,241 @@ +# ISO 9001 Quality Management System — Documentation Template (Markdown) + +## 0. Introduction +This section explains why the organization uses ISO 9001, outlines the process approach and risk-based thinking, and describes how this QMS document set is structured and maintained over time. Add your content here... + +## 1. Scope +Define the boundaries and applicability of your QMS: products/services covered, sites, functions, and any justified exclusions allowed by the standard. Add your content here... + +## 2. Normative References +List referenced standards and documents essential to interpreting these requirements (e.g., ISO 9000 for fundamentals and vocabulary). Add your content here... + +## 3. Terms and Definitions +Provide definitions (or references) for terms used in this document set to ensure consistent interpretation across the organization. Add your content here... + +--- + +## 4. Context of the Organization +Explain the organization’s environment and how it affects the QMS design. + +### 4.1 Understanding the Organization and Its Context +Identify internal and external issues (e.g., market, regulatory, technological, environmental, and **climate-related** factors) relevant to strategic direction and QMS outcomes. Add your content here... + +### 4.2 Understanding the Needs and Expectations of Interested Parties +Determine relevant interested parties (customers, regulators, owners, employees, suppliers, community, etc.) and their pertinent requirements. Add your content here... + +### 4.3 Determining the Scope of the QMS +State the QMS scope with rationale for any exclusions to Clause 8, ensuring they don’t affect the ability to provide conforming products/services. Add your content here... + +### 4.4 QMS and Its Processes +Describe the process landscape, sequence/interactions, inputs/outputs, criteria/controls, resources, risks/opportunities, and methods to measure and improve processes. Add your content here... + +--- + +## 5. 
Leadership +Show top management accountability for the QMS. + +### 5.1 Leadership and Commitment +Demonstrate customer focus, quality policy alignment with strategy, resource support, process effectiveness, and promotion of continual improvement. Add your content here... + +### 5.2 Quality Policy +Establish, implement, maintain, and communicate a quality policy appropriate to purpose and context, providing a framework for objectives and commitment to satisfy requirements and improve. Add your content here... + +### 5.3 Organizational Roles, Responsibilities, and Authorities +Define and communicate responsibilities and authorities to ensure processes deliver intended results and the QMS conforms to requirements. Add your content here... + +--- + +## 6. Planning +Address risks, opportunities, objectives, and changes. + +### 6.1 Actions to Address Risks and Opportunities +Identify and plan actions for risks/opportunities affecting product/service conformity and customer satisfaction; integrate actions into processes and evaluate effectiveness. Add your content here... + +### 6.2 Quality Objectives and Planning to Achieve Them +Set measurable, monitored quality objectives aligned with the policy; plan who/what/when/resources and how results will be evaluated. Add your content here... + +### 6.3 Planning of Changes +When changing the QMS, plan changes to preserve integrity, allocate resources, and manage responsibilities. Add your content here... + +--- + +## 7. Support +Provide resources and infrastructure enabling process operation and control. + +### 7.1 Resources +Outline people, infrastructure, environment for operation, monitoring/measurement resources, organizational knowledge, and how adequacy is ensured. Add your content here... + +#### 7.1.1 General +Summarize the overall approach to determining and providing needed resources. Add your content here... + +#### 7.1.2 People +Define competence levels, staffing, and capacity planning. Add your content here... 
+ +#### 7.1.3 Infrastructure +Describe facilities, equipment, IT, and maintenance strategies supporting conformity. Add your content here... + +#### 7.1.4 Environment for the Operation of Processes +Describe physical, social, psychological, and environmental conditions (including sustainability considerations where relevant) to achieve conformity. Add your content here... + +#### 7.1.5 Monitoring and Measuring Resources +Control and maintain measurement equipment: selection, calibration/verification, traceability, and records. Add your content here... + +#### 7.1.6 Organizational Knowledge +Capture, maintain, and make available knowledge necessary for process operation and conformity; plan for changes and lessons learned. Add your content here... + +### 7.2 Competence +Ensure personnel are competent based on education, training, and experience; take actions to acquire competence and retain records. Add your content here... + +### 7.3 Awareness +Ensure people are aware of the policy, relevant objectives, their contributions, and consequences of nonconformity. Add your content here... + +### 7.4 Communication +Plan internal/external communications: what, when, with whom, how, and who communicates. Add your content here... + +### 7.5 Documented Information +Control the creation, update, and control of documented information (procedures, records): identification, format, review/approval, distribution, access, storage, retention, and disposition. Add your content here... + +--- + +## 8. Operation +Plan, implement, and control production/service provision processes. + +### 8.1 Operational Planning and Control +Plan and control processes to meet requirements: criteria, resources, controls, documented information, changes, and outsourced processes. Add your content here... + +### 8.2 Requirements for Products and Services +Manage customer communication, determine requirements, and review changes before commitment to supply; resolve conflicts and retain records. 
Add your content here... + +### 8.3 Design and Development of Products and Services +Plan, control, and verify design/development stages, inputs, controls, outputs, and changes; manage interfaces and retain evidence. Add your content here... + +### 8.4 Control of Externally Provided Processes, Products, and Services +Control suppliers/outsourcers based on risks and performance; define verification activities and criteria for acceptance. Add your content here... + +### 8.5 Production and Service Provision +Implement controlled conditions (work instructions, suitable infrastructure, monitoring/measurement, identification/traceability, property belonging to customers/providers, preservation). Add your content here... + +#### 8.5.1 Control of Production and Service Provision +Describe how controlled conditions are applied (e.g., SOPs, job travelers, checklists). Add your content here... + +#### 8.5.2 Identification and Traceability +Specify identification methods and traceability where required; maintain records. Add your content here... + +#### 8.5.3 Property Belonging to Customers or External Providers +Protect, verify, and report issues with customer/provider property. Add your content here... + +#### 8.5.4 Preservation +Preserve outputs (handling, packaging, storage, protection) to maintain conformity. Add your content here... + +#### 8.5.5 Post-Delivery Activities +Plan and control after-delivery activities (warranty, service, recycling/returns, recalls) based on risks and legal requirements. Add your content here... + +#### 8.5.6 Control of Changes +Review and control unplanned changes in production/service provision; authorize and record. Add your content here... + +### 8.6 Release of Products and Services +Verify that acceptance criteria are met before release; retain evidence of conformity and authorization. Add your content here... 
+ +### 8.7 Control of Nonconforming Outputs +Identify, control, correct, segregate (as applicable), and disposition nonconforming outputs; manage concessions and retain records. Add your content here... + +--- + +## 9. Performance Evaluation +Monitor, measure, analyze, and evaluate the QMS. + +### 9.1 Monitoring, Measurement, Analysis, and Evaluation +Define what to monitor/measure, methods, timing, evaluation, and reporting; include customer satisfaction and process performance. Add your content here... + +### 9.2 Internal Audit +Plan a risk-based internal audit program, define criteria, ensure objectivity/independence, report results, and follow up on actions. Add your content here... + +### 9.3 Management Review +Top management periodically reviews QMS suitability, adequacy, and effectiveness; record inputs (performance, risks, opportunities, changes) and outputs (decisions/actions). Add your content here... + +--- + +## 10. Improvement +Drive nonconformity correction, corrective action, and continual improvement. + +### 10.1 General +Identify improvement opportunities and implement necessary changes to enhance QMS performance and customer satisfaction. Add your content here... + +### 10.2 Nonconformity and Corrective Action +React to nonconformities, control/correct them, evaluate root causes, implement actions, and review effectiveness; keep records. Add your content here... + +### 10.3 Continual Improvement +Use audit results, data analysis, management review, and customer feedback to continually improve processes and the QMS. Add your content here... + +--- + +## Annex A (Informative) — Explanatory Guidance (Optional) +Provide organization-specific guidance on applying risk-based thinking, process approach, and PDCA; include examples, templates, or references. Add your content here... 
+ +## Annex B (Informative) — Process Map and Interaction Matrix (Optional) +Show a visual process map, SIPOC diagrams, and an interaction matrix linking processes to clauses and KPIs. Add your content here... + +--- + +# Best-Practice Requirements Checklist (for later quality review) +Use this checklist to assess whether your ISO 9001 document set is complete, coherent, and audit-ready. + +1. **Clear QMS Scope & Exclusions** + QMS scope states products/services, sites, functions, and any justified exclusions to Clause 8. Add your content here... + +2. **Context & Interested Parties Analyzed (incl. climate)** + Documented analysis of issues and interested-party needs, explicitly noting climate-related factors per Amendment 1:2024. Add your content here... + +3. **Process Landscape Defined** + End-to-end process map with owners, inputs/outputs, criteria, methods, risks/opportunities, KPIs, and interaction matrix. Add your content here... + +4. **Quality Policy & Objectives Aligned to Strategy** + Policy is appropriate and communicated; measurable objectives exist with plans, owners, and timelines. Add your content here... + +5. **Risk-Based Thinking Evident** + Risk/opportunity identification linked to processes, with planned actions and effectiveness evaluation. Add your content here... + +6. **Resource Adequacy Demonstrated** + People, infrastructure, environment, calibration/verification, and organizational knowledge are defined and controlled. Add your content here... + +7. **Competence & Awareness Controlled** + Role competence criteria, training actions, effectiveness checks, and awareness mechanisms are documented. Add your content here... + +8. **Documented Information Controlled** + Lifecycle controls cover identification, versioning, approval, access, retention, and disposition (incl. records). Add your content here... + +9. 
**Customer-Facing Requirements Managed** + Requirements determination, review, changes, and communications are controlled with evidence. Add your content here... + +10. **Design & Development (if applicable) Controlled** + Planned stages, inputs/outputs, reviews, verification/validation, and change control are in place. Add your content here... + +11. **Supplier/Outsource Control Risk-Based** + Criteria for selection, monitoring, and verification of externally provided processes/products/services are defined. Add your content here... + +12. **Production/Service Controls & Traceability** + Controlled conditions, identification/traceability, preservation, customer property, post-delivery, and change control defined. Add your content here... + +13. **Release & Nonconformity Controls** + Defined acceptance criteria, authorization for release, nonconformity handling, concessions, and records. Add your content here... + +14. **Monitoring & Measurement Plan** + What/when/how/who for data collection, including customer satisfaction; analysis and evaluation described. Add your content here... + +15. **Internal Audit Program Risk-Based** + Program covers scope/criteria/methods, auditor independence/competence, reporting, and follow-ups. Add your content here... + +16. **Management Review with Decisions/Actions** + Inputs cover performance, risks/opportunities, changes; outputs include decisions, resources, and improvement actions. Add your content here... + +17. **Corrective Action Root-Cause Focused** + Standardized approach to containment, root-cause analysis, action planning, effectiveness verification, and learning capture. Add your content here... + +18. **Continual Improvement Mechanisms** + Defined CI methods (e.g., PDCA, Kaizen), prioritization pipeline, and evidence of implemented improvements. Add your content here... + +19. **KPI Set with Targets & Owners** + Process and QMS KPIs have baselines, targets, owners, frequency, and review forums. 
Add your content here... + +20. **Change Management Discipline** + Planned QMS changes protect integrity; roles, risks, validation, and communication defined. Add your content here...
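Review bot: In the TEMPLATE-ISO27001-ISMS.md hunk, the Annex A headings `## A.1 Organisational Controls` through `## A.4 Technological Controls` use numbering that does not exist in ISO/IEC 27001:2022 Annex A, where the four themes are numbered 5 (Organizational), 6 (People), 7 (Physical) and 8 (Technological) and the individual controls are A.5.1 to A.8.34. Since the SoA section and the checklist item "Annex A Coverage" ask readers to reference controls by identifier, renaming these headings to `## A.5 Organisational Controls`, `## A.6 People Controls`, `## A.7 Physical Controls` and `## A.8 Technological Controls` (and using a heading like `## SoA` for the Statement of Applicability, rather than `## A.SoA`, which looks like a fifth theme) avoids a template-local numbering scheme that will clash with the standard's identifiers in the risk register and audit evidence. Related, the SoA description "status (Applied/Not Applied)" merges two things that 6.1.3 d) of the standard keeps separate: whether a control is necessary (with justification for inclusion or exclusion) and whether it is actually implemented; two columns, e.g. Applicable (Yes/No + justification) and Implemented (Yes/Partial/No + reference), would match what auditors look for. Minor: the file mixes "Organisational" and "organizational"; pick one spelling.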
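Review bot: In the TEMPLATE-ISO9001.md hunk, the template ends after checklist item 20 with no document approval or document control block, while the ISMS template in the same patch closes with a `## Document Approval` section (Owner, Reviewed by, Approved by, Effective date, Next review date). ISO 9001:2015 clause 7.5.2 requires review and approval of documented information, and this manual is itself documented information, so the same block should be added at the end of this file. Two consistency points: the placeholder `Add your content here...` is appended to the end of each description sentence here, whereas the other templates put it on its own line; an inline placeholder is easier to leave behind in a finished document and harder to grep for, so a separate line is preferable. And 7.1 and 8.5 are broken out into their sub-clauses (7.1.1 to 7.1.6, 8.5.1 to 8.5.6) but 9.1, 9.2 and 9.3 are not (9.1.1 General, 9.1.2 Customer satisfaction, 9.1.3 Analysis and evaluation; 9.2.1/9.2.2; 9.3.1 to 9.3.3); splitting them the same way keeps the heading structure uniform and makes the audit-evidence mapping in the checklist one-to-one with the standard.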