Purpose
This procedure defines how Maelstrom AI creates, reviews, approves, distributes, and retains documented information within the Information Security Management System (ISMS). It is designed to address the requirements of ISO 27001:2022 Clause 7.5 (Documented Information) in support of the ISO 27001 certification Maelstrom AI is pursuing.
Scope
Applies to all ISMS documented information, including:
- Policies and procedures
- Risk assessments and treatment plans
- Statement of applicability
- Audit reports and findings
- Management review minutes
- Operational records (incident logs, access reviews, change records)
- Supporting evidence and checklists
Document Lifecycle
All ISMS documents follow a defined lifecycle:
1. Creation
- Author drafts the document in the `provii-docs` Git repository
- Documents are written in Markdown (`.md` or `.mdx`) with Starlight frontmatter
- Author assigns a document title, owner, classification, and version number
- Initial version is always 1.0
2. Review
- Author creates a pull request (PR) in the `provii-docs` repository
- Reviewer checks for accuracy, completeness, consistency with other ISMS documents, and correct use of ISO terminology
- Review comments are recorded in the PR
3. Approval
- ISMS Owner approves the PR
- Approval is recorded as a PR review approval in GitHub
- Approval constitutes formal authorisation to publish
4. Publication
- PR is merged to the `main` branch
- Automated deployment publishes to maelstrom.au/trust
- Document becomes the current authorised version
5. Revision
- Any team member may propose changes via a new PR
- The same review and approval cycle applies
- Version number is incremented (e.g., 1.0 to 1.1 for minor changes, 1.0 to 2.0 for significant changes)
- Git history preserves the full change record
6. Obsolescence
- When a document is no longer required, the ISMS Owner approves its removal
- The document is removed from the published site via PR
- Git history retains the document indefinitely for audit purposes
Version Control
Git-Based Control
All ISMS documents are stored in the provii-docs repository within our GitHub organisation. Git provides:
- Full version history. Every change is recorded with author, date, and description
- Change attribution. Each commit identifies who made the change and why
- Branching and review. All changes go through pull requests with mandatory review
- Immutable audit trail. Git commit history cannot be altered without detection, because every commit hash is derived from the commit's content and its parent commits, so rewriting any past change alters every hash after it
Version Numbering
| Change Type | Version Increment | Examples |
|---|---|---|
| Major revision (new requirements, restructure) | X.0 → (X+1).0 | 1.0 → 2.0 |
| Minor update (corrections, clarifications) | X.Y → X.(Y+1) | 1.0 → 1.1 |
| Editorial (typos, formatting) | No increment | (none) |
Approval Workflow
- Author creates a feature branch
- Author commits changes and opens a PR
- Reviewer examines the diff and provides feedback
- ISMS Owner approves the PR
- Author merges to `main`
- Automated deployment publishes the updated document
Document Identification
Each document includes the following metadata:
Frontmatter (Top of Document)
- title. Document title
- description. Brief summary of document purpose
- section. Always `security` for ISMS documents
- group. Sidebar grouping (e.g., `policies`, `operations`, `controls`)
- order. Sidebar display order within the group
- icon. Visual indicator for navigation
Footer Metadata (Bottom of Document)
- Version. Current version number
- Effective Date. Date the current version took effect
- Owner. Role responsible for maintaining the document
- Review Frequency. How often the document is reviewed
- Next Review. Date of the next scheduled review
- Classification. Public, Internal, or Restricted
Master Document Register
The following table lists all ISMS documents currently maintained in the system.
| Document Title | Path | Version | Owner | Last Review | Next Review | Classification |
|---|---|---|---|---|---|---|
| ISMS Overview | /security/index | 1.1 | ISMS Owner | 2026-02-16 | 2027-02-16 | Public |
| ISMS Scope | /security/isms-scope | 1.1 | ISMS Owner | 2026-02-16 | 2027-02-16 | Public |
| Information Security Policy | /security/information-security-policy | 1.1 | ISMS Owner | 2026-02-16 | 2027-02-16 | Public |
| Context Analysis | /security/context-analysis | 1.1 | ISMS Owner | 2026-02-16 | 2027-02-16 | Public |
| Quick Reference | /security/quick-reference | 1.1 | ISMS Owner | 2026-02-16 | 2027-02-16 | Public |
| Risk Methodology | /security/risk-methodology | 1.1 | ISMS Owner | 2026-02-16 | 2027-02-16 | Public |
| Risk Register | /security/risk-register | 1.1 | ISMS Owner | 2026-02-16 | 2027-02-16 | Public |
| Statement of Applicability | /security/statement-of-applicability | 1.1 | ISMS Owner | 2026-02-16 | 2027-02-16 | Public |
| Gap Analysis | /security/gap-analysis | 2.0 | ISMS Owner | 2026-02-16 | 2026-05-15 | Public |
| Evidence Checklist | /security/evidence-checklist | 1.1 | ISMS Owner | 2026-02-16 | 2027-02-16 | Public |
| Access Control Policy | /security/access-control | 1.1 | ISMS Owner | 2026-02-16 | 2027-02-16 | Public |
| Acceptable Use Policy | /security/acceptable-use | 1.1 | ISMS Owner | 2026-02-16 | 2027-02-16 | Public |
| Change Management Procedure | /security/change-management | 1.1 | ISMS Owner | 2026-02-16 | 2027-02-16 | Public |
| Asset Management Policy | /security/asset-management | 1.1 | ISMS Owner | 2026-02-16 | 2027-02-16 | Public |
| Cryptography Policy | /security/cryptography-policy | 1.1 | ISMS Owner | 2026-02-16 | 2027-02-16 | Public |
| PQC Roadmap | /security/pqc-roadmap | 2.0 | ISMS Owner | 2026-02-16 | 2026-05-15 | Public |
| Supplier & Vendor Management | /security/supplier-management | 1.1 | ISMS Owner | 2026-02-16 | 2027-02-16 | Public |
| Data Retention Policy | /security/data-retention | 1.1 | ISMS Owner | 2026-02-16 | 2027-02-16 | Public |
| Privacy Complaints Procedure | /security/privacy-complaints | 1.1 | ISMS Owner | 2026-02-16 | 2027-02-16 | Public |
| Security Awareness Training | /security/security-awareness | 1.1 | ISMS Owner | 2026-02-16 | 2027-02-16 | Public |
| Roles and Responsibilities Matrix | /security/roles-responsibilities | 2.0 | ISMS Owner | 2026-02-16 | 2027-02-16 | Public |
| Asset Register | /security/asset-register | 1.1 | ISMS Owner | 2026-02-16 | 2027-02-16 | Public |
| Internal Audit Program | /security/internal-audit | 2.0 | ISMS Owner | 2026-02-16 | 2027-02-15 | Public |
| Management Review | /security/management-review | 2.0 | ISMS Owner | 2026-02-16 | 2026-05-15 | Public |
| Incident Response Procedure | /security/incident-response | 2.1 | ISMS Owner | 2026-02-16 | 2027-02-16 | Public |
| Business Continuity Plan | /security/business-continuity | 1.1 | ISMS Owner | 2026-02-16 | 2027-02-16 | Public |
| Document Control Procedure | /security/document-control | 2.0 | ISMS Owner | 2026-02-16 | 2027-02-16 | Public |
| Communication Procedure | /security/communication-procedure | 1.0 | ISMS Owner | 2026-02-13 | 2027-02-13 | Public |
| Security Objectives Register | /security/security-objectives | 1.0 | ISMS Owner | 2026-02-13 | 2027-02-13 | Public |
Distribution and Access
Published Documentation
All ISMS documents with a Public classification are published to maelstrom.au/trust and are freely accessible.
Draft Documents
Documents under development exist in Git branches and are visible only to team members with repository access. Drafts are not published until merged to `main`.
Restricted Documents
Documents classified as Restricted (e.g., detailed key material locations, specific vulnerability assessments) are stored separately with access limited to authorised personnel. These are not published to the public documentation site.
Retention
- Current version. Always available on the published documentation site
- Prior versions. Retained in Git history for a minimum of 3 years
- Obsolete documents. Removed from the published site but retained in Git history for a minimum of 3 years
- Audit records. Retained per the Internal Audit Program requirements
Review Schedule
All ISMS documents are reviewed:
- Annually. At minimum, every 12 months from the effective date
- Upon significant change. When there is a material change to the ISMS scope, risk profile, organisational structure, or regulatory environment
- After incidents. When a security incident reveals gaps in documented procedures
- After audits. When audit findings indicate documentation is incomplete or inaccurate
The ISMS Owner is responsible for maintaining the review schedule and ensuring reviews are completed on time. Overdue reviews are escalated in the management review.
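The metadata rules under Document Identification and the review schedule above are mechanical enough to check automatically, which is how overdue reviews get caught before the management review rather than during it. The script below is an added example, not part of the Maelstrom AI procedure or of the `provii-docs` repository. It assumes that the frontmatter is flat `key: value` YAML between `---` fences, that the footer metadata block starts with a line reading `Document Information`, and it uses a constructed sample document plus three rows copied from the master register above as input.

```python
"""Consistency checks for ISMS document metadata and the master register.

Added example; not the Maelstrom AI procedure's own tooling. Assumes flat
'key: value' frontmatter and a footer block introduced by a line that reads
'Document Information'. Sample inputs below are constructed for the example.
"""
import re
from datetime import date, timedelta

REQUIRED_FRONTMATTER = ("title", "description", "section", "group", "order", "icon")
REQUIRED_FOOTER = ("Version", "Effective Date", "Owner", "Review Frequency",
                   "Next Review", "Classification")
VALID_CLASSIFICATIONS = ("Public", "Internal", "Restricted")


def parse_frontmatter(markdown: str) -> dict:
    """Key/value pairs between the leading '---' fences (simplified YAML, assumption)."""
    m = re.match(r"^---\n(.*?)\n---\n", markdown, re.S)
    if not m:
        return {}
    fields = {}
    for line in m.group(1).splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def parse_footer(markdown: str) -> dict:
    """'Label. value' bullets after the last 'Document Information' line."""
    lines = markdown.splitlines()
    if "Document Information" not in lines:
        return {}
    start = len(lines) - 1 - lines[::-1].index("Document Information")
    fields = {}
    for line in lines[start + 1:]:
        m = re.match(r"^-\s*([A-Za-z ]+?)\.\s+(.+)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def check_document(markdown: str, as_of: date) -> list:
    """Human-readable findings for one document; empty list means it passes."""
    findings = []
    fm = parse_frontmatter(markdown)
    findings += [f"frontmatter missing '{k}'" for k in REQUIRED_FRONTMATTER if k not in fm]
    if fm.get("section") != "security":
        findings.append("frontmatter 'section' must be 'security' for ISMS documents")
    footer = parse_footer(markdown)
    findings += [f"footer missing '{k}'" for k in REQUIRED_FOOTER if k not in footer]
    if footer.get("Classification") not in VALID_CLASSIFICATIONS:
        findings.append("footer 'Classification' must be Public, Internal, or Restricted")
    if not re.fullmatch(r"\d+\.\d+", footer.get("Version", "")):
        findings.append("footer 'Version' must look like X.Y")
    next_review = footer.get("Next Review", "")
    try:
        if next_review and date.fromisoformat(next_review) < as_of:
            findings.append(f"review overdue since {next_review}")
    except ValueError:
        findings.append("footer 'Next Review' is not an ISO date")
    return findings


def parse_register(table: str) -> list:
    """Markdown pipe table -> list of row dicts keyed by the header cells."""
    rows = [l.strip() for l in table.strip().splitlines() if l.strip().startswith("|")]
    cells = lambda l: [c.strip() for c in l.strip("|").split("|")]
    header = cells(rows[0])
    return [dict(zip(header, cells(r))) for r in rows[2:]]  # rows[1] is the |---| line


def overdue_reviews(register: list, as_of: date) -> list:
    """Titles whose Next Review date has already passed on as_of."""
    return [r["Document Title"] for r in register
            if date.fromisoformat(r["Next Review"]) < as_of]


def annual_review_gaps(register: list, max_days: int = 366) -> list:
    """Titles scheduled more than 12 months after their last review."""
    return [r["Document Title"] for r in register
            if date.fromisoformat(r["Next Review"]) - date.fromisoformat(r["Last Review"])
            > timedelta(days=max_days)]


# Constructed sample document following the page's frontmatter/footer layout.
SAMPLE_DOC = """---
title: Example Policy
description: Constructed example document
section: security
group: policies
order: 10
icon: document
---
Body text of the policy.

Document Information
- Version. 1.1
- Effective Date. 2026-02-16
- Owner. ISMS Owner
- Review Frequency. Annually
- Next Review. 2027-02-16
- Classification. Public
"""

# Three rows copied from the master register on this page.
SAMPLE_REGISTER = """
| Document Title | Path | Version | Owner | Last Review | Next Review | Classification |
|---|---|---|---|---|---|---|
| ISMS Overview | /security/index | 1.1 | ISMS Owner | 2026-02-16 | 2027-02-16 | Public |
| Gap Analysis | /security/gap-analysis | 2.0 | ISMS Owner | 2026-02-16 | 2026-05-15 | Public |
| Internal Audit Program | /security/internal-audit | 2.0 | ISMS Owner | 2026-02-16 | 2027-02-15 | Public |
"""
```

Run `check_document` over every file in the repository as a CI step on the PR, and `overdue_reviews(parse_register(...), date.today())` on a schedule; anything it returns is the escalation list for the management review. The 366-day tolerance in `annual_review_gaps` allows for a leap day while still flagging a document whose next review was pushed past the 12-month requirement.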
Related Documents
- Information Security Policy - Top-level policy governing ISMS
- Internal Audit Program - Audit of documentation completeness
- Management Review - Review of ISMS effectiveness including documentation
- Roles and Responsibilities - Document ownership roles
Document Information
- Version. 2.0
- Effective Date. 2026-02-13 (initial), 2026-02-16 (updated)
- Owner. ISMS Owner
- Review Frequency. Annually
- Next Review. 2027-02-16
- Classification. Public