Version: 1.0 | Effective from: 1 January 2026
1. Purpose
This directive defines the requirements for audit, monitoring, and continuous improvement of the compliance programme.
2. Audit Programme
2.1 Types of audits
| Type | Frequency | Scope | Conducted by |
|---|
| Internal audit | Quarterly | Rotating areas | Compliance Officer |
| External audit | Annually | Full ISMS | External auditor |
| Compliance check | Semi-annually | Regulatory requirements | DPO + CISO |
| Penetration test | Annually | Full scope | External vendor |
| Vulnerability scan | Monthly | All systems | IT Security |
2.2 Internal Audit Programme
%3btext-align:center%3b%7d%23mermaid-0 .edgeLabel p%7bbackground-color:rgba(232%2c232%2c232%2c 0.8)%3b%7d%23mermaid-0 .edgeLabel rect%7bopacity:0.5%3bbackground-color:rgba(232%2c232%2c232%2c 0.8)%3bfill:rgba(232%2c232%2c232%2c 0.8)%3b%7d%23mermaid-0 .labelBkg%7bbackground-color:rgba(232%2c 232%2c 232%2c 0.5)%3b%7d%23mermaid-0 .cluster rect%7bfill:%23ffffde%3bstroke:%23aaaa33%3bstroke-width:1px%3b%7d%23mermaid-0 .cluster text%7bfill:%23333%3b%7d%23mermaid-0 .cluster span%7bcolor:%23333%3b%7d%23mermaid-0 div.mermaidTooltip%7bposition:absolute%3btext-align:center%3bmax-width:200px%3bpadding:2px%3bfont-family:arial%2csans-serif%3bfont-size:12px%3bbackground:hsl(80%2c 100%25%2c 96.2745098039%25)%3bborder:1px solid %23aaaa33%3bborder-radius:2px%3bpointer-events:none%3bz-index:100%3b%7d%23mermaid-0 .flowchartTitleText%7btext-anchor:middle%3bfont-size:18px%3bfill:%23333%3b%7d%23mermaid-0 rect.text%7bfill:none%3bstroke-width:0%3b%7d%23mermaid-0 .icon-shape%2c%23mermaid-0 .image-shape%7bbackground-color:rgba(232%2c232%2c232%2c 0.8)%3btext-align:center%3b%7d%23mermaid-0 .icon-shape p%2c%23mermaid-0 .image-shape p%7bbackground-color:rgba(232%2c232%2c232%2c 0.8)%3bpadding:2px%3b%7d%23mermaid-0 .icon-shape .label rect%2c%23mermaid-0 .image-shape .label rect%7bopacity:0.5%3bbackground-color:rgba(232%2c232%2c232%2c 0.8)%3bfill:rgba(232%2c232%2c232%2c 0.8)%3b%7d%23mermaid-0 .label-icon%7bdisplay:inline-block%3bheight:1em%3boverflow:visible%3bvertical-align:-0.125em%3b%7d%23mermaid-0 .node .label-icon path%7bfill:currentColor%3bstroke:revert%3bstroke-width:revert%3b%7d%23mermaid-0 :root%7b--mermaid-font-family:arial%2csans-serif%3b%7d%3c/style%3e%3cg%3e%3cmarker id='mermaid-0_flowchart-v2-pointEnd' class='marker flowchart-v2' viewBox='0 0 10 10' refX='5' refY='5' markerUnits='userSpaceOnUse' markerWidth='8' markerHeight='8' orient='auto'%3e%3cpath d='M 0 0 L 10 5 L 0 10 z' class='arrowMarkerPath' style='stroke-width: 1%3b stroke-dasharray: 1%2c 0%3b'/%3e%3c/marker%3e%3cmarker id='mermaid-0_flowchart-v2-pointStart' class='marker flowchart-v2' viewBox='0 0 10 10' refX='4.5' refY='5' markerUnits='userSpaceOnUse' markerWidth='8' markerHeight='8' orient='auto'%3e%3cpath d='M 0 5 L 10 10 L 10 0 z' class='arrowMarkerPath' style='stroke-width: 1%3b stroke-dasharray: 1%2c 0%3b'/%3e%3c/marker%3e%3cmarker id='mermaid-0_flowchart-v2-circleEnd' class='marker flowchart-v2' viewBox='0 0 10 10' refX='11' refY='5' markerUnits='userSpaceOnUse' markerWidth='11' markerHeight='11' orient='auto'%3e%3ccircle cx='5' cy='5' r='5' class='arrowMarkerPath' style='stroke-width: 1%3b stroke-dasharray: 1%2c 0%3b'/%3e%3c/marker%3e%3cmarker id='mermaid-0_flowchart-v2-circleStart' class='marker flowchart-v2' viewBox='0 0 10 10' refX='-1' refY='5' markerUnits='userSpaceOnUse' markerWidth='11' markerHeight='11' orient='auto'%3e%3ccircle cx='5' cy='5' r='5' class='arrowMarkerPath' style='stroke-width: 1%3b stroke-dasharray: 1%2c 0%3b'/%3e%3c/marker%3e%3cmarker id='mermaid-0_flowchart-v2-crossEnd' class='marker cross flowchart-v2' viewBox='0 0 11 11' refX='12' refY='5.2' markerUnits='userSpaceOnUse' markerWidth='11' markerHeight='11' orient='auto'%3e%3cpath d='M 1%2c1 l 9%2c9 M 10%2c1 l -9%2c9' class='arrowMarkerPath' style='stroke-width: 2%3b stroke-dasharray: 1%2c 0%3b'/%3e%3c/marker%3e%3cmarker id='mermaid-0_flowchart-v2-crossStart' class='marker cross flowchart-v2' viewBox='0 0 11 11' refX='-1' refY='5.2' markerUnits='userSpaceOnUse' markerWidth='11' markerHeight='11' orient='auto'%3e%3cpath d='M 1%2c1 l 9%2c9 M 10%2c1 l -9%2c9' class='arrowMarkerPath' style='stroke-width: 2%3b stroke-dasharray: 1%2c 0%3b'/%3e%3c/marker%3e%3cg class='root'%3e%3cg class='clusters'/%3e%3cg class='edgePaths'%3e%3cpath d='M175.5%2c444L175.5%2c448.167C175.5%2c452.333%2c175.5%2c460.667%2c175.5%2c468.333C175.5%2c476%2c175.5%2c483%2c175.5%2c486.5L175.5%2c490' id='L_Q1_Q2_0' class='edge-thickness-normal edge-pattern-solid edge-thickness-normal edge-pattern-solid flowchart-link' style='%3b' data-edge='true' data-et='edge' data-id='L_Q1_Q2_0' data-points='W3sieCI6MTc1LjUsInkiOjQ0NH0seyJ4IjoxNzUuNSwieSI6NDY5fSx7IngiOjE3NS41LCJ5Ijo0OTR9XQ==' marker-end='url(%23mermaid-0_flowchart-v2-pointEnd)'/%3e%3cpath d='M175.5%2c930L175.5%2c934.167C175.5%2c938.333%2c175.5%2c946.667%2c175.5%2c954.333C175.5%2c962%2c175.5%2c969%2c175.5%2c972.5L175.5%2c976' id='L_Q2_Q3_0' class='edge-thickness-normal edge-pattern-solid edge-thickness-normal edge-pattern-solid flowchart-link' style='%3b' data-edge='true' data-et='edge' data-id='L_Q2_Q3_0' data-points='W3sieCI6MTc1LjUsInkiOjkzMH0seyJ4IjoxNzUuNSwieSI6OTU1fSx7IngiOjE3NS41LCJ5Ijo5ODB9XQ==' marker-end='url(%23mermaid-0_flowchart-v2-pointEnd)'/%3e%3cpath d='M175.5%2c1416L175.5%2c1420.167C175.5%2c1424.333%2c175.5%2c1432.667%2c175.5%2c1440.333C175.5%2c1448%2c175.5%2c1455%2c175.5%2c1458.5L175.5%2c1462' id='L_Q3_Q4_0' class='edge-thickness-normal edge-pattern-solid edge-thickness-normal edge-pattern-solid flowchart-link' style='%3b' data-edge='true' data-et='edge' data-id='L_Q3_Q4_0' data-points='W3sieCI6MTc1LjUsInkiOjE0MTZ9LHsieCI6MTc1LjUsInkiOjE0NDF9LHsieCI6MTc1LjUsInkiOjE0NjZ9XQ==' marker-end='url(%23mermaid-0_flowchart-v2-pointEnd)'/%3e%3c/g%3e%3cg class='edgeLabels'%3e%3cg class='edgeLabel'%3e%3cg class='label' data-id='L_Q1_Q2_0' transform='translate(0%2c 0)'%3e%3cforeignObject width='0' height='0'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' class='labelBkg' style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b'%3e%3cspan class='edgeLabel'%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='edgeLabel'%3e%3cg class='label' data-id='L_Q2_Q3_0' transform='translate(0%2c 0)'%3e%3cforeignObject width='0' height='0'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' class='labelBkg' style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b'%3e%3cspan class='edgeLabel'%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='edgeLabel'%3e%3cg class='label' data-id='L_Q3_Q4_0' transform='translate(0%2c 0)'%3e%3cforeignObject width='0' height='0'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' class='labelBkg' style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b'%3e%3cspan class='edgeLabel'%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3c/g%3e%3cg class='nodes'%3e%3cg class='root' transform='translate(0%2c 1458)'%3e%3cg class='clusters'%3e%3cg class='cluster' id='Q4' data-look='classic'%3e%3crect style='' x='8' y='8' width='335' height='484'/%3e%3cg class='cluster-label' transform='translate(90.125%2c 8)'%3e%3cforeignObject width='170.75' height='24'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b'%3e%3cspan class='nodeLabel'%3e%3cp%3eQ4: Security Operations%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3c/g%3e%3cg class='edgePaths'/%3e%3cg class='edgeLabels'/%3e%3cg class='nodes'%3e%3cg class='node default' id='flowchart-Q4A-12' transform='translate(175.5%2c 82)'%3e%3crect class='basic label-container' style='' x='-130' y='-39' width='260' height='78'/%3e%3cg class='label' style='' transform='translate(-100%2c -24)'%3e%3crect/%3e%3cforeignObject width='200' height='48'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' style='display: table%3b white-space: break-spaces%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b width: 200px%3b'%3e%3cspan class='nodeLabel'%3e%3cp%3eIncident response effectiveness%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='node default' id='flowchart-Q4B-13' transform='translate(175.5%2c 198)'%3e%3crect class='basic label-container' style='' x='-122.9375' y='-27' width='245.875' height='54'/%3e%3cg class='label' style='' transform='translate(-92.9375%2c -12)'%3e%3crect/%3e%3cforeignObject width='185.875' height='24'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b'%3e%3cspan class='nodeLabel'%3e%3cp%3eBackup %26amp%3b recovery testing%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='node default' id='flowchart-Q4C-14' transform='translate(175.5%2c 314)'%3e%3crect class='basic label-container' style='' x='-130' y='-39' width='260' height='78'/%3e%3cg class='label' style='' transform='translate(-100%2c -24)'%3e%3crect/%3e%3cforeignObject width='200' height='48'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' style='display: table%3b white-space: break-spaces%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b width: 200px%3b'%3e%3cspan class='nodeLabel'%3e%3cp%3ePatch management compliance%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='node default' id='flowchart-Q4D-15' transform='translate(175.5%2c 430)'%3e%3crect class='basic label-container' style='' x='-128.2734375' y='-27' width='256.546875' height='54'/%3e%3cg class='label' style='' transform='translate(-98.2734375%2c -12)'%3e%3crect/%3e%3cforeignObject width='196.546875' height='24'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b'%3e%3cspan class='nodeLabel'%3e%3cp%3eSecurity awareness training%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3c/g%3e%3c/g%3e%3cg class='root' transform='translate(8.6953125%2c 972)'%3e%3cg class='clusters'%3e%3cg class='cluster' id='Q3' data-look='classic'%3e%3crect style='' x='8' y='8' width='317.609375' height='436'/%3e%3cg class='cluster-label' transform='translate(58.3125%2c 8)'%3e%3cforeignObject width='216.984375' height='24'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b'%3e%3cspan class='nodeLabel'%3e%3cp%3eQ3: AI Systems %26amp%3b Governance%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3c/g%3e%3cg class='edgePaths'/%3e%3cg class='edgeLabels'/%3e%3cg class='nodes'%3e%3cg class='node default' id='flowchart-Q3A-8' transform='translate(166.8046875%2c 70)'%3e%3crect class='basic label-container' style='' x='-106.4765625' y='-27' width='212.953125' height='54'/%3e%3cg class='label' style='' transform='translate(-76.4765625%2c -12)'%3e%3crect/%3e%3cforeignObject width='152.953125' height='24'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b'%3e%3cspan class='nodeLabel'%3e%3cp%3eAI inventory accuracy%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='node default' id='flowchart-Q3B-9' transform='translate(166.8046875%2c 174)'%3e%3crect class='basic label-container' style='' x='-118.46875' y='-27' width='236.9375' height='54'/%3e%3cg class='label' style='' transform='translate(-88.46875%2c -12)'%3e%3crect/%3e%3cforeignObject width='176.9375' height='24'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b'%3e%3cspan class='nodeLabel'%3e%3cp%3eRisk classification review%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='node default' id='flowchart-Q3C-10' transform='translate(166.8046875%2c 278)'%3e%3crect class='basic label-container' style='' x='-97.140625' y='-27' width='194.28125' height='54'/%3e%3cg class='label' style='' transform='translate(-67.140625%2c -12)'%3e%3crect/%3e%3cforeignObject width='134.28125' height='24'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b'%3e%3cspan class='nodeLabel'%3e%3cp%3eBias testing results%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='node default' id='flowchart-Q3D-11' transform='translate(166.8046875%2c 382)'%3e%3crect class='basic label-container' style='' x='-121.3046875' y='-27' width='242.609375' height='54'/%3e%3cg class='label' style='' transform='translate(-91.3046875%2c -12)'%3e%3crect/%3e%3cforeignObject width='182.609375' height='24'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b'%3e%3cspan class='nodeLabel'%3e%3cp%3eTransparency compliance%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3c/g%3e%3c/g%3e%3cg class='root' transform='translate(21.28125%2c 486)'%3e%3cg class='clusters'%3e%3cg class='cluster' id='Q2' data-look='classic'%3e%3crect style='' x='8' y='8' width='292.4375' height='436'/%3e%3cg class='cluster-label' transform='translate(47.953125%2c 8)'%3e%3cforeignObject width='212.53125' height='24'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b'%3e%3cspan class='nodeLabel'%3e%3cp%3eQ2: Data Protection %26amp%3b Privacy%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3c/g%3e%3cg class='edgePaths'/%3e%3cg class='edgeLabels'/%3e%3cg class='nodes'%3e%3cg class='node default' id='flowchart-Q2A-4' transform='translate(154.21875%2c 70)'%3e%3crect class='basic label-container' style='' x='-85.875' y='-27' width='171.75' height='54'/%3e%3cg class='label' style='' transform='translate(-55.875%2c -12)'%3e%3crect/%3e%3cforeignObject width='111.75' height='24'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b'%3e%3cspan class='nodeLabel'%3e%3cp%3eROPA accuracy%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='node default' id='flowchart-Q2B-5' transform='translate(154.21875%2c 174)'%3e%3crect class='basic label-container' style='' x='-108.71875' y='-27' width='217.4375' height='54'/%3e%3cg class='label' style='' transform='translate(-78.71875%2c -12)'%3e%3crect/%3e%3cforeignObject width='157.4375' height='24'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b'%3e%3cspan class='nodeLabel'%3e%3cp%3eConsent management%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='node default' id='flowchart-Q2C-6' transform='translate(154.21875%2c 278)'%3e%3crect class='basic label-container' style='' x='-94.9140625' y='-27' width='189.828125' height='54'/%3e%3cg class='label' style='' transform='translate(-64.9140625%2c -12)'%3e%3crect/%3e%3cforeignObject width='129.828125' height='24'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b'%3e%3cspan class='nodeLabel'%3e%3cp%3eDSAR compliance%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='node default' id='flowchart-Q2D-7' transform='translate(154.21875%2c 382)'%3e%3crect class='basic label-container' style='' x='-98.3359375' y='-27' width='196.671875' height='54'/%3e%3cg class='label' style='' transform='translate(-68.3359375%2c -12)'%3e%3crect/%3e%3cforeignObject width='136.671875' height='24'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b'%3e%3cspan class='nodeLabel'%3e%3cp%3eVendor DPA review%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3c/g%3e%3c/g%3e%3cg class='root' transform='translate(6.7578125%2c 0)'%3e%3cg class='clusters'%3e%3cg class='cluster' id='Q1' data-look='classic'%3e%3crect style='' x='8' y='8' width='321.484375' height='436'/%3e%3cg class='cluster-label' transform='translate(15.7734375%2c 8)'%3e%3cforeignObject width='305.9375' height='24'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b'%3e%3cspan class='nodeLabel'%3e%3cp%3eQ1: Access Control %26amp%3b Identity Management%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3c/g%3e%3cg class='edgePaths'/%3e%3cg class='edgeLabels'/%3e%3cg class='nodes'%3e%3cg class='node default' id='flowchart-Q1A-0' transform='translate(168.7421875%2c 70)'%3e%3crect class='basic label-container' style='' x='-88.6953125' y='-27' width='177.390625' height='54'/%3e%3cg class='label' style='' transform='translate(-58.6953125%2c -12)'%3e%3crect/%3e%3cforeignObject width='117.390625' height='24'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b'%3e%3cspan class='nodeLabel'%3e%3cp%3eMFA compliance%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='node default' id='flowchart-Q1B-1' transform='translate(168.7421875%2c 174)'%3e%3crect class='basic label-container' style='' x='-117.59375' y='-27' width='235.1875' height='54'/%3e%3cg class='label' style='' transform='translate(-87.59375%2c -12)'%3e%3crect/%3e%3cforeignObject width='175.1875' height='24'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b'%3e%3cspan class='nodeLabel'%3e%3cp%3ePrivileged access review%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='node default' id='flowchart-Q1C-2' transform='translate(168.7421875%2c 278)'%3e%3crect class='basic label-container' style='' x='-95.796875' y='-27' width='191.59375' height='54'/%3e%3cg class='label' style='' transform='translate(-65.796875%2c -12)'%3e%3crect/%3e%3cforeignObject width='131.59375' height='24'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b'%3e%3cspan class='nodeLabel'%3e%3cp%3eUser access rights%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='node default' id='flowchart-Q1D-3' transform='translate(168.7421875%2c 382)'%3e%3crect class='basic label-container' style='' x='-123.2421875' y='-27' width='246.484375' height='54'/%3e%3cg class='label' style='' transform='translate(-93.2421875%2c -12)'%3e%3crect/%3e%3cforeignObject width='186.484375' height='24'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b'%3e%3cspan class='nodeLabel'%3e%3cp%3eOffboarding completeness%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3c/g%3e%3c/g%3e%3c/g%3e%3c/g%3e%3c/g%3e%3c/svg%3e)
2.3 Audit Process
%3btext-align:center%3b%7d%23mermaid-1 .edgeLabel p%7bbackground-color:rgba(232%2c232%2c232%2c 0.8)%3b%7d%23mermaid-1 .edgeLabel rect%7bopacity:0.5%3bbackground-color:rgba(232%2c232%2c232%2c 0.8)%3bfill:rgba(232%2c232%2c232%2c 0.8)%3b%7d%23mermaid-1 .labelBkg%7bbackground-color:rgba(232%2c 232%2c 232%2c 0.5)%3b%7d%23mermaid-1 .cluster rect%7bfill:%23ffffde%3bstroke:%23aaaa33%3bstroke-width:1px%3b%7d%23mermaid-1 .cluster text%7bfill:%23333%3b%7d%23mermaid-1 .cluster span%7bcolor:%23333%3b%7d%23mermaid-1 div.mermaidTooltip%7bposition:absolute%3btext-align:center%3bmax-width:200px%3bpadding:2px%3bfont-family:arial%2csans-serif%3bfont-size:12px%3bbackground:hsl(80%2c 100%25%2c 96.2745098039%25)%3bborder:1px solid %23aaaa33%3bborder-radius:2px%3bpointer-events:none%3bz-index:100%3b%7d%23mermaid-1 .flowchartTitleText%7btext-anchor:middle%3bfont-size:18px%3bfill:%23333%3b%7d%23mermaid-1 rect.text%7bfill:none%3bstroke-width:0%3b%7d%23mermaid-1 .icon-shape%2c%23mermaid-1 .image-shape%7bbackground-color:rgba(232%2c232%2c232%2c 0.8)%3btext-align:center%3b%7d%23mermaid-1 .icon-shape p%2c%23mermaid-1 .image-shape p%7bbackground-color:rgba(232%2c232%2c232%2c 0.8)%3bpadding:2px%3b%7d%23mermaid-1 .icon-shape .label rect%2c%23mermaid-1 .image-shape .label rect%7bopacity:0.5%3bbackground-color:rgba(232%2c232%2c232%2c 0.8)%3bfill:rgba(232%2c232%2c232%2c 0.8)%3b%7d%23mermaid-1 .label-icon%7bdisplay:inline-block%3bheight:1em%3boverflow:visible%3bvertical-align:-0.125em%3b%7d%23mermaid-1 .node .label-icon path%7bfill:currentColor%3bstroke:revert%3bstroke-width:revert%3b%7d%23mermaid-1 :root%7b--mermaid-font-family:arial%2csans-serif%3b%7d%3c/style%3e%3cg%3e%3cmarker id='mermaid-1_flowchart-v2-pointEnd' class='marker flowchart-v2' viewBox='0 0 10 10' refX='5' refY='5' markerUnits='userSpaceOnUse' markerWidth='8' markerHeight='8' orient='auto'%3e%3cpath d='M 0 0 L 10 5 L 0 10 z' class='arrowMarkerPath' style='stroke-width: 1%3b stroke-dasharray: 1%2c 0%3b'/%3e%3c/marker%3e%3cmarker id='mermaid-1_flowchart-v2-pointStart' class='marker flowchart-v2' viewBox='0 0 10 10' refX='4.5' refY='5' markerUnits='userSpaceOnUse' markerWidth='8' markerHeight='8' orient='auto'%3e%3cpath d='M 0 5 L 10 10 L 10 0 z' class='arrowMarkerPath' style='stroke-width: 1%3b stroke-dasharray: 1%2c 0%3b'/%3e%3c/marker%3e%3cmarker id='mermaid-1_flowchart-v2-circleEnd' class='marker flowchart-v2' viewBox='0 0 10 10' refX='11' refY='5' markerUnits='userSpaceOnUse' markerWidth='11' markerHeight='11' orient='auto'%3e%3ccircle cx='5' cy='5' r='5' class='arrowMarkerPath' style='stroke-width: 1%3b stroke-dasharray: 1%2c 0%3b'/%3e%3c/marker%3e%3cmarker id='mermaid-1_flowchart-v2-circleStart' class='marker flowchart-v2' viewBox='0 0 10 10' refX='-1' refY='5' markerUnits='userSpaceOnUse' markerWidth='11' markerHeight='11' orient='auto'%3e%3ccircle cx='5' cy='5' r='5' class='arrowMarkerPath' style='stroke-width: 1%3b stroke-dasharray: 1%2c 0%3b'/%3e%3c/marker%3e%3cmarker id='mermaid-1_flowchart-v2-crossEnd' class='marker cross flowchart-v2' viewBox='0 0 11 11' refX='12' refY='5.2' markerUnits='userSpaceOnUse' markerWidth='11' markerHeight='11' orient='auto'%3e%3cpath d='M 1%2c1 l 9%2c9 M 10%2c1 l -9%2c9' class='arrowMarkerPath' style='stroke-width: 2%3b stroke-dasharray: 1%2c 0%3b'/%3e%3c/marker%3e%3cmarker id='mermaid-1_flowchart-v2-crossStart' class='marker cross flowchart-v2' viewBox='0 0 11 11' refX='-1' refY='5.2' markerUnits='userSpaceOnUse' markerWidth='11' markerHeight='11' orient='auto'%3e%3cpath d='M 1%2c1 l 9%2c9 M 10%2c1 l -9%2c9' class='arrowMarkerPath' style='stroke-width: 2%3b stroke-dasharray: 1%2c 0%3b'/%3e%3c/marker%3e%3cg class='root'%3e%3cg class='clusters'/%3e%3cg class='edgePaths'%3e%3cpath d='M138%2c158L138%2c162.167C138%2c166.333%2c138%2c174.667%2c138%2c182.333C138%2c190%2c138%2c197%2c138%2c200.5L138%2c204' id='L_P_E_0' class='edge-thickness-normal edge-pattern-solid edge-thickness-normal edge-pattern-solid flowchart-link' style='%3b' data-edge='true' data-et='edge' data-id='L_P_E_0' data-points='W3sieCI6MTM4LCJ5IjoxNTh9LHsieCI6MTM4LCJ5IjoxODN9LHsieCI6MTM4LCJ5IjoyMDh9XQ==' marker-end='url(%23mermaid-1_flowchart-v2-pointEnd)'/%3e%3cpath d='M138%2c358L138%2c362.167C138%2c366.333%2c138%2c374.667%2c138%2c382.333C138%2c390%2c138%2c397%2c138%2c400.5L138%2c404' id='L_E_R_0' class='edge-thickness-normal edge-pattern-solid edge-thickness-normal edge-pattern-solid flowchart-link' style='%3b' data-edge='true' data-et='edge' data-id='L_E_R_0' data-points='W3sieCI6MTM4LCJ5IjozNTh9LHsieCI6MTM4LCJ5IjozODN9LHsieCI6MTM4LCJ5Ijo0MDh9XQ==' marker-end='url(%23mermaid-1_flowchart-v2-pointEnd)'/%3e%3cpath d='M138%2c558L138%2c562.167C138%2c566.333%2c138%2c574.667%2c138%2c582.333C138%2c590%2c138%2c597%2c138%2c600.5L138%2c604' id='L_R_F_0' class='edge-thickness-normal edge-pattern-solid edge-thickness-normal edge-pattern-solid flowchart-link' style='%3b' data-edge='true' data-et='edge' data-id='L_R_F_0' data-points='W3sieCI6MTM4LCJ5Ijo1NTh9LHsieCI6MTM4LCJ5Ijo1ODN9LHsieCI6MTM4LCJ5Ijo2MDh9XQ==' marker-end='url(%23mermaid-1_flowchart-v2-pointEnd)'/%3e%3c/g%3e%3cg class='edgeLabels'%3e%3cg class='edgeLabel'%3e%3cg class='label' data-id='L_P_E_0' transform='translate(0%2c 0)'%3e%3cforeignObject width='0' height='0'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' class='labelBkg' style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b'%3e%3cspan class='edgeLabel'%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='edgeLabel'%3e%3cg class='label' data-id='L_E_R_0' transform='translate(0%2c 0)'%3e%3cforeignObject width='0' height='0'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' class='labelBkg' style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b'%3e%3cspan class='edgeLabel'%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='edgeLabel'%3e%3cg class='label' data-id='L_R_F_0' transform='translate(0%2c 0)'%3e%3cforeignObject width='0' height='0'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' class='labelBkg' style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b'%3e%3cspan class='edgeLabel'%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3c/g%3e%3cg class='nodes'%3e%3cg class='node default' id='flowchart-P-0' transform='translate(138%2c 83)'%3e%3crect class='basic label-container' style='' x='-130' y='-75' width='260' height='150'/%3e%3cg class='label' style='' transform='translate(-100%2c -60)'%3e%3crect/%3e%3cforeignObject width='200' height='120'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' style='display: table%3b white-space: break-spaces%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b width: 200px%3b'%3e%3cspan class='nodeLabel'%3e%3cp%3e1. PLANNING%3cbr /%3eDefine scope %7c Identify controls%3cbr /%3eSchedule with stakeholders%3cbr /%3ePrepare audit checklist%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='node default' id='flowchart-E-2' transform='translate(138%2c 283)'%3e%3crect class='basic label-container' style='' x='-130' y='-75' width='260' height='150'/%3e%3cg class='label' style='' transform='translate(-100%2c -60)'%3e%3crect/%3e%3cforeignObject width='200' height='120'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' style='display: table%3b white-space: break-spaces%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b width: 200px%3b'%3e%3cspan class='nodeLabel'%3e%3cp%3e2. EXECUTION%3cbr /%3eDocument review %7c Interviews%3cbr /%3eTechnical testing %7c Evidence collection%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='node default' id='flowchart-R-4' transform='translate(138%2c 483)'%3e%3crect class='basic label-container' style='' x='-130' y='-75' width='260' height='150'/%3e%3cg class='label' style='' transform='translate(-100%2c -60)'%3e%3crect/%3e%3cforeignObject width='200' height='120'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' style='display: table%3b white-space: break-spaces%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b width: 200px%3b'%3e%3cspan class='nodeLabel'%3e%3cp%3e3. REPORTING%3cbr /%3eDraft findings %7c Risk rating%3cbr /%3eRemediation recommendations%3cbr /%3eManagement review%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='node default' id='flowchart-F-6' transform='translate(138%2c 671)'%3e%3crect class='basic label-container' style='' x='-130' y='-63' width='260' height='126'/%3e%3cg class='label' style='' transform='translate(-100%2c -48)'%3e%3crect/%3e%3cforeignObject width='200' height='96'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' style='display: table%3b white-space: break-spaces%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b width: 200px%3b'%3e%3cspan class='nodeLabel'%3e%3cp%3e4. FOLLOW-UP%3cbr /%3eRemediation tracking %7c Re-testing%3cbr /%3eClosure verification%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3c/g%3e%3c/g%3e%3c/g%3e%3c/svg%3e)
3. Continuous Monitoring
3.1 Security Monitoring
| Area | Monitoring | Tool | Alert threshold |
|---|
| Authentication | Failed logins | SIEM | >5 failures / 10min |
| Access | Privileged access | PAM | Any admin access |
| Network | Traffic anomalies | IDS/IPS | Signature match |
| Endpoint | Malware detection | EDR | Any detection |
| Application | Error rates | APM | >1% error rate |
| Data | Sensitive data access | DLP | Any PII export |
3.2 Compliance Monitoring
| Regulation | Metric | Target | Measurement |
|---|
| AI Act | AI inventory completeness | 100% | Quarterly |
| AI Act | High-risk AI documentation | 100% | Monthly |
| NIS2 | Patch compliance | >95% | Monthly |
| NIS2 | Incident response time | <4h (critical) | On incident |
| GDPR | DSAR response time | <30 days | Per DSAR |
| GDPR | Breach notification | <72h | On breach |
3.3 Monitoring Dashboard
4.1 Security KPIs
| KPI | Target | Current | Trend |
|---|
| Patch compliance (critical) | >99% | | |
| Patch compliance (high) | >95% | | |
| MFA adoption | 100% | | |
| Phishing click rate | <5% | | |
| Mean time to detect (MTTD) | <1h | | |
| Mean time to respond (MTTR) | <4h | | |
4.2 Privacy KPIs
| KPI | Target | Current | Trend |
|---|
| DSAR response time | <30 days | | |
| DSAR compliance rate | 100% | | |
| Data mapping accuracy | >95% | | |
| DPA coverage | 100% | | |
| Privacy training completion | 100% | | |
4.3 AI Governance KPIs
| KPI | Target | Current | Trend |
|---|
| AI inventory completeness | 100% | | |
| Risk classification coverage | 100% | | |
| High-risk AI documentation | 100% | | |
| Bias testing frequency | Monthly | | |
| AI incident rate | <1/quarter | | |
5. Risk Register
5.1 Risk Register Template
| Risk ID | Description | Category | Likelihood | Impact | Score | Status | Mitigation |
|---|
| RISK-001 | | AI/NIS2/GDPR | 1-5 | 1-5 | LxI | Open/Mitigated | |
5.2 Risk Review Process
| Frequency | Activity |
|---|
| Weekly | New risks identification |
| Monthly | Risk register review (CISO + DPO) |
| Quarterly | Risk treatment plan update (C-level) |
| Annually | Full risk assessment refresh |
5.3 Risk Acceptance
Risk acceptance criteria:
| Risk Score | Acceptance | Approval |
|---|
| 1-5 (Low) | Automatic | Risk owner |
| 6-12 (Medium) | With mitigation | CISO/DPO |
| 13-20 (High) | Exceptional | CTO + CEO |
| 21-25 (Critical) | Never | N/A |
6. Reporting
6.1 Report Schedule
| Report | Audience | Frequency |
|---|
| Security metrics | IT Management | Weekly |
| Compliance status | C-level | Monthly |
| Risk register | Board | Quarterly |
| External audit | Board + Regulators | Annually |
6.2 Monthly Compliance Report Template
7. Continuous Improvement
7.1 PDCA Cycle
%3btext-align:center%3b%7d%23mermaid-2 .edgeLabel p%7bbackground-color:rgba(232%2c232%2c232%2c 0.8)%3b%7d%23mermaid-2 .edgeLabel rect%7bopacity:0.5%3bbackground-color:rgba(232%2c232%2c232%2c 0.8)%3bfill:rgba(232%2c232%2c232%2c 0.8)%3b%7d%23mermaid-2 .labelBkg%7bbackground-color:rgba(232%2c 232%2c 232%2c 0.5)%3b%7d%23mermaid-2 .cluster rect%7bfill:%23ffffde%3bstroke:%23aaaa33%3bstroke-width:1px%3b%7d%23mermaid-2 .cluster text%7bfill:%23333%3b%7d%23mermaid-2 .cluster span%7bcolor:%23333%3b%7d%23mermaid-2 div.mermaidTooltip%7bposition:absolute%3btext-align:center%3bmax-width:200px%3bpadding:2px%3bfont-family:arial%2csans-serif%3bfont-size:12px%3bbackground:hsl(80%2c 100%25%2c 96.2745098039%25)%3bborder:1px solid %23aaaa33%3bborder-radius:2px%3bpointer-events:none%3bz-index:100%3b%7d%23mermaid-2 .flowchartTitleText%7btext-anchor:middle%3bfont-size:18px%3bfill:%23333%3b%7d%23mermaid-2 rect.text%7bfill:none%3bstroke-width:0%3b%7d%23mermaid-2 .icon-shape%2c%23mermaid-2 .image-shape%7bbackground-color:rgba(232%2c232%2c232%2c 0.8)%3btext-align:center%3b%7d%23mermaid-2 .icon-shape p%2c%23mermaid-2 .image-shape p%7bbackground-color:rgba(232%2c232%2c232%2c 0.8)%3bpadding:2px%3b%7d%23mermaid-2 .icon-shape .label rect%2c%23mermaid-2 .image-shape .label rect%7bopacity:0.5%3bbackground-color:rgba(232%2c232%2c232%2c 0.8)%3bfill:rgba(232%2c232%2c232%2c 0.8)%3b%7d%23mermaid-2 .label-icon%7bdisplay:inline-block%3bheight:1em%3boverflow:visible%3bvertical-align:-0.125em%3b%7d%23mermaid-2 .node .label-icon path%7bfill:currentColor%3bstroke:revert%3bstroke-width:revert%3b%7d%23mermaid-2 :root%7b--mermaid-font-family:arial%2csans-serif%3b%7d%3c/style%3e%3cg%3e%3cmarker id='mermaid-2_flowchart-v2-pointEnd' class='marker flowchart-v2' viewBox='0 0 10 10' refX='5' refY='5' markerUnits='userSpaceOnUse' markerWidth='8' markerHeight='8' orient='auto'%3e%3cpath d='M 0 0 L 10 5 L 0 10 z' class='arrowMarkerPath' style='stroke-width: 1%3b stroke-dasharray: 1%2c 0%3b'/%3e%3c/marker%3e%3cmarker id='mermaid-2_flowchart-v2-pointStart' class='marker flowchart-v2' viewBox='0 0 10 10' refX='4.5' refY='5' markerUnits='userSpaceOnUse' markerWidth='8' markerHeight='8' orient='auto'%3e%3cpath d='M 0 5 L 10 10 L 10 0 z' class='arrowMarkerPath' style='stroke-width: 1%3b stroke-dasharray: 1%2c 0%3b'/%3e%3c/marker%3e%3cmarker id='mermaid-2_flowchart-v2-circleEnd' class='marker flowchart-v2' viewBox='0 0 10 10' refX='11' refY='5' markerUnits='userSpaceOnUse' markerWidth='11' markerHeight='11' orient='auto'%3e%3ccircle cx='5' cy='5' r='5' class='arrowMarkerPath' style='stroke-width: 1%3b stroke-dasharray: 1%2c 0%3b'/%3e%3c/marker%3e%3cmarker id='mermaid-2_flowchart-v2-circleStart' class='marker flowchart-v2' viewBox='0 0 10 10' refX='-1' refY='5' markerUnits='userSpaceOnUse' markerWidth='11' markerHeight='11' orient='auto'%3e%3ccircle cx='5' cy='5' r='5' class='arrowMarkerPath' style='stroke-width: 1%3b stroke-dasharray: 1%2c 0%3b'/%3e%3c/marker%3e%3cmarker id='mermaid-2_flowchart-v2-crossEnd' class='marker cross flowchart-v2' viewBox='0 0 11 11' refX='12' refY='5.2' markerUnits='userSpaceOnUse' markerWidth='11' markerHeight='11' orient='auto'%3e%3cpath d='M 1%2c1 l 9%2c9 M 10%2c1 l -9%2c9' class='arrowMarkerPath' style='stroke-width: 2%3b stroke-dasharray: 1%2c 0%3b'/%3e%3c/marker%3e%3cmarker id='mermaid-2_flowchart-v2-crossStart' class='marker cross flowchart-v2' viewBox='0 0 11 11' refX='-1' refY='5.2' markerUnits='userSpaceOnUse' markerWidth='11' markerHeight='11' orient='auto'%3e%3cpath d='M 1%2c1 l 9%2c9 M 10%2c1 l -9%2c9' class='arrowMarkerPath' style='stroke-width: 2%3b stroke-dasharray: 1%2c 0%3b'/%3e%3c/marker%3e%3cg class='root'%3e%3cg class='clusters'/%3e%3cg class='edgePaths'%3e%3cpath d='M224.516%2c67.067L228.682%2c65.723C232.849%2c64.378%2c241.182%2c61.689%2c248.849%2c60.345C256.516%2c59%2c263.516%2c59%2c267.016%2c59L270.516%2c59' id='L_PLAN_DO_0' class='edge-thickness-normal edge-pattern-solid edge-thickness-normal edge-pattern-solid flowchart-link' style='%3b' data-edge='true' data-et='edge' data-id='L_PLAN_DO_0' data-points='W3sieCI6MjI0LjUxNTYyNSwieSI6NjcuMDY3MDY5MjM4NDM1ODN9LHsieCI6MjQ5LjUxNTYyNSwieSI6NTl9LHsieCI6Mjc0LjUxNTYyNSwieSI6NTl9XQ==' marker-end='url(%23mermaid-2_flowchart-v2-pointEnd)'/%3e%3cpath d='M474.156%2c59L478.323%2c59C482.49%2c59%2c490.823%2c59%2c498.49%2c59C506.156%2c59%2c513.156%2c59%2c516.656%2c59L520.156%2c59' id='L_DO_CHECK_0' class='edge-thickness-normal edge-pattern-solid edge-thickness-normal edge-pattern-solid flowchart-link' style='%3b' data-edge='true' data-et='edge' data-id='L_DO_CHECK_0' data-points='W3sieCI6NDc0LjE1NjI1LCJ5Ijo1OX0seyJ4Ijo0OTkuMTU2MjUsInkiOjU5fSx7IngiOjUyNC4xNTYyNSwieSI6NTl9XQ==' marker-end='url(%23mermaid-2_flowchart-v2-pointEnd)'/%3e%3cpath d='M697.984%2c59L702.151%2c59C706.318%2c59%2c714.651%2c59%2c722.374%2c60.565C730.097%2c62.131%2c737.21%2c65.261%2c740.767%2c66.827L744.323%2c68.392' id='L_CHECK_ACT_0' class='edge-thickness-normal edge-pattern-solid edge-thickness-normal edge-pattern-solid flowchart-link' style='%3b' data-edge='true' data-et='edge' data-id='L_CHECK_ACT_0' data-points='W3sieCI6Njk3Ljk4NDM3NSwieSI6NTl9LHsieCI6NzIyLjk4NDM3NSwieSI6NTl9LHsieCI6NzQ3Ljk4NDM3NSwieSI6NzAuMDAzNTk4NTYwNTc1Nzd9XQ==' marker-end='url(%23mermaid-2_flowchart-v2-pointEnd)'/%3e%3cpath d='M747.984%2c133.996L743.818%2c135.83C739.651%2c137.664%2c731.318%2c141.332%2c708.499%2c143.166C685.68%2c145%2c648.375%2c145%2c611.07%2c145C573.766%2c145%2c536.461%2c145%2c497.005%2c145C457.549%2c145%2c415.943%2c145%2c374.336%2c145C332.729%2c145%2c291.122%2c145%2c266.787%2c143.86C242.451%2c142.72%2c235.387%2c140.441%2c231.855%2c139.301L228.322%2c138.161' id='L_ACT_PLAN_0' class='edge-thickness-normal edge-pattern-solid edge-thickness-normal edge-pattern-solid flowchart-link' style='%3b' data-edge='true' data-et='edge' data-id='L_ACT_PLAN_0' data-points='W3sieCI6NzQ3Ljk4NDM3NSwieSI6MTMzLjk5NjQwMTQzOTQyNDIzfSx7IngiOjcyMi45ODQzNzUsInkiOjE0NX0seyJ4Ijo2MTEuMDcwMzEyNSwieSI6MTQ1fSx7IngiOjQ5OS4xNTYyNSwieSI6MTQ1fSx7IngiOjM3NC4zMzU5Mzc1LCJ5IjoxNDV9LHsieCI6MjQ5LjUxNTYyNSwieSI6MTQ1fSx7IngiOjIyNC41MTU2MjUsInkiOjEzNi45MzI5MzA3NjE1NjQxN31d' marker-end='url(%23mermaid-2_flowchart-v2-pointEnd)'/%3e%3c/g%3e%3cg class='edgeLabels'%3e%3cg class='edgeLabel'%3e%3cg class='label' data-id='L_PLAN_DO_0' transform='translate(0%2c 0)'%3e%3cforeignObject width='0' height='0'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' class='labelBkg' style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b'%3e%3cspan class='edgeLabel'%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='edgeLabel'%3e%3cg class='label' data-id='L_DO_CHECK_0' transform='translate(0%2c 0)'%3e%3cforeignObject width='0' height='0'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' class='labelBkg' style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b'%3e%3cspan class='edgeLabel'%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='edgeLabel'%3e%3cg class='label' data-id='L_CHECK_ACT_0' transform='translate(0%2c 0)'%3e%3cforeignObject width='0' height='0'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' class='labelBkg' style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b'%3e%3cspan class='edgeLabel'%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='edgeLabel'%3e%3cg class='label' data-id='L_ACT_PLAN_0' transform='translate(0%2c 0)'%3e%3cforeignObject width='0' height='0'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' class='labelBkg' style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b'%3e%3cspan class='edgeLabel'%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3c/g%3e%3cg class='nodes'%3e%3cg class='node default' id='flowchart-PLAN-0' transform='translate(116.2578125%2c 102)'%3e%3crect class='basic label-container' style='' x='-108.2578125' y='-51' width='216.515625' height='102'/%3e%3cg class='label' style='' transform='translate(-78.2578125%2c -36)'%3e%3crect/%3e%3cforeignObject width='156.515625' height='72'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b'%3e%3cspan class='nodeLabel'%3e%3cp%3ePLAN%3cbr /%3eIdentify improvements%3cbr /%3eSet objectives%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='node default' id='flowchart-DO-1' transform='translate(374.3359375%2c 59)'%3e%3crect class='basic label-container' style='' x='-99.8203125' y='-39' width='199.640625' height='78'/%3e%3cg class='label' style='' transform='translate(-69.8203125%2c -24)'%3e%3crect/%3e%3cforeignObject width='139.640625' height='48'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b'%3e%3cspan class='nodeLabel'%3e%3cp%3eDO%3cbr /%3eImplement changes%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='node default' id='flowchart-CHECK-3' transform='translate(611.0703125%2c 59)'%3e%3crect class='basic label-container' style='' x='-86.9140625' y='-51' width='173.828125' height='102'/%3e%3cg class='label' style='' transform='translate(-56.9140625%2c -36)'%3e%3crect/%3e%3cforeignObject width='113.828125' height='72'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b'%3e%3cspan class='nodeLabel'%3e%3cp%3eCHECK%3cbr /%3eMonitor and%3cbr /%3emeasure results%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='node default' id='flowchart-ACT-5' transform='translate(820.6796875%2c 102)'%3e%3crect class='basic label-container' style='' x='-72.6953125' y='-51' width='145.390625' height='102'/%3e%3cg class='label' style='' transform='translate(-42.6953125%2c -36)'%3e%3crect/%3e%3cforeignObject width='85.390625' height='72'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b'%3e%3cspan class='nodeLabel'%3e%3cp%3eACT%3cbr /%3eStandardize%3cbr /%3eor adjust%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3c/g%3e%3c/g%3e%3c/g%3e%3c/svg%3e)
7.2 Lessons Learned
After each incident or audit:
- Document — What happened
- Analyze — Root cause
- Identify — What to improve
- Implement — Changes
- Verify — Effectiveness
7.3 Improvement Register
| ID | Source | Description | Status | Deadline |
|---|
| IMP-001 | Incident | | | |
| IMP-002 | Audit | | | |
8. Documentation Requirements
8.1 Retention Schedule
| Document | Retention | Note |
|---|
| Audit reports | 5 years | After audit cycle ends |
| Compliance evidence | 5 years | For regulatory inspections |
| Risk assessments | 5 years | After validity expires |
| Training records | 3 years | After employee departure |
| Meeting minutes | 3 years | |
| Metrics data | 2 years | For trend analysis |
| Category | Tool | Purpose |
|---|
| GRC | OneTrust, ServiceNow | Compliance management |
| SIEM | Splunk, Elastic, Sentinel | Security monitoring |
| Vulnerability | Qualys, Nessus, Tenable | Scanning |
| DLP | Microsoft Purview, Symantec | Data protection |
| PAM | CyberArk, BeyondTrust | Privileged access |
| Training | KnowBe4, Proofpoint | Security awareness |
10. Policy Review
- Monthly: Security metrics review
- Quarterly: Audit findings review, risk register update
- Semi-annually: Policy effectiveness assessment
- Annually: Full policy review + external audit
Next review: Q2 2026