| Name | Description |
| --- | --- |
| accountability | What the role is accountable for |
| achievement_status | Current status of objective achievement |
| acknowledgment_required | Whether acknowledgment is required from personnel |
| action_description | Description of the action |
| action_items | Action items from the review |
| action_plan | Plan for achieving the objective |
| actual_completion_date | Actual date the action was completed |
| affected_assets | Assets affected by this risk or incident |
| affected_cia | CIA properties affected |
| affected_cia_properties | Which CIA properties are affected (confidentiality, integrity, availability) |
| alert_threshold | Threshold triggering alerts |
| allocated_to | What the resource is allocated to |
| allocation_date | Date the resource was allocated |
| analysis_frequency | How often analysis is performed |
| analyst | Person performing analysis |
| applicability_statement | Statement of policy applicability |
| applicable_assets | Asset types this control applies to |
| applicable_controls | Controls related to this policy |
| applicable_threats | Threats this control addresses |
| approval_workflow | Workflow for approving risk treatment |
| approved_by | Person who approved the document |
| approved_date | Date when the document was approved |
| assessment_criteria | Criteria for performing risk assessments |
| assessment_date | Date the assessment was conducted |
| assessment_frequency | Planned frequency of risk assessments |
| assessment_methodology | Methodology used for risk assessment |
| assessment_scope | Scope of the assessment |
| assessor | Person or team who conducted the assessment |
| asset_custodian | Custodian responsible for day-to-day protection |
| asset_owner | Owner of the asset |
| asset_type | Type of asset |
| assigned_to | Person(s) assigned to this role |
| attendees | Attendees of the review |
| audience | Target audience |
| audit_conclusion | Overall audit conclusion |
| audit_criteria | Criteria against which audit is conducted |
| audit_frequency_rationale | Rationale for audit frequency decisions |
| audit_objectives | Objectives of the audit |
| audit_period_end | End date of audit period |
| audit_period_start | Start date of audit period |
| audit_plan | Audit plan document reference |
| audit_reference | Reference identifier for the audit |
| audit_results_summary | Summary of audit results |
| audit_scope | Scope of the audit |
| audit_team | Audit team members |
| audit_type | Type of audit |
| auditee_representatives | Representatives from audited areas |
| auditee_response | Response from the auditee |
| auditor_qualifications | Required qualifications for auditors |
| author | Person who created the document |
| authorities | Authorities granted to the role |
| availability_status | Current availability of the resource |
| awareness_program | Reference to the awareness program |
| awareness_topics | Topics covered in awareness program |
| categorized_as_incident | Whether the event was categorized as an incident |
| certification_body | Accredited certification body |
| certification_date | Date certification was achieved |
| certification_status | Current certification status |
| change_control_requirements | Requirements for controlling changes |
| classification | Information classification level |
| clause_reference | Reference to standard clause |
| climate_change_relevant | Whether climate change has been determined to be a relevant issue for the org... |
| closure_date | Date the finding was closed |
| closure_datetime | Date and time of incident closure |
| closure_evidence | Evidence supporting closure |
| closure_status | Status of finding closure |
| commitment_statements | Statements of commitment included in the policy |
| communication_date | Date when the policy was communicated |
| communication_items | Communication items in the plan |
| communication_needs | Communication requirements for this party |
| communication_plan | Reference to the communication plan |
| competence_records | Competence records for personnel |
| competency_assessment_date | Date of last competency assessment |
| competency_gaps | Identified competency gaps |
| completion_date | Date when implementation was completed |
| completion_tracking | How completion is tracked |
| consequences_addressed | How consequences were dealt with |
| contact_information | Contact details for the party |
| containment_actions | Actions to contain the incident |
| context_changes | Changes in context since last review |
| context_external_issues | External issues relevant to ISMS per 4 |
| context_internal_issues | Internal issues relevant to ISMS per 4 |
| control_category | Domain category of the control |
| control_id | Control identifier from Annex A (e |
| control_measures | Control measures implemented |
| control_owner | Person responsible for the control |
| control_reference | Reference to the control (e |
| control_selection_criteria | Criteria for selecting controls |
| control_text | Organization-authored control statement or external control summary |
| control_title | Title of the control |
| controls | Security controls applied in the ISMS |
| controls_to_implement | Controls to be implemented as part of treatment |
| corrective_actions | Corrective actions |
| cost | Cost of the resource |
| created_date | Date when the entity was created |
| criticality | Criticality rating of the asset |
| current_value | Current measured value |
| decisions | Decisions made in the review |
| delegation_rules | Rules for delegating responsibilities |
| delivery_methods | Methods used to deliver awareness content |
| description | Detailed description of the entity |
| detected_by | Person or process that detected the nonconformity |
| detection_date | Date the nonconformity was detected |
| detection_method | How the incident was detected |
| development_actions | Actions to address competency gaps |
| document_reference | Unique reference number for document control |
| document_type | Classification of the documented information |
| documented_information_register | Register of documented information |
| education_records | Education qualifications |
| effective_date | Date when the document becomes effective |
| effectiveness_criteria | Criteria for evaluating effectiveness |
| effectiveness_measures | How effectiveness is measured |
| effectiveness_rating | Rating of control effectiveness |
| effectiveness_review_date | Date effectiveness was reviewed |
| effectiveness_verified | Whether effectiveness was verified |
| employee_count | Approximate number of employees |
| eradication_actions | Actions to eradicate the cause |
| event_datetime | Date and time of the event |
| event_description | Description of the event |
| evidence_collected | Evidence collected |
| evidence_references | References to evidence of implementation |
| exclusion_justification | Justification for excluding the control |
| existing_controls | Controls currently in place affecting this risk |
| expected_benefit | Expected benefit from implementation |
| experience_records | Relevant experience |
| finding_description | Description of the finding |
| finding_type | Type of audit finding |
| findings | Audit findings |
| frequency | Frequency of the activity |
| geographic_locations | Countries or regions where the organization operates |
| id | Unique identifier for the entity |
| identification_date | Date identified |
| identified_by | Person who identified it |
| immediate_actions | Immediate actions taken to control/correct |
| impact | Assessed impact if risk materializes |
| impact_scale | Scale used for impact rating |
| implementation_date | Date the control was implemented |
| implementation_evidence | Evidence of control implementation |
| implementation_guidance | Organization-authored implementation notes for the control |
| implementation_plan | Plan for implementing the improvement |
| implementation_status | Current implementation status |
| implementation_timeline | Timeline for implementation |
| implemented_count | Number of implemented controls |
| improvement_description | Description of the improvement |
| improvement_opportunities | Opportunities for improvement identified |
| improvement_source | Source of the improvement opportunity |
| improvements | Improvement opportunities tracked |
| incident_category | Category of incident |
| incident_datetime | Date and time the incident occurred or was detected |
| incident_description | Description of the incident |
| inclusion_justification | Justification for including the control |
| industry_sector | Primary industry sector of the organization |
| information_security_policy | Reference to the information security policy |
| inherent_risk_level | Risk level before controls are applied |
| initial_assessment | Initial assessment of the event |
| interested_parties | Stakeholders relevant to the ISMS |
| interested_party_changes | Changes in interested party requirements |
| internal_audits | Internal audit instances |
| is_applicable | Whether the control is applicable |
| isms_changes_required | Changes to ISMS required as a result |
| last_review_date | Date of last review |
| last_test_date | Date the control was last tested |
| lead_auditor | Lead auditor for the audit |
| legal_name | Legal registered name of the organization |
| lessons_learned | Lessons learned from the incident |
| likelihood | Assessed likelihood of risk occurrence |
| likelihood_scale | Scale used for likelihood rating |
| linked_corrective_action | Corrective action linked to this finding |
| linked_corrective_actions | Corrective actions addressing this nonconformity |
| linked_incident | Linked incident if categorized |
| linked_nonconformity | Nonconformity this action addresses |
| location | Physical or logical location |
| management_reviews | Management review instances |
| measurement_frequency | How often measurement is performed |
| measurement_method | Method used to measure the metric |
| method | Method of communication |
| methodology_used | Specific methodology applied in this assessment |
| metric_definition | Definition of how the objective is measured |
| metric_description | Description of what is measured |
| metric_name | Name of the metric |
| modified_date | Date when the entity was last modified |
| monitoring_items | Items to be monitored |
| monitoring_program | Reference to the monitoring program |
| name | Human-readable name or title |
| next_assessment_date | Planned date for next assessment |
| next_review_date | Planned date for next review |
| nonconformities | Nonconformities identified |
| nonconformity_description | Description of the nonconformity |
| nonconformity_source | Source of nonconformity detection |
| not_applicable_count | Number of controls marked not applicable |
| notification_required | Whether notification to authorities/parties was required |
| notifications_made | Notifications that were made |
| objective_evidence | Evidence supporting the finding |
| objective_statement | Clear statement of the objective |
| objectives | Information security objectives |
| operational_procedures | Operational procedures |
| organization | Reference to the organization operating the ISMS |
| organization_type | Type of organization (e |
| outcome_assessment | Assessment of actual outcomes |
| owner | Person accountable for the document content and maintenance |
| parent_organization | Parent organization if applicable |
| parent_policy | The parent policy this topic-specific policy supports |
| party_type | Category of interested party |
| performance_trends | Trends in information security performance |
| person_name | Name of the person |
| person_role | Role of the person |
| plan_scope | Scope of the plan |
| planned_audits | Audits planned in this programme |
| planned_count | Number of controls planned for implementation |
| policy_objectives_framework | Framework for setting information security objectives |
| policy_statement | The core policy statement text |
| positive_observations | Positive observations noted |
| post_incident_review | Post-incident review findings |
| previous_actions_status | Status of actions from previous reviews |
| priority | Priority level |
| procedure_scope | Scope of the procedure |
| process_criteria | Criteria established for the process |
| programme_period | Period covered by the audit programme |
| programme_status | Current status of the programme |
| purpose | Purpose of the communication |
| quantity | Quantity of the resource |
| recertification_date | Date recertification is due |
| recommendations | Recommendations from the assessment |
| recommended_action | Recommended action to address finding |
| records_required | Whether records are required |
| recovery_actions | Actions to recover normal operations |
| regulatory_jurisdictions | Jurisdictions whose regulations apply to the organization |
| related_controls | Other controls related to this one |
| related_risks | Associated risks |
| related_topic_policies | Topic-specific policies supporting this policy |
| related_treatment_plan | Risk treatment plan addressing this risk |
| relationship | Nature of the relationship with the organization |
| report_date | Date the report was issued |
| report_distribution | Distribution list for the report |
| reporter | Person who reported the event |
| reporting_line | To whom this role reports |
| required_competencies | Competencies required for the role |
| requirement_violated | Requirement that was not fulfilled |
| requirements | Requirements of the interested party |
| residual_risk_acceptance | Documentation of residual risk acceptance |
| residual_risk_level | Risk level after controls are applied |
| resource_requirements | Resource requirements for the programme |
| resource_type | Type of resource |
| resources | Resources provided for the ISMS |
| resources_required | Resources required for implementation |
| response_actions | Actions taken in response |
| responsibilities | Responsibilities assigned to the role |
| responsible_parties | Parties responsible for implementation |
| responsible_party | Party responsible for the activity |
| responsible_role | Role responsible for the objective or control |
| responsible_roles | Roles responsible for the procedure |
| retention_period | Duration for which the document is retained |
| review_date | Date when the document is due for review |
| risk_acceptance_criteria | Criteria for accepting risks |
| risk_assessment_process | Reference to the risk assessment process |
| risk_assessment_results | Results of risk assessment |
| risk_assessments | Risk assessment instances |
| risk_implication | Risk implications of the finding |
| risk_matrix | Risk matrix or calculation method |
| risk_owner | Person accountable for managing the risk |
| risk_owner_approval | Risk owner who approved the plan |
| risk_source | Source or origin of the risk |
| risk_treatment_option | Selected treatment option for the risk |
| risk_treatment_plans | Risk treatment plans |
| risk_treatment_process | Reference to the risk treatment process |
| risks_addressed | Risks addressed by this plan |
| risks_identified | Risks identified in this assessment |
| role_type | Category of the role |
| roles | Information security roles defined in the ISMS |
| root_cause | Root cause of the nonconformity |
| root_cause_addressed | Root cause this action addresses |
| root_cause_analysis | Analysis of root cause |
| scope_boundaries | Defined boundaries of the ISMS scope |
| scope_exclusions | Any exclusions from scope with justification |
| scope_statement | Documented statement of ISMS scope per 4 |
| severity | Severity rating |
| similar_nonconformities_check | Check for similar nonconformities elsewhere |
| size_category | Organization size classification |
| soa_entries | Individual control entries in the SoA |
| soa_template | Template used for Statement of Applicability |
| statement_of_applicability | Reference to the Statement of Applicability |
| status | Current status of the document or entity |
| subject | Subject of the communication |
| subsidiaries | Subsidiary organizations if applicable |
| summary_findings | Summary of assessment findings |
| target_audience | Intended audience for the policy or document |
| target_completion_date | Target date for completing the action |
| target_date | Target date for achieving the objective |
| target_implementation_date | Target date for implementing the control |
| target_threshold | Target threshold value |
| target_value | Target value for the objective metric |
| threat_description | Description of the threat exploiting the vulnerability |
| topic_area | The specific topic addressed by the policy |
| total_controls | Total number of controls in scope |
| trading_names | Names under which the organization conducts business |
| training_records | Training completed |
| treatment_actions | Actions to be taken for treatment |
| treatment_options_guidance | Guidance on selecting treatment options |
| treatment_priority | Priority for treating this risk |
| trend | Current trend direction |
| trigger_events | Events that trigger risk assessment outside planned schedule |
| version | Version identifier for the entity |
| vulnerability_description | Description of the vulnerability that could be exploited |