A template for documenting your information security activities.
BEST PRACTICE: Use this page as a template.
This sample template provides guidance for documenting operational activities tied to information security within your organization. It is specific to Trustero’s Curated Content Core Set of Controls (SOC 2). Please review and edit, or replace, this content as appropriate to meet the needs of your business.
Important requirement
When posting on your internal wiki, use this template page as the top-level page.
Trustero Tip: Read this overview and introductory article before beginning this template.
Last reviewed and updated: [date]
Owner: [Full Name]
Responsible Team: [Department/Business Unit Name]
Objective
To document and track the operational activities associated with information security, ensuring continual compliance and risk mitigation, per control IS02 Documented Information Security Operational Activities.
Overview
This documentation formally captures the operational activities tied to information security within our organization. It serves as a blueprint for achieving and maintaining continual compliance across functional areas. The items in the tables below are grouped by team/assignee and, within each team, listed in order of importance.
The operational tasks below are grouped by team and cadence to ensure comprehensive coverage:
- Compliance - Quarterly & Annual Tasks
- SecOps - Weekly, Quarterly & Annual Tasks
- IT & Vendor Management - Routine & Annual Tasks
- Engineering - On Call & Annual Tasks
- People Team - Routine & Annual Compliance Tasks
Ongoing Management
To ensure the documentation remains current and effective:
- Review and Update: Review and update all documented operational activities at least annually, and whenever practices, regulations, or operational scope change.
- Authorization of Changes: All amendments to this documentation must be reviewed and authorized to ensure continued alignment with our information security objectives and compliance requirements.
Note: The remainder of this document is an implementation guide for adopting and customizing this template to your organization's needs. For each task it records the control ID, cadence, owner, review date, reviewer notes, and links to supporting documentation.
Compliance - Quarterly & Annual Tasks
Last reviewed and updated: [insert date] By: [full name]
| Control ID | Task Name | Cadence | Last Review / Action Date | Owner / Reviewer | Reviewer Comments | Links |
| --- | --- | --- | --- | --- | --- | --- |
| PC02 | Quarterly Security Committee Meetings | Quarterly | | | | |
| IS01 | Policies Review & Updates | Annual | | | | |
| IS01 | Policy Update Communication | Annual | | | | |
| IS02 | Documented InfoSec Operational Activities - Review & Update | Annual | | | | |
| PC01, PC02, MS07 | System Description Review & Updates | Annual | | | | |
| IS03 | Website - Terms of Use & Privacy Policy Review & Updates | Annual | | | | |
| IAM02, IAM04 | RBAC Matrix Review & Updates; User Access Requests (ticket request & approval) | Annual (RBAC matrix) or as needed (access requests, e.g., per new hire) | | | | |
| IAM05 | User Access Reviews | Annual | | | | |
SecOps - Weekly, Quarterly & Annual Tasks
Last reviewed and updated: [insert date] By: [full name]
| Control ID | Task Name | Cadence | Last Review / Action Date | Owner / Reviewer | Reviewer Comments | Link |
| --- | --- | --- | --- | --- | --- | --- |
| NS04 | High-level Architecture Diagram Review & Updates | Annual | | | | |
| RA01 | Risk Analysis & Management - Review & Updates | Annual | | | | |
| VM01 | vPenTest Report - Schedule Test & Fix Findings | Annual | | | | |
| IM03 | Logging, Monitoring and Alerting Configuration Reviews | Quarterly | | | | |
| IM01 | Threat Detection: Review Alerts Requiring Action & Open Tickets Status [e.g., AWS GuardDuty] | Weekly | | "Weekly Security Events & Vulnerability Meeting" w/ On Call Engineers | | |
| SC03 | Configuration Monitoring: Review Alerts Requiring Action & Open Tickets Status [e.g., AWS Security Hub] | Weekly | | "Weekly Security Events & Vulnerability Meeting" w/ On Call Engineers | | |
| VM02 | Vulnerability Scan: Review Alerts Requiring Action & Open Tickets Status [e.g., AWS Inspector] | Weekly | | "Weekly Security Events & Vulnerability Meeting" w/ On Call Engineers | | |
| IM02 | App Monitoring - Errors and Crashes: Review Alerts Requiring Action & Open Tickets Status [e.g., Datadog, Grafana] | Weekly | | "Weekly Security Events & Vulnerability Meeting" w/ On Call Engineers | | |
IT & Vendor Management - Routine & Annual Tasks
Last reviewed and updated: [insert date] By: [full name]
| Control ID | Task Name | Cadence | Last Review / Action Date | Owner / Reviewer | Reviewer Comments | Link |
| --- | --- | --- | --- | --- | --- | --- |
| SR01 | Vendor Management - Reviews & Updates | Annual or per new vendor | | | | |
| AM04 | MDM Solution - Monitor / Review Alerts Requiring Action & Open Tickets Status | Weekly | | | | |
| AM04 | Laptop Secure Disposal / Wipe-for-Reuse Process - Review & Validate that Data Cannot Be Recovered | Annual | | | | |
Engineering - On Call & Annual Tasks
Last reviewed and updated: [insert date] By: [full name]
| Control ID | Task Name | Cadence | Last Review / Action Date | Owner / Reviewer | Reviewer Comments | Link |
| --- | --- | --- | --- | --- | --- | --- |
| BC03 | Data Backup & Disaster Recovery Exercise | Annual | | | | |
| SC01 | TLS Certificate Expiration Dates - Review [e.g., AWS ACM] | Annual | | | | |
| SD01 | Code SAST & Dependency Scan Alerts & Tickets: Triage & Resolve | On Call (daily) | | | | |
| IM01 | Threat Detection Alerts & Tickets: Triage & Resolve [e.g., AWS GuardDuty] | On Call (daily) | | | | |
| SC03 | Configuration Monitoring Alerts & Tickets: Triage & Resolve [e.g., AWS Security Hub] | On Call (daily) | | | | |
| VM02 | Vulnerability Scan Alerts & Tickets: Triage & Resolve [e.g., AWS Inspector] | On Call (daily) | | | | |
| IM02 | App Monitoring - Errors and Crashes Alerts & Tickets: Triage & Resolve [e.g., Datadog] | On Call (daily) | | | | |
People Team - Routine & Annual Compliance Tasks
Last reviewed and updated: [insert date] By: [full name]
| Control ID | Task Name | Cadence | Last Review / Action Date | Owner / Reviewer | Reviewer Comments | Link |
| --- | --- | --- | --- | --- | --- | --- |
| HR01 | Organizational Chart Review & Update | Annual or as changes occur | | | | |
| HR05 | Candidate Evaluation & Job Description - Templates & Guide Review & Update | Per new role or position | | | | |
| HR Controls, IAM01, IAM06 | New Hire Onboarding Form - Process Tracking & Completion | Per new hire | | | | |
| HR04 | Trustero Policies Acknowledgement | Annual & per new hire | | | | |
| HR03 | Employee Performance Evaluation | Annual | | | | |
| HR06 | Security Awareness Training | Annual | | | | |
| AM02, HR07 | Offboarding Form - Process Tracking & Completion | Per employee departure | | | | |