iso27001-mcp 0.7.0

package/dist/seed/policy-templates/policy-templates/acceptable_use.md

@@ -0,0 +1,97 @@
+---
+policy_type: acceptable_use
+clause_mappings: ["6.1.2"]
+control_mappings: ["5.10","6.3","6.7","8.1"]
+---
+# Acceptable Use Policy
+
+**Organisation:** {{organisation_name}}
+**Policy ID:** {{policy_id}}
+**Version:** {{version}}
+**Effective Date:** {{effective_date}}
+**Next Review Date:** {{next_review_date}}
+**Owner:** {{owner}}
+**Approver:** {{approver}}
+
+---
+
+## 1. Purpose
+
+This policy defines the acceptable use of information systems, networks, devices, and data owned or managed by {{organisation_name}} to protect these assets and the people who use them.
+
+## 2. Scope
+
+{{scope}}
+
+This policy applies to all personnel (employees, contractors, consultants, and temporary staff) using {{organisation_name}} information systems and assets.
+
+## 3. General Principles
+
+{{organisation_name}}'s information systems are provided for legitimate business purposes. Users must:
+- Use systems responsibly and in accordance with this policy
+- Protect the security and integrity of systems and data
+- Respect the privacy and confidentiality of others' information
+- Comply with all applicable laws and regulations
+
+## 4. Acceptable Use
+
+### 4.1 Business Use
+Information systems may be used for business purposes as required to perform job functions. Incidental personal use is permitted provided it does not:
+- Interfere with business operations or productivity
+- Violate any provision of this policy
+- Create legal or reputational risk for {{organisation_name}}
+
+### 4.2 Internet Use
+Internet access is provided for business purposes. Users must not use the internet to:
+- Access, download, or distribute illegal content
+- Visit websites that are inappropriate for the workplace
+- Download software without IT authorisation
+- Engage in activities that could introduce malware
+- Stream media excessively in ways that impact network performance
+
+### 4.3 Email Use
+- Email is provided for business communication
+- Users must not send sensitive or restricted information via unencrypted email
+- Phishing and spam emails must be reported and not acted upon
+- Automatic email forwarding to external accounts is prohibited without approval
+
+### 4.4 Social Media
+- Personal social media use on company devices or networks during work hours must be minimal
+- Confidential or restricted information must never be shared on social media
+- Personnel must not represent themselves as speaking on behalf of {{organisation_name}} on personal social media without authorisation
+
+## 5. Prohibited Activities
+
+The following activities are strictly prohibited:
+- Accessing systems or data without authorisation
+- Attempting to circumvent security controls
+- Installing unapproved software
+- Sharing passwords or access credentials
+- Transmitting malicious code
+- Using {{organisation_name}} systems for commercial activities unrelated to the business
+- Harassment, discrimination, or other harmful activities using company systems
+- Circumventing monitoring or security logging systems
+- Using company systems for cryptocurrency mining
+
+## 6. Personal Devices (BYOD)
+
+Use of personal devices to access {{organisation_name}} systems is subject to the BYOD Standard. Personal devices must:
+- Be enrolled in the mobile device management (MDM) solution
+- Have approved security software installed
+- Meet minimum security configuration requirements
+- Be subject to remote wipe in the event of loss or theft
+
+## 7. Monitoring
+
+{{organisation_name}} reserves the right to monitor use of its information systems to ensure compliance with this policy. Monitoring may include logging of system access, network traffic inspection, and email monitoring. Users have no expectation of privacy when using {{organisation_name}} systems.
+
+## 8. Compliance
+
+Violations of this policy may result in disciplinary action, up to and including termination of employment or contract. Violations that constitute criminal activity will be referred to law enforcement.
+
+---
+
+**Clause Mappings:** {{clause_mappings}}
+**Control Mappings:** {{control_mappings}}
+
+*Approved by: {{approver}} | Effective: {{effective_date}} | Next Review: {{next_review_date}}*

package/dist/seed/policy-templates/policy-templates/access_control.md

@@ -0,0 +1,92 @@
+---
+policy_type: access_control
+clause_mappings: ["6.1.2","6.1.3"]
+control_mappings: ["5.15","5.16","5.17","5.18","8.2","8.3","8.4","8.5"]
+---
+# Access Control Policy
+
+**Organisation:** {{organisation_name}}
+**Policy ID:** {{policy_id}}
+**Version:** {{version}}
+**Effective Date:** {{effective_date}}
+**Next Review Date:** {{next_review_date}}
+**Owner:** {{owner}}
+**Approver:** {{approver}}
+
+---
+
+## 1. Purpose
+
+This Access Control Policy establishes requirements for controlling access to information systems, applications, networks, and data within {{organisation_name}} to protect against unauthorised access.
+
+## 2. Scope
+
+{{scope}}
+
+## 3. Principles
+
+Access control within {{organisation_name}} is based on the following principles:
+
+- **Least Privilege**: Users are granted the minimum access rights necessary to perform their job functions
+- **Need to Know**: Access to information is restricted to those with a legitimate business need
+- **Default Deny**: Access is denied unless explicitly authorised
+- **Separation of Duties**: Conflicting responsibilities are divided among multiple users
+
+## 4. Access Management Lifecycle
+
+### 4.1 Provisioning
+- All access requests must be submitted through the formal access request process
+- Requests must be authorised by the user's line manager and the relevant system owner
+- Access is granted only after all approvals are obtained and documented
+- New access is provisioned within the agreed service level timeline
+
+### 4.2 Review
+- User access rights shall be reviewed at a minimum of every 12 months
+- Privileged access rights shall be reviewed every 6 months
+- Reviews are conducted by system owners and results documented
+
+### 4.3 Modification
+- Changes to job role or responsibilities require immediate reassessment of access rights
+- Temporary access must have a defined expiry date
+
+### 4.4 Revocation
+- Access shall be revoked immediately upon termination of employment or contract
+- Access shall be adjusted promptly upon change of role
+- {{owner}} maintains a process for emergency access revocation
+
+## 5. Authentication Requirements
+
+- All users must authenticate using a unique user ID and strong password
+- Passwords must meet the complexity requirements defined in the Authentication Standard
+- Multi-factor authentication (MFA) is required for:
+  - Remote access to all systems
+  - Access to privileged accounts
+  - Access to systems containing sensitive or classified information
+- Shared or generic accounts are prohibited except where technically unavoidable, and require compensating controls
+
+## 6. Privileged Access
+
+- Privileged accounts must be separate from standard user accounts
+- Privileged access must be used only for tasks requiring elevated rights
+- All privileged access sessions must be logged
+- Privileged account credentials must be stored in an approved privileged access management solution
+
+## 7. Remote Access
+
+- Remote access to {{organisation_name}} systems requires use of an approved VPN or equivalent secure channel
+- Remote access sessions must authenticate using MFA
+- Remote working devices must comply with the Endpoint Security Standard
+
+## 8. Third-Party Access
+
+- Third-party access must be formally authorised and documented
+- Third parties must be subject to a confidentiality agreement before access is granted
+- Third-party access must be time-limited and reviewed regularly
+- Third-party access activities must be logged and monitored
+
+---
+
+**Clause Mappings:** {{clause_mappings}}
+**Control Mappings:** {{control_mappings}}
+
+*Approved by: {{approver}} | Effective: {{effective_date}} | Next Review: {{next_review_date}}*

package/dist/seed/policy-templates/policy-templates/asset_management.md

@@ -0,0 +1,88 @@
+---
+policy_type: asset_management
+clause_mappings: ["6.1.2"]
+control_mappings: ["5.9","5.10","5.11","5.12","5.13","7.10","8.10"]
+---
+# Asset Management Policy
+
+**Organisation:** {{organisation_name}}
+**Policy ID:** {{policy_id}}
+**Version:** {{version}}
+**Effective Date:** {{effective_date}}
+**Next Review Date:** {{next_review_date}}
+**Owner:** {{owner}}
+**Approver:** {{approver}}
+
+---
+
+## 1. Purpose
+
+This policy defines requirements for identifying, classifying, and protecting information assets owned or managed by {{organisation_name}}.
+
+## 2. Scope
+
+{{scope}}
+
+## 3. Asset Inventory
+
+{{organisation_name}} shall maintain an inventory of all information assets including:
+- **Information assets**: databases, data files, contracts, documentation, research data
+- **Software assets**: applications, system software, development tools
+- **Physical assets**: computers, network equipment, mobile devices, storage media
+- **Services**: cloud services, communications services, IT services
+- **People**: personnel with specialist knowledge
+- **Intangibles**: reputation, brand
+
+The asset inventory shall include: asset name, type, owner, location, classification, and criticality. The inventory shall be reviewed and updated at least annually.
+
+## 4. Asset Ownership
+
+Every asset must have a designated owner who is responsible for:
+- Ensuring the asset is appropriately classified
+- Defining and reviewing access rights for the asset
+- Ensuring appropriate protection is applied
+- Authorising the acceptable use of the asset
+
+## 5. Information Classification
+
+All information shall be classified according to its sensitivity:
+
+| Classification | Description | Handling Requirements |
+|---------------|-------------|----------------------|
+| Public | Information approved for public release | No restrictions on disclosure |
+| Internal | General business information | For internal use only; not for external sharing without approval |
+| Confidential | Sensitive business information | Restricted to those with a need to know; encryption required in transit |
+| Restricted | Highly sensitive information | Strictly controlled access; encryption at rest and in transit required |
+
+## 6. Labelling
+
+Information assets shall be labelled in accordance with their classification. Labelling shall be applied to:
+- Documents and files (headers, footers, watermarks)
+- Emails (classification in subject line or header)
+- Physical media (clear physical labels)
+- Printouts (classification on each page)
+
+## 7. Acceptable Use
+
+Personnel using {{organisation_name}} assets shall:
+- Use assets only for authorised business purposes
+- Not use organisational assets for activities that violate laws or regulations
+- Protect assets from loss, theft, or damage
+- Report any loss or theft of assets immediately to {{owner}}
+
+## 8. Return of Assets
+
+Upon termination of employment or contract, all organisational assets must be returned. The offboarding process includes a formal asset return checklist. Unreturned assets will be subject to the disciplinary process.
+
+## 9. Information Deletion and Disposal
+
+- Information shall be securely deleted when no longer required in accordance with the retention schedule
+- Physical media containing sensitive information shall be securely destroyed or wiped before disposal or re-use
+- Data destruction shall be documented and certified for assets classified Confidential or Restricted
+
+---
+
+**Clause Mappings:** {{clause_mappings}}
+**Control Mappings:** {{control_mappings}}
+
+*Approved by: {{approver}} | Effective: {{effective_date}} | Next Review: {{next_review_date}}*

package/dist/seed/policy-templates/policy-templates/business_continuity.md

@@ -0,0 +1,82 @@
+---
+policy_type: business_continuity
+clause_mappings: ["6.1.2","8.1"]
+control_mappings: ["5.29","5.30","8.13","8.14"]
+---
+# Information Security Business Continuity Policy
+
+**Organisation:** {{organisation_name}}
+**Policy ID:** {{policy_id}}
+**Version:** {{version}}
+**Effective Date:** {{effective_date}}
+**Next Review Date:** {{next_review_date}}
+**Owner:** {{owner}}
+**Approver:** {{approver}}
+
+---
+
+## 1. Purpose
+
+This policy establishes requirements for maintaining information security during business disruptions and ensuring the continuity of critical information systems and data at {{organisation_name}}.
+
+## 2. Scope
+
+{{scope}}
+
+## 3. Business Continuity Objectives
+
+{{organisation_name}} shall maintain information security at an appropriate level during disruption to ensure:
+- Critical information systems can be recovered within defined recovery time objectives (RTOs)
+- Information can be recovered to within defined recovery point objectives (RPOs)
+- Security controls are maintained or compensating controls are applied during disruption
+- Sensitive information is protected throughout the recovery period
+
+## 4. ICT Continuity Planning
+
+### 4.1 Business Impact Analysis
+A Business Impact Analysis (BIA) shall be conducted to identify critical information systems and their RTOs and RPOs. The BIA shall be reviewed annually and when significant changes occur.
+
+### 4.2 Recovery Strategies
+Recovery strategies shall be defined and documented for all critical systems, including:
+- Backup and recovery procedures
+- Alternative processing arrangements
+- Manual workaround procedures where systems are unavailable
+
+### 4.3 Backup Requirements
+- Critical data shall be backed up at a frequency that meets defined RPOs
+- Backups shall be stored in a secure off-site location
+- Backup integrity shall be verified regularly through restoration tests
+- Backup and restoration procedures shall be documented
+
+### 4.4 Redundancy
+Critical information processing facilities shall be implemented with sufficient redundancy to meet availability requirements. Redundancy measures shall be tested regularly.
+
+## 5. Testing and Exercises
+
+Business continuity and ICT recovery plans shall be tested at planned intervals, at least annually, through:
+- Tabletop exercises
+- Technical recovery tests
+- Full failover exercises (for critical systems)
+
+Test results shall be documented and identified improvements shall be tracked to completion.
+
+## 6. Plan Maintenance
+
+Business continuity and ICT recovery plans shall be reviewed and updated:
+- At least annually
+- Following significant changes to systems or infrastructure
+- Following activation of the plan
+- Following changes to identified critical systems or RTOs/RPOs
+
+## 7. Roles and Responsibilities
+
+- **{{owner}}**: Maintains business continuity plans and coordinates exercises
+- **System Owners**: Ensure recovery procedures exist for their systems
+- **All Personnel**: Understand their roles during a business continuity event and follow established procedures
+
+---
+
+**Clause Mappings:** {{clause_mappings}}
+**Control Mappings:** {{control_mappings}}
+
+*Approved by: {{approver}} | Effective: {{effective_date}} | Next Review: {{next_review_date}}*

package/dist/seed/policy-templates/policy-templates/cryptography.md

@@ -0,0 +1,90 @@
+---
+policy_type: cryptography
+clause_mappings: ["6.1.2","6.1.3"]
+control_mappings: ["8.24","5.14","8.5"]
+---
+# Cryptography Policy
+
+**Organisation:** {{organisation_name}}
+**Policy ID:** {{policy_id}}
+**Version:** {{version}}
+**Effective Date:** {{effective_date}}
+**Next Review Date:** {{next_review_date}}
+**Owner:** {{owner}}
+**Approver:** {{approver}}
+
+---
+
+## 1. Purpose
+
+This policy establishes requirements for the effective use of cryptographic controls to protect the confidentiality, integrity, and authenticity of information assets at {{organisation_name}}.
+
+## 2. Scope
+
+{{scope}}
+
+## 3. Approved Algorithms
+
+The following cryptographic algorithms are approved for use within {{organisation_name}}:
+
+### Symmetric Encryption
+- AES-256 (GCM mode preferred for authenticated encryption)
+- AES-128 (acceptable for lower sensitivity data)
+
+### Asymmetric Encryption / Key Exchange
+- RSA: minimum 2048 bits (4096 bits recommended for new implementations)
+- Elliptic Curve Cryptography (ECC): minimum 256-bit curves (P-256, P-384, X25519)
+
+### Hashing
+- SHA-256 or stronger (SHA-2 family, SHA-3 family)
+- HMAC-SHA-256 or stronger for message authentication
+
+### TLS
+- TLS 1.2 minimum; TLS 1.3 preferred
+- Insecure protocols (SSL 2.0/3.0, TLS 1.0/1.1) are prohibited
+
+The following are **prohibited**: MD5 (for security purposes), SHA-1 (for security purposes), DES, 3DES, RC4, export-grade ciphers.
+
+## 4. Use Cases
+
+### 4.1 Data at Rest
+Sensitive and restricted data stored on servers, databases, and portable devices must be encrypted using AES-256. Full-disk encryption is required for all laptops and portable devices.
+
+### 4.2 Data in Transit
+All sensitive data transmitted over public or untrusted networks must be encrypted using TLS 1.2 or higher. VPN tunnels for remote access must use approved protocols.
+
+### 4.3 Email
+Sensitive information transmitted via email must be encrypted. S/MIME or equivalent email encryption shall be used for Confidential or Restricted information.
+
+### 4.4 Code Signing
+Software released by {{organisation_name}} shall be digitally signed using approved signing certificates.
+
+## 5. Key Management
+
+### 5.1 Key Generation
+Cryptographic keys must be generated using approved random number generators and algorithms. Key length must meet minimum requirements specified in Section 3.
+
+### 5.2 Key Storage
+Private keys and symmetric keys must be stored securely, encrypted at rest. Access to key material must be restricted and logged. Approved key management systems or hardware security modules (HSMs) should be used for critical key material.
+
+### 5.3 Key Distribution
+Keys must be distributed through secure channels. Public keys shall be distributed via PKI certificates from trusted Certificate Authorities.
+
+### 5.4 Key Rotation
+- Symmetric keys: rotate at least annually, or upon suspected compromise
+- Asymmetric keys: rotate before expiry; certificates must not be allowed to expire
+- Compromised keys must be immediately revoked and replaced
+
+### 5.5 Key Revocation and Destruction
+Compromised or retired keys must be revoked immediately. Key destruction must be documented. Certificate revocation lists (CRLs) and OCSP must be checked before trusting certificates.
+
+## 6. Certificate Management
+
+{{organisation_name}} shall maintain an inventory of all certificates in use. Certificate expiry shall be monitored, with renewal initiated at least 30 days before expiry. Self-signed certificates are prohibited in production environments.
+
+---
+
+**Clause Mappings:** {{clause_mappings}}
+**Control Mappings:** {{control_mappings}}
+
+*Approved by: {{approver}} | Effective: {{effective_date}} | Next Review: {{next_review_date}}*

package/dist/seed/policy-templates/policy-templates/data_classification.md

@@ -0,0 +1,106 @@
+---
+policy_type: data_classification
+clause_mappings: ["6.1.2"]
+control_mappings: ["5.12","5.13","5.14","8.10","8.11"]
+---
+# Data Classification Policy
+
+**Organisation:** {{organisation_name}}
+**Policy ID:** {{policy_id}}
+**Version:** {{version}}
+**Effective Date:** {{effective_date}}
+**Next Review Date:** {{next_review_date}}
+**Owner:** {{owner}}
+**Approver:** {{approver}}
+
+---
+
+## 1. Purpose
+
+This policy defines the classification of information at {{organisation_name}} to ensure that information assets receive an appropriate level of protection commensurate with their sensitivity and business value.
+
+## 2. Scope
+
+{{scope}}
+
+## 3. Classification Scheme
+
+### Public
+**Definition**: Information that has been approved for public release or that poses minimal risk if disclosed.
+
+**Examples**: Marketing materials, published reports, press releases, publicly available product documentation
+
+**Handling Requirements**:
+- No restrictions on access or distribution
+- May be shared externally without restriction
+- No special disposal requirements
+
+### Internal
+**Definition**: General business information intended for use within {{organisation_name}}. Unauthorised disclosure could cause minor embarrassment or inconvenience.
+
+**Examples**: Internal procedures, general business communications, meeting minutes (non-sensitive), training materials
+
+**Handling Requirements**:
+- Accessible to all {{organisation_name}} personnel
+- Not for sharing externally without approval
+- Dispose of securely (shred physical documents, secure delete electronic files)
+
+### Confidential
+**Definition**: Sensitive business information where unauthorised disclosure could cause significant harm to {{organisation_name}} or individuals.
+
+**Examples**: Financial data, customer data, personnel records, contracts, strategic plans, security policies
+
+**Handling Requirements**:
+- Accessible only to authorised personnel on a need-to-know basis
+- Must be encrypted in transit (TLS) and at rest (AES-256)
+- Physical documents must be stored in locked cabinets
+- Must be clearly labelled with classification
+- External sharing requires authorisation from information owner
+- Dispose of securely (cross-cut shred physical, certified deletion for electronic)
+
+### Restricted
+**Definition**: The most sensitive information where unauthorised disclosure could cause serious harm, regulatory penalties, or significant financial impact.
+
+**Examples**: Authentication credentials, cryptographic keys, personal health information, payment card data, classified government information
+
+**Handling Requirements**:
+- Strictly controlled access; minimum access principle enforced
+- Encryption at rest and in transit mandatory
+- Access logged and monitored
+- Never transmitted via standard email
+- Physical documents in locked secure storage with access log
+- Requires two-person authorisation for access where practical
+- Destruction requires certified data destruction with documentation
+
+## 4. Classification Process
+
+### 4.1 Assigning Classification
+- Information owners are responsible for classifying information they create or manage
+- Classification should be assigned at creation and reviewed when content changes significantly
+- When in doubt, classify at the higher level
+
+### 4.2 Classification Labels
+Electronic files: Include classification in document headers, footers, and file names where practical
+Emails: State classification in the subject line (e.g. [CONFIDENTIAL])
+Physical documents: Mark with classification on the cover page and each page for Confidential and Restricted
+Storage media: Attach physical label clearly indicating classification
+
+### 4.3 Reclassification
+Information may be reclassified by the information owner when the sensitivity level changes. Reclassification must be documented and access controls updated accordingly.
+
+## 5. Handling Rules Summary
+
+| Requirement | Public | Internal | Confidential | Restricted |
+|-------------|--------|----------|--------------|------------|
+| Encryption in transit | No | Recommended | Required | Required |
+| Encryption at rest | No | Recommended | Required | Required |
+| Access control | None | All staff | Need-to-know | Strictly limited |
+| External sharing | Open | With approval | Owner approval + NDA | Senior approval only |
+| Secure disposal | No | Yes | Yes + documented | Yes + certified |
+
+---
+
+**Clause Mappings:** {{clause_mappings}}
+**Control Mappings:** {{control_mappings}}
+
+*Approved by: {{approver}} | Effective: {{effective_date}} | Next Review: {{next_review_date}}*

package/dist/seed/policy-templates/policy-templates/incident_response.md

@@ -0,0 +1,87 @@
+---
+policy_type: incident_response
+clause_mappings: ["6.1.2"]
+control_mappings: ["5.24","5.25","5.26","5.27","5.28","6.8"]
+---
+# Information Security Incident Response Policy
+
+**Organisation:** {{organisation_name}}
+**Policy ID:** {{policy_id}}
+**Version:** {{version}}
+**Effective Date:** {{effective_date}}
+**Next Review Date:** {{next_review_date}}
+**Owner:** {{owner}}
+**Approver:** {{approver}}
+
+---
+
+## 1. Purpose
+
+This policy establishes the framework for detecting, reporting, assessing, responding to, and learning from information security incidents within {{organisation_name}}.
+
+## 2. Scope
+
+{{scope}}
+
+## 3. Definitions
+
+- **Event**: An identified occurrence indicating a possible breach of information security policy or failure of controls
+- **Incident**: An event that has been assessed as having an actual adverse impact on information security
+- **Major Incident**: An incident with significant business impact requiring escalation to senior management
+
+## 4. Incident Classification
+
+| Severity | Description | Response Time |
+|----------|-------------|---------------|
+| Critical | Confirmed breach of sensitive data; significant system compromise; active attack | Immediate (within 1 hour) |
+| High | Suspected breach; significant disruption to critical systems; ransomware | Within 4 hours |
+| Medium | Unauthorised access attempt; malware detection; significant policy violation | Within 24 hours |
+| Low | Minor policy violation; unsuccessful attack; suspicious activity | Within 5 business days |
+
+## 5. Incident Response Process
+
+### 5.1 Detection and Reporting
+All personnel are required to report suspected security events immediately. Reports should be made to {{owner}} via the designated incident reporting channel.
+
+### 5.2 Initial Assessment
+{{owner}} or the designated Incident Response Team (IRT) will assess the reported event within the response time defined for its severity classification.
+
+### 5.3 Containment
+Immediate steps to limit the impact of confirmed incidents, which may include isolating affected systems, revoking compromised credentials, or blocking malicious traffic.
+
+### 5.4 Eradication
+Identifying and eliminating the root cause of the incident, including removing malware, closing vulnerabilities, and resetting compromised credentials.
+
+### 5.5 Recovery
+Restoring affected systems and services to normal operation, verifying that systems are clean and operational.
+
+### 5.6 Post-Incident Review
+A post-incident review shall be conducted for all High and Critical incidents within 14 days of resolution to identify:
+- Root cause and contributing factors
+- Effectiveness of the response
+- Improvements to controls or procedures
+- Lessons learned to be shared
+
+## 6. Evidence Collection
+
+Evidence shall be collected and preserved for all incidents where:
+- Legal or regulatory notification may be required
+- Disciplinary action may result
+- The incident may be referred to law enforcement
+
+Evidence must be handled in accordance with the Evidence Collection Procedure to maintain chain of custody.
+
+## 7. Regulatory Notification
+
+{{organisation_name}} shall notify relevant regulatory authorities of data breaches within the timeframes required by applicable legislation. {{owner}} is responsible for determining notification obligations and managing communications with regulators.
+
+## 8. Communication
+
+All communications regarding incidents shall be coordinated through {{owner}}. Personnel must not discuss incidents with external parties (including media) without explicit authorisation.
+
+---
+
+**Clause Mappings:** {{clause_mappings}}
+**Control Mappings:** {{control_mappings}}
+
+*Approved by: {{approver}} | Effective: {{effective_date}} | Next Review: {{next_review_date}}*