How to Create an Authoritative Document through a Template

This topic explains how to import an authoritative document to the system. Modulo provides Excel spreadsheets specially prepared for importing authoritative documents, which provides greater flexibility and allows you to prepare authoritative documents offline. You can create an authoritative document from scratch on a blank template, or you can export an existing authoritative document, edit it, and import it back to the system. The imported document can be published for use in compliance projects.

For details on how to export an existing document to be edited, see Chapter 8: Knowledge -> Compliance Knowledge -> Authoritative Documents -> Exporting Authoritative Documents.

 

1.    Access the Knowledge module.

2.    Select Authoritative Documents from the Compliance Knowledge option on the menu.

3.    In the Authoritative Documents section, mouse over Spreadsheet and select the Export Template option (see figure below).

 

 

The system requests confirmation to export the template (see figure below).

 

 

4.    Click Export Template to confirm. If you want to quit the operation, click Cancel.

5.    Open the spreadsheet template in Microsoft Excel (see figure below).

 

 

Note 1: There are four worksheets in this template:

    Instructions: This worksheet provides instructions on how to fill out the spreadsheet and does not require completion.

    Authoritative Document: This worksheet should be completed with information on the authoritative document being created or edited. This information will be imported to the system and will be used to provide general information on the document.

    Requirements: This worksheet should be completed with the requirements from the authoritative document.

    Control: This worksheet indicates any errors in spreadsheet completion that would prevent the document from being imported properly so that they can be corrected before being imported.

 

Note 2: The spreadsheet fields are case sensitive; that is, the system will distinguish between uppercase and lowercase letters.

 

6.    Complete the Authoritative Document worksheet by entering the properties of the new authoritative document being created (see figure below).

 

 

The fields included in this worksheet and instructions for filling them out are listed in the table below:

Field

Instructions

*Short Name

Enter the short name by which the document is generally known or referenced in extra-official publications, using the following syntax whenever possible:

 

<acronym of the entity who authored it> - <short name of the authoritative document> - <version, when applicable>

 

For example: ISO/IEC 27001.

 

The year of publication and language are not part of the short name, since this information is entered in separate fields. The short name, together with the other associated fields (specification, author, reach, language, etc.) should fully identify the authoritative document.

*Authoritative Document Name

Enter the official published name of the authoritative document.

 

For example: ISO/IEC 27001 20001 – Information technology – Information security management systems – Requirements.

*Description

Enter a brief description, generally found in the presentation, introduction, or preamble of the original document. If the authoritative document is not based on any other published document, write a brief description that cites the objectives and characteristics of the authoritative document.

Entity Responsible

Enter the name of the institution, agency, department, or person that authored or owns the document and generally determines the requirement verification criteria, when it is an external document.

Year of Publication

Enter the year in which the authoritative document was officially published. Use the <YYYY> format. This should be included in the name of the authoritative document when there is no version number.

 

For example:

COSO - Enterprise Risk Management - Integrated Framework – 2004.

*Language

The available languages are English and Portuguese.

 

If you want to create a certain document in more than one language, separate documents (one per language) should be prepared and the requirements should be registered in the respective languages.

*Responsible

Enter the username of the person or name of the group of people responsible for the authoritative document. Group names should be preceded by an asterisk.

 

For example: adam_jones or *ProductionDept

 

This role is responsible for keeping information on the authoritative document and its requirements up to date and by default receives permission to view and edit authoritative documents to which they were assigned. Note that this person or group must be included in the list of restrictions for this role in the Role Restrictions section of the Administration module, and must also be included in the Knowledge Module Users profile to gain access to the module.

*Type

Indicate the authoritative document type according to its scope, structure and applicability.

 

Legislation: Documents that are generally managed by the legislative branch (National Congress, Legislative Chamber, City Hall).

Origin: Legislative Branch

For example: the constitution, a decree-law, laws, provisional measures.

 

Regulation: Documents that are managed by the ministries, regulatory agencies, autarchies, and other agencies.

Origin: the Executive Branch, mostly.

For example: PCI 1.2; EPA Resolution 88.

 

Code of Practice: Documents created and managed by individuals or corporations who are not part of the government. The code of practice describes recommended best practices.

Origin: Any company that is not from the state (government) or international entities, such as ISO, UN, etc.

Examples of a code of practice: ISO 27002, COBIT 4.1, TPAC (Citigroup), etc.

 

Policy: Set of basic principles and associated guidelines, formulated by an internal authority and enforced by the governing body of an organization, to direct and limit its actions in pursuit of long-term goals.

Standard: Set of rules that must be respected and that are organized in a model that determines a behavior, conduct or action to be followed. Comprehensive documents, which may include codes of practice or specifications of an organization that are elaborated by governmental entities or standards organizations.

 

Manual: Documents containing knowledge related to a subject, which explain an operation or execution through instructions. The manual also contains definitions and basic principles about the object it references.

 

Procedure: A sequential set of actions that allow a goal to be reached. Used in different areas that need tasks to be carried out in a specific order to ensure the correct execution of a process. The procedure defines when each action must be performed and contains a detailed description of all the operations required to perform a task.

 

Guide: Documents containing information, instructions and advice of various kinds on a given subject, providing practical guidance. A guide is less comprehensive than a manual, focusing more on practical aspects.

 

Work Instruction: Documents that contain detailed instructions that specify exactly which steps should be taken to perform an activity. A work instruction contains more details than a procedure and is created only if very detailed instructions are required.

 

Form: A standardized template with specific fields in which information is entered. A form is completed with data and information that allows organizational activities to be registered and controlled, such as data from companies or state institutions.

*Reach

According to the political scope of action of the entity who authored the document, you can choose between:

 

International: when it includes more than one country;

 

National: when it includes an entire country, including all the states and cities, without exception;

 

State: when it includes all the municipalities/cities in that state;

 

City: when it includes one or more municipalities/cities/districts, but is not characterized as “State”.

*Required

In this field, specify if the document lists mandatory or optional requirements.

 

Mandatory: when it is legislation, or when fulfillment of the document is determined by the compliance manager or by the person responsible for the organization/agency in question. Generally, not fulfilling it results in losses for the organization, such as financial losses, losses resulting from legal action, or a loss of the quality seal.

 

Optional: when it is a code of practice that is optional in nature, generally prepared by an independent entity (ISO, ISACA, etc.) or even an internal department. Generally, not complying with the document does not result in directly-associated losses for the organization.

 

Note: Conditional is not currently in use.

*Specification

This field specifies the market segment (for the sectorial regulations) or economic activities to which the document applies, preferably using the classifications specified by the agency responsible for the location of the document’s applicability. When it is not restricted to a segment or activity, the term “General” should be used.

Authoritative Document ID

This field is used to identify authoritative documents in the system. It does not require completion.

Template Version

Indicates the version of the spreadsheet template being used.

 

7.    Click the Requirements worksheet to enter requirements for the authoritative document (see figure below).

 

 

The fields included in this worksheet and instructions for filling them out are listed in the table below:

Field

Instructions

*Code

This field is used to allow the items from an authoritative document to be displayed in order. This field should be filled in with numbers only, forming a sequence, using “.” (a period) to separate the levels.

 

Two zeroes (“00”) must be entered before each number between 1 and 9 in this field (in each part of the code) so that the items are ordered correctly in the system. Insert a zero for numbers between 10 and 99.

 

For example:

For items from the first level: 001, 008, 010, etc.

For items from the second level: 002.003, 005.010, 012.002, etc.

For items from the third level: 001.005.003, 010.002.011, 005.012.006, etc.

For items from the fourth level: 006.004.010.004, 010.012.006.008, etc.

*Title

This field should be completed with the item code and title, separated according to the standard used in the original document.

 

The title format should be as follows:

<item code in the documentation> <title description>

 

There are some standards for filling out this field:

    When there is a description of an item: this is generally found in codes for national and international practice and in American laws and regulations. In this case, register the item code followed by its title, as found in the document.

 

The syntax for separating the code and the title is the same as that found in the original documentation, which may be a space, period, hyphen, or other character.

 

For example:

001 Install and maintain the firewall’s configuration to protect the card bearer’s information

003.003. Competence, awareness, and training

002 – Democratic and collaborative governance

    When there is no description of an item: register the item code followed by the corresponding text, both separated according to the standard used in the document of origin itself.

    When it is not certain whether an item contains a description, which is generally true for US legislation and some codes of practice: North American regulations do not necessarily use a unique system as do some others. Some items may not be numbered and may start with the text itself or with a bullet. In these cases – which may also occur with some codes of practice – the entire unnumbered content should be entered in the title of a single item (one line on the spreadsheet).

Description

Enter details or clarification of the item found in the original document. Generally, this is not included in legislation and most regulations, in which case it should be left blank.

Parent Code

This field should contain an exact copy of the code referring to the item that is on the level immediately above the item being created. This field should be left blank for items on the first level.

 

For example:

Item Code: 005

Parent Code: leave blank

 

Item Code: 006.002

Parent Code: 006

 

Item Code: 004.002.001

Parent Code: 004.001

 

Item Code: 005.010.006.0001

Parent Code: 005.010.006.001

*Level

This field indicates the hierarchical level of the item in the document being registered. For items on the first level (001, 008, 010, etc.), it should be completed with the number 1, those on the second level (002.006, 010.003, 009.012) with the number 2, and so on.

*Type

Specify in this field whether the requirement is optional or required. Some criteria for selecting one of these options are explained below:

 

Required:

    When the item contains the verb “must” or its variants.

    When common sense determines it is mandatory, even when the verb “must” or its variants are not used.

    When the item is determining an action using the future simple tense, such as “the report will be published on A4 paper”, “the signatures on the report will be identified”, etc. In these examples, the paper must be A4 and the signatures must be identified.

 

Optional:

    When the item contains the verb “can”, “recommended”, or variants, such as “should”;

    When interpretation of the item determines it is optional, even if the verb “can” or its variants is not used;

    When the item is suggesting a certain action, such as “the report should be printed on A4 paper”, “it’s helpful to identify the signatures on the report”, etc. In these cases, both the question of the size of the paper and the identification of the signatures are recommendations and, thus, optional.

Requirement ID

This field is used to identify requirements in the system. It does not require completion.

Delete?

This field should only be used when the authoritative document is being edited. Existing requirements can be marked for deletion and deleted from the system when the spreadsheet is imported.

 

8.    When finished, save the file to your computer.

 

Note: When the authoritative document is finished, you can then import the spreadsheet and publish it. For details on importing an authoritative document prepared or edited through a template, see Chapter 8: Knowledge -> Compliance Knowledge -> Authoritative Documents -> Importing Authoritative Documents. For details on publishing authoritative documents, see Chapter 8: Knowledge -> Compliance Knowledge -> Authoritative Documents -> Publishing Authoritative Documents.
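
The Code, Parent Code and Level rules from the Requirements table can be checked before the spreadsheet is imported. The following is an added example, not part of the product or its documentation; it assumes the Requirements rows have already been read into Python dicts keyed by the column names, and the sample rows are constructed.

```python
import re

# Each level is a number zero-padded to at least three digits, levels separated by "."
CODE_RE = re.compile(r"\d{3,}(\.\d{3,})*")

def pad_code(raw):
    """Zero-pad each level to three digits: '1.12' -> '001.012'."""
    return ".".join(part.strip().zfill(3) for part in str(raw).split("."))

def check_requirements(rows):
    """Return (row_index, message) pairs for rows that break the Code,
    Parent Code or Level rules; row_index is 1-based within `rows`."""
    level_of = {r["Code"]: int(r["Level"]) for r in rows}
    errors = []
    for i, row in enumerate(rows, start=1):
        code, parent = row["Code"], row["Parent Code"].strip()
        level = int(row["Level"])
        if not CODE_RE.fullmatch(code):
            errors.append((i, f"Code {code!r} is not zero-padded; try {pad_code(code)!r}"))
            continue
        if level != code.count(".") + 1:
            errors.append((i, f"Level {level} does not match Code {code!r}"))
            continue
        if level == 1:
            if parent:
                errors.append((i, "first-level item must leave Parent Code blank"))
        elif parent not in level_of:
            errors.append((i, f"Parent Code {parent!r} is not a Code in this sheet"))
        elif level_of[parent] != level - 1:
            errors.append((i, f"Parent Code {parent!r} is not one level above"))
    return errors

# Constructed sample rows (not taken from a real authoritative document)
SAMPLE_ROWS = [
    {"Code": "001", "Parent Code": "", "Level": 1},
    {"Code": "001.002", "Parent Code": "001", "Level": 2},
    {"Code": "1.3", "Parent Code": "001", "Level": 2},              # not padded
    {"Code": "002.001", "Parent Code": "002", "Level": 2},          # parent row missing
    {"Code": "001.002.001", "Parent Code": "001.002", "Level": 2},  # wrong level
    {"Code": "003", "Parent Code": "001", "Level": 1},              # parent on level 1
]

if __name__ == "__main__":
    for row_index, message in check_requirements(SAMPLE_ROWS):
        print(f"row {row_index}: {message}")
```

The spreadsheet's own Control worksheet remains the authority on what the system will accept; this check only covers the three fields named above.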