
# Policy Author Quick Start

Copy this block exactly to the top of every policy, procedure, or guide, starting with the `## Document Control` heading:

```markdown
## Document Control

| Field | Value |
|-------|-------|
| **Effective Date** | YYYY-MM-DD |
| **Last Reviewed** | YYYY-MM-DD |
| **Owner** | Role (e.g., CISO) |
| **Reviewer** | Role (e.g., CTO) |
| **Classification** | Internal |

### Version History

Version history is derived automatically from git at PDF generation time. For the full change history, see the [commit log](https://github.com/Meridian7-io/m7-security/commits/main/<path-to-file>).
```

`**Classification** | Internal` must be the last static row: the PDF generator injects the Version, Release, and Commit rows after it automatically.


  1. **Branch**: create a branch from `main`, or use `staging` for drafts
  2. **Edit**: update the document; set **Last Reviewed** to today's date; update **Effective Date** only for material changes
  3. **Open PR to main**: describe what changed and why
  4. **CI validates**: `policy-check.yml` runs automatically; preview PDFs are generated as build artifacts
  5. **Approval**: `@Meridian7-io/security-reviewers` must approve via CODEOWNERS; the PR author cannot self-approve
  6. **Merge**: `policy-release.yml` creates a CalVer git tag (`YYYY.MM.DD`), generates final PDFs, and publishes a GitHub Release

No manual steps required after merge.


| Check | Behavior |
|-------|----------|
| **Owner** present and non-empty | Hard fail |
| **Reviewer** present and non-empty | Hard fail |
| **Last Reviewed** date present (YYYY-MM-DD) | Hard fail if missing; warning if not current year |
| `### Version History` section exists | Hard fail |
| Preview PDF generation succeeds | Hard fail |

CI only validates files changed in the PR.


  1. Do NOT add a **Version** row. The PDF generator injects it; adding it manually creates a duplicate.
  2. `**Classification** | Internal` must be the last row in the Document Control table.
  3. The `### Version History` section must exist, but do not maintain a manual table. Just include the section header and a one-line note pointing to the commit log.
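The CI checks table and the three rules above, expressed as a small checker over a Document Control table. This is an added example written for this guide, not the repository's own `policy-check.yml`; the function names and the constructed sample document are assumptions, and the checker stops at the first heading after `## Document Control`.

```python
import re

DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")
ROW_RE = re.compile(r"^\|\s*\*\*(.+?)\*\*\s*\|\s*(.*?)\s*\|$")  # | **Field** | value |

def parse_document_control(md: str) -> dict:
    """Return {field: value} for the bold-labelled rows under '## Document Control'."""
    fields, in_section = {}, False
    for line in md.splitlines():
        if line.startswith("## Document Control"):
            in_section = True
            continue
        if in_section and line.startswith("#"):
            break  # the next heading ends the table's section
        m = ROW_RE.match(line)
        if in_section and m:
            fields[m.group(1)] = m.group(2)
    return fields

def check_document_control(md: str, current_year: int) -> list:
    """Apply the CI rules; returns ('fail' | 'warn', message) pairs, empty when clean."""
    findings, fields = [], parse_document_control(md)
    for required in ("Owner", "Reviewer"):
        if not fields.get(required, "").strip():
            findings.append(("fail", f"{required} missing or empty"))
    reviewed = fields.get("Last Reviewed", "").strip()
    if not DATE_RE.match(reviewed):
        findings.append(("fail", "Last Reviewed missing or not YYYY-MM-DD"))
    elif int(reviewed[:4]) != current_year:
        findings.append(("warn", f"Last Reviewed {reviewed} is not in the current year"))
    if "Version" in fields:  # the PDF generator injects this row itself
        findings.append(("fail", "manual Version row would duplicate the injected one"))
    if fields and list(fields)[-1] != "Classification":
        findings.append(("fail", "Classification must be the last static row"))
    if not re.search(r"^### Version History\s*$", md, re.M):
        findings.append(("fail", "### Version History section missing"))
    return findings

# Constructed sample document with one defect: an empty Reviewer cell.
SAMPLE = """## Document Control
| Field | Value |
|-------|-------|
| **Effective Date** | 2024-01-15 |
| **Last Reviewed** | 2024-01-15 |
| **Owner** | CISO |
| **Reviewer** |  |
| **Classification** | Internal |
### Version History
"""
```

Running `check_document_control(SAMPLE, 2024)` reports the empty Reviewer as a hard fail; with a later year it also emits the stale-review warning.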

```bash
pip install markdown-pdf
python3 policies/generate-pdfs.py --release DRAFT --commit $(git rev-parse HEAD)
```

Default output goes to the current directory. Use `--output <dir>` to specify a different location.


| Directory | Purpose | Examples |
|-----------|---------|----------|
| `policies/` | SOC 2 controlled policy documents — auditor-facing | Information Security Policy, Access Control Policy |
| `procedures/` | Operational runbooks — how to execute policy | Policy Update Procedure, Incident Response Runbook |
| `guides/` | Checklists, templates, and reference docs | Onboarding Checklist, this document |

All three directories use the same Document Control format, CI validation, and CODEOWNERS approval requirement.


Meridian Seven — Confidential