Policy Update Procedure
Applies to all documents in Meridian7-io/m7-security: policies (policies/), procedures (procedures/), and guides (guides/).
Review Schedule
Section titled “Review Schedule”| Review Type | Frequency | Owner |
|---|---|---|
| Annual review | Every 12 months from effective date | Policy owner |
| Triggered review | After significant incident, org change, or regulatory update | CISO |
| Ad-hoc update | As needed for corrections or clarifications | Policy owner |
Update Process
Section titled “Update Process”Step 1 — Edit on Staging
Section titled “Step 1 — Edit on Staging”- Switch to
stagingbranch inm7-security. - Edit the policy markdown file(s).
- Update Last Reviewed to today.
- Update Effective Date if this is a material change.
- Add a new row to Version History describing the change.
- Commit and push to
staging.
Step 2 — Open Pull Request
Section titled “Step 2 — Open Pull Request”- Open a PR from
staging→main. - Fill in the change summary and impact assessment.
- CI automatically validates: Owner/Reviewer fields present, Last Reviewed is current, Version History section exists. CI also generates preview PDFs as PR artifacts.
Step 3 — Review and Approval
Section titled “Step 3 — Review and Approval”- A reviewer other than the PR author must approve — branch protection enforces this.
- Reviewer: download and review preview PDFs from CI artifacts; verify consistency with related policies; confirm PR description accurately describes the change.
Step 4 — Automatic Publishing
Section titled “Step 4 — Automatic Publishing”On merge to main, GitHub Actions automatically:
- Creates the next Git tag.
- Generates final PDFs with version, commit SHA, and repository injected.
- Creates a GitHub Release with PDFs attached.
No manual steps required after merge.
Step 5 — Distribute
Section titled “Step 5 — Distribute”- Notify all personnel of material changes via Slack
#general. - For new policies or significant changes, require re-acknowledgment within 30 days.
- Update linked GitHub issues on the SOC 2 project board if the change relates to control work.
Version System
Section titled “Version System”Versions are GitHub Release tags created automatically on each merge to main. Version numbers are never manually maintained in source markdown — injected into PDFs at generation time.
| Concept | Mechanism |
|---|---|
| Version number | Git tag (auto-incremented) |
| Change justification | Pull Request description |
| Approval record | PR review approval (non-author) |
| Audit trail | Git commit history + GitHub Releases |
| Published artifact | PDF attached to GitHub Release |
Every published PDF contains Version, Commit SHA, and Repository in its Document Control table, traceable to the exact source, PR, and approval.
Storage Locations
Section titled “Storage Locations”| Artifact | Location |
|---|---|
| Source markdown (authoritative) | policies/*.md |
| Procedures | procedures/*.md |
| Guides | guides/*.md |
| Published PDFs | GitHub Release attachments |
| Browsable policies | GitHub Pages (m7-security) |
| PDF generator | policies/generate-pdfs.py |
| Branch | Purpose | Protection |
|---|---|---|
main | Production — published policies | PR required, non-author approval, signed commits |
staging | Draft changes | Open for direct push |
Meridian Seven — Confidential