7.5.1 General
The organization’s information security management system shall include:
- documented information required by this document; and
- documented information determined by the organization as being necessary for the effectiveness of the information security management system.
NOTE The extent of documented information for an information security management system can differ from one organization to another due to:
1) the size of organization and its type of activities, processes, products and services;
2) the complexity of processes and their interactions; and
3) the competence of persons.
7.5.2 Creating and updating
When creating and updating documented information the organization shall ensure appropriate:
- identification and description (e.g. a title, date, author, or reference number);
- format (e.g. language, software version, graphics) and media (e.g. paper, electronic); and
- review and approval for suitability and adequacy.
7.5.3 Control of documented information
Documented information required by the information security management system and by this document shall be controlled to ensure:
a) it is available and suitable for use, where and when it is needed; and
b) it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity).
For the control of documented information, the organization shall address the following activities, as applicable:
c) distribution, access, retrieval and use;
d) storage and preservation, including the preservation of legibility;
e) control of changes (e.g. version control); and
f) retention and disposition.
Documented information of external origin, determined by the organization to be necessary for the planning and operation of the information security management system, shall be identified as appropriate, and controlled.
NOTE Access can imply a decision regarding the permission to view the documented information only, or the permission and authority to view and change the documented information, etc.
The organization’s information security management system shall include the documented information required by the ISO 27001 standard and the documented information determined by the organization as being necessary for the effectiveness of the information security management system.
The ISO 27001 standard emphasizes the importance of a flexible approach to documentation, acknowledging that organizations have unique needs and contexts. Here’s a breakdown of how this principle is applied:
- Documented Information Required by ISO 27001: The organization must include specific documented information as required by the ISO 27001 standard. This includes documents such as the Information Security Policy, the Statement of Applicability, the Risk Assessment and Treatment Methodology, and other items stipulated in the standard.
- Organization’s Determination of Necessary Documentation: In addition to the documents explicitly required by ISO 27001, the organization is responsible for determining what other documents and records are necessary for the effective implementation and maintenance of its Information Security Management System (ISMS). This determination is often based on factors such as the organization’s size, structure, risk profile, and the nature of its information assets.
- Flexibility and Tailoring: ISO 27001 encourages a risk-based and flexible approach to documentation. Organizations are not expected to create unnecessary paperwork but rather to tailor their documentation to meet their specific needs. The organization should consider what documentation is practical and adds value to the ISMS.
- Balancing Compliance and Effectiveness: While compliance with ISO 27001 requirements is essential, the organization should balance this with the practicality and effectiveness of its ISMS. The documented information should serve as a tool to manage information security risks, communicate policies and procedures, and provide evidence of the ISMS’s effectiveness.
- Continuous Improvement: ISO 27001 emphasizes the need for continual improvement. As part of this process, the organization should regularly review and update its documented information to ensure its relevance and effectiveness in addressing information security risks.
The organization’s Information Security Management System (ISMS) should include both the documented information required by ISO 27001 and additional documentation determined by the organization as necessary for the effectiveness of the ISMS. This approach ensures that the ISMS is not only compliant with the standard but also tailored to the organization’s unique requirements and conducive to effective information security management.
The extent of documented information for an information security management system can differ from one organization to another due to the size of organization and its type of activities, processes, products and services; the complexity of processes and their interactions; and the competence of persons.
This point captures the essence of the flexible approach advocated by ISO 27001 regarding the extent of documented information for an Information Security Management System (ISMS). Let’s delve into each aspect:
- Size of the Organization and its Type of Activities, Processes, Products, and Services: Smaller organizations may have simpler structures and operations, and therefore may require less extensive documentation. The nature of the organization’s activities, processes, products, and services also plays a significant role. For example, an organization handling sensitive customer data may need more robust documentation than an organization with less critical information.
- Complexity of Processes and Their Interactions: Organizations with intricate processes and numerous interactions between different components may require more detailed and extensive documentation. The complexity of processes can vary widely, and the level of documentation should be proportional to the intricacy of these processes. Documented information helps ensure that processes are clearly defined, understood, and controlled.
- Competence of Persons: The competence of individuals within the organization influences the extent of documented information needed. If the workforce is highly skilled and experienced, some processes might be well-executed without extensive documentation. On the other hand, if there are varying levels of competence or frequent turnover, more detailed documentation might be necessary to maintain consistency and effectiveness in the implementation of information security controls.
- Risk Profile: The organization’s risk profile is a crucial factor. Higher-risk environments may require more documentation to ensure that risks are properly identified, assessed, and mitigated. Conversely, organizations with lower risk thresholds may have a lighter documentation burden, but the documentation should still be sufficient to demonstrate compliance with ISO 27001 requirements.
- Organizational Culture and Management Style: The culture and management style of an organization can influence the extent of documented information. Some organizations may have a preference for detailed documentation to provide clarity and structure, while others may emphasize a more streamlined and agile approach.
- Regulatory and Legal Requirements: The industry and geographical location of the organization can introduce additional regulatory and legal requirements. Compliance with these external obligations may necessitate specific documentation to demonstrate conformity.
ISO 27001 recognizes these variations and encourages organizations to adopt a risk-based and pragmatic approach to documentation. The goal is to have the right amount of documented information to support effective information security management without creating unnecessary bureaucratic burdens. This flexibility allows organizations to tailor their ISMS documentation to their unique circumstances and needs.
Creating and updating Documented Information
Creating and updating documented information for an Information Security Management System (ISMS) is a crucial aspect of ISO 27001 compliance. The process should be systematic, controlled, and aligned with the organization’s information security objectives. Here’s a general guideline on how an organization can create and update documented information:
- Establish a Documented Information Management Process: Define a process for creating, reviewing, approving, and updating documented information. This process should outline responsibilities, authorities, and the sequence of steps involved.
- Identify and Document Information Needs: Identify the types of documented information required based on ISO 27001 requirements and the organization’s internal needs. This may include policies, procedures, plans, records, and other relevant documents.
- Determine the Format and Medium: Decide on the format and medium for documented information. This could be electronic or paper-based, depending on the organization’s preferences and the nature of the information.
- Assign Responsibilities: Clearly define roles and responsibilities for creating, reviewing, approving, and updating documented information. Ensure that relevant personnel are aware of their roles and are competent to fulfill their responsibilities.
- Involve Stakeholders: Involve relevant stakeholders in the creation and updating process. This includes input from different departments, employees, and, where applicable, external parties.
- Risk-Based Approach: Adopt a risk-based approach to determine the level of detail and documentation needed. Focus on areas with higher risks and critical processes that require clear guidance.
- Document Control: Implement a document control system to manage versions, access, and distribution of documented information. This ensures that the right people have access to the latest and approved versions.
- Review and Approval: Establish a review and approval process for new and updated documented information. This ensures that the content is accurate, relevant, and aligned with the organization’s objectives.
- Training and Awareness: Provide training to employees on the use and understanding of documented information. Ensure that personnel are aware of the importance of following documented processes.
- Record Keeping: Maintain records of changes, reviews, and approvals. This includes documenting the rationale for changes and the individuals involved in the process.
- Continuous Improvement: Regularly review the effectiveness of the documented information management process. Seek feedback from users, monitor changes in the organization’s context, and update documented information accordingly.
- Compliance with Legal and Regulatory Requirements: Ensure that the creation and updating of documented information comply with relevant legal and regulatory requirements, as well as contractual obligations.
- Communication: Communicate changes in documented information to relevant stakeholders. This may involve training sessions, announcements, or other communication methods.
- Periodic Reviews: Schedule periodic reviews of documented information to ensure its continued relevance and effectiveness. This is particularly important in the context of the management review process.
- Documented Information Security: Apply information security controls to protect the confidentiality, integrity, and availability of documented information. This includes access controls and encryption, especially for sensitive information.
- Tools and Technology: Leverage document management tools and technology to streamline the creation, update, and control of documented information.
- Feedback Mechanism: Establish a feedback mechanism to capture input from users and stakeholders regarding the usability and effectiveness of documented information.
- Integration with Business Processes: Integrate the creation and updating of documented information with relevant business processes to ensure seamless and efficient operations.
By following these steps, an organization can create and update documented information in a controlled and effective manner, supporting the implementation and continual improvement of its Information Security Management System.
When creating and updating documented information the organization shall ensure identification and description (e.g. a title, date, author, or reference number)
The identification and description of documented information are crucial elements to ensure clarity, traceability, and effective management within an Information Security Management System (ISMS). Including information such as a title, date, author, or reference number is essential for several reasons:
- Clarity and Understanding: A clear and descriptive title helps users understand the purpose and content of the document. It provides context and ensures that the document is easily recognizable and distinguishable from others.
- Version Control: Including a date is essential for version control. It helps users identify the latest version of a document and ensures that they are working with the most up-to-date information.
- Authorship Information: Including the author’s name or identifier adds accountability and transparency. Users can know who is responsible for the document’s content and can seek clarification if needed.
- Reference Number or Code: Assigning a unique reference number or code to a document aids in organization and retrieval. It simplifies the process of searching for, referencing, and managing documents within the ISMS.
- Audit Trail and Traceability: The identification information creates an audit trail, enabling traceability of changes and updates to the document over time. This is crucial for maintaining the integrity and reliability of the documented information.
- Compliance Requirements: Many standards, including ISO 27001, may require certain identification and description elements for documented information. Including this information helps demonstrate compliance with these requirements.
- Ease of Navigation: A well-structured and clearly identified document facilitates ease of navigation within the ISMS. Users can quickly locate and access the information they need.
- Communication and Collaboration: Identification and description elements support effective communication and collaboration. Team members, stakeholders, and auditors can easily understand the context and relevance of the documented information.
- Legal and Regulatory Compliance: In some cases, legal or regulatory requirements may mandate the inclusion of specific identification information in certain types of documents. Ensuring compliance with such requirements is important.
When creating and updating documented information, organizations should establish and enforce a standardized approach to include these identification and description elements. This can be part of the organization’s document control procedures, ensuring consistency and compliance across the ISMS documentation. By doing so, the organization enhances the usability, reliability, and overall effectiveness of its documented information.
When creating and updating documented information the organization shall ensure format (e.g. language, software version, graphics) and media (e.g. paper, electronic)
Considering the format (e.g., language, software version, graphics) and media (e.g., paper, electronic) when creating and updating documented information is essential for effective communication, usability, and preservation of information within an Information Security Management System (ISMS). Here are key considerations:
Format:
- Language: Clearly specify the language in which the document is written. This is crucial for ensuring that the intended audience can understand and interpret the content accurately.
- Software Version: If the documented information is created or stored using specific software, indicate the software version. This helps ensure compatibility and allows users to know the tools required for accessing or editing the document.
- Graphics and Visual Elements: Clearly define the format and standards for any graphics, charts, or visual elements included in the documented information. This ensures consistency and clarity in conveying information.
- Consistent Formatting: Establish and maintain a consistent formatting style across all documented information. This includes font styles, sizes, headings, and other formatting elements to enhance readability and professionalism.
Media:
- Paper vs. Electronic: Clearly specify whether the documented information is in paper or electronic format. This is important for storage, distribution, and retrieval considerations.
- Electronic Format Considerations: If the information is in electronic format, specify the file type and version compatibility. Consider the longevity of the file format to ensure that the information remains accessible over time.
- Access Controls for Electronic Documents: For electronic documents, implement access controls to restrict and manage who can view, edit, or modify the information. This is crucial for maintaining the confidentiality and integrity of sensitive information.
- Backup and Recovery: Consider the backup and recovery mechanisms for electronic documents. Regularly back up critical information to prevent data loss and ensure business continuity.
- Preservation of Paper Documents: If documents are in paper format, establish measures for their preservation. This includes protection from environmental factors (e.g., moisture, sunlight) and secure storage to prevent damage or loss.
- Conversion Processes: If there are processes for converting documents between different media or formats, document these processes to ensure accuracy and consistency during conversions.
- Usability Across Devices: Ensure that electronic documents are formatted to be usable across various devices (computers, tablets, mobile devices) without compromising readability or functionality.
- Compliance with Legal and Regulatory Requirements: Consider any legal or regulatory requirements related to the format and media of documented information. Certain industries or jurisdictions may have specific standards that need to be adhered to.
By paying attention to the format and media considerations, organizations can enhance the accessibility, usability, and longevity of their documented information. This, in turn, contributes to the effectiveness of the Information Security Management System and helps meet the requirements of standards such as ISO 27001.
When creating and updating documented information the organization shall ensure review and approval for suitability and adequacy
Ensuring the review and approval of documented information for suitability and adequacy is a fundamental part of the document control process within an Information Security Management System (ISMS). This practice helps maintain the integrity, quality, and effectiveness of the documented information. Here’s how organizations can ensure this review and approval process:
Review for Suitability and Adequacy:
- Establish Review Criteria: Define specific criteria that the documented information must meet. This may include alignment with ISO 27001 requirements, accuracy, relevance, clarity, and consistency.
- Identify Reviewers: Clearly identify individuals or roles responsible for reviewing the documented information. Ensure that these reviewers have the necessary expertise and understanding of the content.
- Document Review Process: Outline a formal process for conducting reviews. This process should detail how reviews are initiated, conducted, documented, and communicated.
- Scheduled Reviews: Schedule regular reviews of documented information, especially in the context of changes in the organization, technology, or regulatory landscape. This ensures that the information remains up-to-date and effective.
- Incorporate Feedback: Encourage a collaborative approach by seeking input and feedback from relevant stakeholders. This can include subject matter experts, end-users, and individuals affected by the documented information.
- Risk-Based Approach: Apply a risk-based approach to reviews, prioritizing documents with higher impact on information security and critical business processes.
- Documented Information Change Control: Integrate the review process into the organization’s change control procedures. Ensure that changes to documented information trigger a review to assess their suitability and adequacy.
Approval for Suitability and Adequacy:
- Define Approval Authority: Clearly define the authority responsible for approving documented information. This is typically a management-level role with the authority to ensure that the information aligns with the organization’s objectives.
- Document Approval Process: Outline a formal process for obtaining approvals. Specify the steps involved, the individuals or roles responsible for granting approval, and any required documentation or sign-off.
- Sequential Approval Process: Consider implementing a sequential approval process where the document moves through defined levels of management for approval. This helps ensure that multiple perspectives are considered.
- Electronic Approval Workflow: If using electronic document management systems, leverage approval workflow functionalities to streamline and automate the approval process. This can enhance efficiency and accountability.
- Approval Recordkeeping: Maintain records of approvals, including the names of approvers, dates of approval, and any comments or conditions associated with the approval.
- Communicate Approval: Communicate the approval status to relevant stakeholders. Ensure that all users are aware when a documented information item has been approved for use.
- Continuous Monitoring: Implement a system for continuous monitoring to ensure that approved documented information remains suitable and adequate over time. This may involve periodic re-evaluations.
Documented information required by the information security management system and by this document shall be controlled
Control of documented information is a critical aspect of managing an effective Information Security Management System (ISMS) and is a key requirement outlined in the ISO 27001 standard. Document control ensures the integrity, availability, and confidentiality of information within the organization. Here are some key principles and steps in controlling documented information:
Principles of Document Control:
- Access Control: Limit access to documented information to authorized personnel. This helps prevent unauthorized access, modifications, or use of sensitive information.
- Version Control: Implement version control to manage changes to documented information. Ensure that the most current and approved version is readily accessible to users.
- Distribution Control: Manage the distribution of documented information to ensure that it reaches the intended audience. This may involve controlling electronic access or distributing physical copies securely.
- Retrieval and Use: Ensure that documented information is easily retrievable by those who need it. This includes providing access to the information in a timely and efficient manner.
- Preventing Unintended Changes: Implement measures to prevent unintended changes to documented information. This may involve restricting editing permissions to authorized personnel only.
Steps in Controlling Documented Information:
- Establish Documented Information Control Procedures: Develop and implement procedures that outline the steps involved in controlling documented information. These procedures should cover creation, review, approval, distribution, access control, and version control.
- Document Identification: Clearly identify and label each document. Include a title, date, version number, and any other relevant information for easy identification.
- Document Storage: Determine where and how documented information will be stored. This could be physical filing systems, electronic document management systems, or a combination of both.
- Access Control Measures: Implement access controls to ensure that only authorized personnel have access to certain types of documented information. This is particularly important for sensitive or confidential documents.
- Versioning: Clearly define the versioning system for documents. Ensure that changes are tracked, and users can easily identify the latest version of a document.
- Change Control Process: Establish a change control process to manage modifications to documented information. This should include a review and approval process before changes are implemented.
- Training and Awareness: Train personnel on document control procedures and the importance of adhering to them. Foster awareness about the significance of controlled documented information in maintaining information security.
- Regular Audits and Inspections: Conduct regular audits and inspections to ensure that document control procedures are being followed. This helps identify and correct any deviations or non-compliance.
- Backups: Regularly back up electronic documented information to prevent data loss due to unforeseen events such as hardware failures, cyber-attacks, or accidental deletions.
- Periodic Review: Implement a periodic review process to assess the continued relevance and effectiveness of documented information. Update documents as necessary based on changes in the organization or its environment.
- Communication: Communicate any changes to documented information to relevant stakeholders. This includes notifying users of new versions, updates, or changes in access permissions.
By following these principles and steps, organizations can establish a robust system for controlling documented information, ensuring its accuracy, integrity, and availability in support of the information security management objectives.
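As an added example (not code from the page, from ISO, or from any document management product), the small register below models the 7.5.2 identification elements together with the 7.5.3 activities listed above: approval recordkeeping, control of changes by versioning, detection of edits made outside change control (loss of integrity), and retention-driven disposition. Class and field names, the segregation-of-duties rule in `approve`, and the sample values are all assumptions.

```python
"""Controlled-document register: an added example, not text from ISO 27001 or
from the page's author. It models the clause 7.5.2 identification elements
(reference number, title, author, date, version) and the 7.5.3 activities the
page lists: approval records, control of changes, integrity, and retention.
All class names, field names and sample values below are constructed assumptions."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from datetime import date

# 7.5.2: identification and description elements every document must carry
REQUIRED_ID_FIELDS = ("ref", "title", "author", "issued_on", "version")


@dataclass
class ApprovalRecord:
    """Approval recordkeeping: who approved which exact content, and when."""
    approver: str
    approved_on: date
    content_sha256: str  # digest of the content as it was when approved
    comment: str = ""


@dataclass
class ControlledDocument:
    ref: str              # reference number, e.g. "ISMS-POL-001" (constructed)
    title: str
    author: str
    issued_on: date
    version: int
    content: str
    retention_years: int = 3
    approvals: list[ApprovalRecord] = field(default_factory=list)

    def digest(self) -> str:
        """Content fingerprint used to detect changes made outside change control."""
        return hashlib.sha256(self.content.encode("utf-8")).hexdigest()

    def missing_identification(self) -> list[str]:
        """Names of 7.5.2 identification elements that are empty."""
        return [f for f in REQUIRED_ID_FIELDS if not getattr(self, f)]

    def approve(self, approver: str, on: date, comment: str = "") -> ApprovalRecord:
        """Record approval of the current content. Refuses unidentified documents
        and self-approval; the self-approval rule is a segregation-of-duties
        assumption of this example, not something clause 7.5 itself mandates."""
        missing = self.missing_identification()
        if missing:
            raise ValueError(f"{self.ref or '<no ref>'}: missing identification {missing}")
        if approver == self.author:
            raise ValueError(f"{self.ref}: author {approver} cannot approve own document")
        record = ApprovalRecord(approver, on, self.digest(), comment)
        self.approvals.append(record)
        return record

    def is_approved(self) -> bool:
        """True only when the latest approval covers the content as it is now.
        Any edit after approval (an uncontrolled change or tampering) makes the
        approval stale until the document is revised and re-approved."""
        return bool(self.approvals) and self.approvals[-1].content_sha256 == self.digest()

    def revise(self, new_content: str, author: str, on: date) -> ControlledDocument:
        """Control of changes: a change is a new version; approvals do not carry over."""
        return ControlledDocument(
            ref=self.ref, title=self.title, author=author, issued_on=on,
            version=self.version + 1, content=new_content,
            retention_years=self.retention_years,
        )

    def disposition_due(self, today: date) -> bool:
        """Retention and disposition: due once retention_years have passed since
        the latest approval. Unapproved drafts are never flagged for disposal here.
        The day is clamped to 28 so a 29 February approval never yields an invalid date."""
        if not self.approvals:
            return False
        last = self.approvals[-1].approved_on
        due = date(last.year + self.retention_years, last.month, min(last.day, 28))
        return today >= due


def register_status(doc: ControlledDocument, today: date) -> dict[str, object]:
    """The summary a document controller would check during a periodic review."""
    return {
        "ref": doc.ref,
        "version": doc.version,
        "identified": not doc.missing_identification(),
        "approved": doc.is_approved(),
        "disposition_due": doc.disposition_due(today),
    }


def sample_policy() -> ControlledDocument:
    """Constructed sample: an approved version 1 of a policy document."""
    doc = ControlledDocument("ISMS-POL-001", "Information Security Policy",
                             "alice", date(2024, 1, 10), 1, "Policy text v1")
    doc.approve("bob", date(2024, 1, 15), "approved at management review")
    return doc


if __name__ == "__main__":
    policy = sample_policy()
    print(register_status(policy, date(2024, 2, 1)))        # approved: True
    policy.content += " (edited outside change control)"    # integrity loss
    print(register_status(policy, date(2024, 2, 1)))        # approved: False
```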
The organization must ensure that the Documented Information is available and suitable for use, where and when it is needed
Ensuring that documented information is available and suitable for use when and where it is needed is a key aspect of effective document control and information management. This requirement aligns with ISO 27001’s emphasis on accessibility, usability, and relevance. Here are some essential considerations:
- Accessibility:
  - Electronic Access: For electronically stored documented information, implement secure and controlled access mechanisms. This ensures that authorized personnel can retrieve the information as needed.
  - Physical Access: For physical documents, ensure that they are stored in locations that are easily accessible to those who need them. This might involve well-organized filing systems and secure storage areas.
- Usability: Ensure that documented information is presented in a format that is clear, understandable, and usable by the intended audience. This may involve considerations such as language, formatting, and the use of visual aids.
- Timeliness: Establish procedures to ensure that documented information is made available in a timely manner. This is particularly important for critical documents that need to be accessed promptly for operational or decision-making purposes.
- Location and Devices: Consider the diverse locations and devices where personnel may need to access documented information. Ensure compatibility and ease of access across various devices, including computers, tablets, and mobile devices.
- Security Measures: While ensuring availability, implement security measures to prevent unauthorized access. This involves access controls, encryption, and other security measures to protect sensitive information.
- Training and Awareness: Provide training to personnel on how to access and use documented information effectively. Foster awareness about the importance of using the most current and approved versions.
- Communication: Establish clear communication channels to notify relevant personnel about the availability of new or updated documented information. This may involve email notifications, announcements, or other communication methods.
- Monitoring and Continuous Improvement: Implement monitoring mechanisms to track the usage and availability of documented information. Use feedback and performance metrics to identify areas for improvement and ensure continuous enhancement.
- Backup and Recovery: For electronic documented information, implement robust backup and recovery procedures. This safeguards against data loss due to unforeseen events and ensures the availability of information even in the face of disruptions.
- Periodic Reviews: Periodically review the accessibility and usability of documented information. This ensures that the information remains relevant, meets the needs of users, and aligns with any changes in the organization.
- Accessibility during Disruptions: Plan for business continuity by ensuring that critical documented information remains accessible during disruptions such as system outages, emergencies, or other unforeseen events.
- Audit Trails: Implement audit trails to track who accessed the documented information and when. This provides accountability and supports investigations in case of unauthorized access.
- Legal and Regulatory Compliance: Ensure that the availability and use of documented information comply with relevant legal and regulatory requirements. This includes considerations for data protection, privacy, and other compliance obligations.
By addressing these considerations, organizations can meet the requirement of ensuring that documented information is available and suitable for use when and where it is needed, supporting the effective functioning of the Information Security Management System.
The organization must ensure that the Documented Information is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity).
Protecting documented information is a crucial aspect of information security management, and it aligns with the core principles of ISO 27001. Adequate protection helps safeguard the confidentiality, integrity, and availability of the information. Here are key considerations for ensuring the protection of documented information:
- Access Controls: Implement access controls to ensure that only authorized individuals have access to sensitive or confidential documented information. This involves user authentication, authorization, and regular reviews of access permissions.
- Encryption: Utilize encryption mechanisms, especially for electronically stored or transmitted documented information. Encryption helps protect information during storage, transit, and when accessed by authorized users.
- Physical Security: Implement physical security measures to protect physical copies of documented information. This includes secure storage, restricted access areas, and measures to prevent unauthorized removal or tampering.
- User Awareness and Training: Train employees on the importance of information security and their role in protecting documented information. Create awareness about potential risks and best practices for handling sensitive information.
- Secure Transmission: Ensure secure transmission of electronic documented information. Use secure communication channels, such as encrypted emails or secure file transfer protocols, to prevent unauthorized interception or tampering.
- Backup and Recovery: Implement regular backup procedures to protect against data loss. Ensure that backups are securely stored and that recovery processes are tested to guarantee the availability and integrity of documented information.
- Change Control: Establish a robust change control process to manage modifications to documented information. Ensure that changes are authorized, documented, and reviewed to prevent unauthorized alterations that could compromise integrity.
- Documented Information Retention: Implement a documented information retention policy. Define how long information needs to be retained, and establish secure processes for the disposal of information that is no longer needed.
- Monitoring and Logging: Implement monitoring and logging mechanisms to track access to documented information. Regularly review logs to identify and respond to any suspicious or unauthorized activities.
- Anti-Malware Measures: Use anti-malware solutions to protect against malicious software that could compromise the security of documented information. Regularly update and scan systems to ensure protection.
- Incident Response Plan: Develop and maintain an incident response plan to address security incidents promptly. This includes procedures for reporting and mitigating incidents that could impact the confidentiality, integrity, or availability of documented information.
- Legal and Regulatory Compliance: Ensure that protection measures align with legal and regulatory requirements. This includes compliance with data protection laws, privacy regulations, and any industry-specific mandates.
- Supplier and Third-Party Security: If third parties or suppliers have access to documented information, establish and enforce security measures to ensure their compliance with information security requirements.
- Secure Disposal: Establish procedures for the secure disposal of physical and electronic media that contain documented information. This prevents unauthorized access to sensitive information after it is no longer needed.
- Periodic Security Assessments: Conduct periodic security assessments, including vulnerability assessments and penetration testing, to identify and address potential weaknesses in the protection of documented information.
- Continual Improvement: Continuously assess and improve information security measures. Regularly review and update protection mechanisms to address emerging threats and changes in the organization’s risk profile.
By systematically addressing these considerations, organizations can significantly enhance the protection of documented information, ensuring that it remains confidential, integral, and available as required by ISO 27001 and other information security standards.
For the control of documented information, the organization shall address distribution, access, retrieval and use; storage and preservation, including the preservation of legibility; control of changes (e.g. version control); and retention and disposition.
The control of documented information involves managing various aspects throughout its lifecycle. The ISO 27001 standard highlights key elements that organizations should address to ensure effective control. Let’s delve into each component:
- Distribution, Access, Retrieval, and Use:
- Define Access Controls: Clearly outline who has access to specific types of documented information. Establish role-based access controls to ensure that only authorized personnel can retrieve and use certain documents.
- Secure Distribution Channels: When distributing documented information, use secure channels to prevent unauthorized access during transmission.
- Storage and Preservation, Including the Preservation of Legibility:
- Establish Secure Storage: Determine secure storage locations for both physical and electronic documents. Implement access controls to protect stored information.
- Preservation of Legibility: Ensure that documents, particularly physical ones, are stored in conditions that preserve their legibility over time. This involves protecting against environmental factors like humidity, light, and temperature.
- Control of Changes (e.g., Version Control):
- Version Control Procedures: Develop and implement version control procedures. Clearly indicate the version number and date on each document. Ensure that only the latest, approved version is in use.
- Change Control Process: Establish a formal change control process. Changes to documented information should be reviewed, approved, and communicated in a controlled manner to prevent unauthorized or unintended modifications.
- Retention and Disposition:
- Document Retention Policy: Develop a documented information retention policy. Clearly define how long different types of documents need to be retained based on legal, regulatory, or business requirements.
- Secure Disposal Procedures: Establish secure procedures for the disposal of documents that have reached the end of their retention period. This may involve shredding physical documents or securely deleting electronic files.
- Additional Considerations:
- Backup and Recovery: Implement regular backup procedures to ensure the availability and integrity of documented information. Include provisions for recovery in case of data loss or system failures.
- Audit Trails: Implement audit trails to track changes to documented information. This helps in monitoring who made changes, what changes were made, and when they occurred.
- Training and Awareness: Provide training to employees on the proper handling of documented information, including how to access, use, and update documents in compliance with organizational policies.
- Encryption and Security Measures: Implement encryption and other security measures, especially for electronically stored or transmitted documented information, to protect against unauthorized access.
- Continuous Improvement: Regularly review and improve control measures. This involves periodic assessments, audits, and feedback mechanisms to identify opportunities for enhancement.
By addressing these aspects, organizations can establish a comprehensive system for the control of documented information, ensuring that it is managed effectively throughout its lifecycle, and aligning with the requirements of ISO 27001. This systematic approach contributes to the overall effectiveness of an organization’s Information Security Management System.
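As an added example of how the version control, change control, audit trail and retention points above fit together in practice (this is not code from the original page or from ISO/IEC 27001), the following register keeps every version of a document with a draft / under review / approved / obsolete status, records each action in an audit log, stores a SHA-256 hash of each version so a copy found in circulation can be checked against the approved one, and computes the earliest disposition date from a retention period. The document identifiers, status names, hash scheme and retention rule are assumptions chosen for illustration.

```python
"""Controlled-document register: version control, a draft/review/approved
lifecycle, an audit trail and a content hash for integrity checks.

Added example: not code from the original page or from ISO/IEC 27001.
Field names, statuses and the retention rule are assumptions.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from datetime import date


def content_hash(content: str) -> str:
    """SHA-256 of the document text. Recorded with each version so that a
    copy found in circulation can be checked against the approved one."""
    return hashlib.sha256(content.encode("utf-8")).hexdigest()


@dataclass
class Version:
    number: int
    content: str
    author: str
    status: str = "draft"        # draft -> under review -> approved -> obsolete
    approver: str | None = None
    sha256: str = ""

    def __post_init__(self) -> None:
        self.sha256 = content_hash(self.content)


@dataclass
class ControlledDocument:
    doc_id: str              # identification (7.5.2): reference number
    title: str
    owner: str
    retention_years: int     # retention and disposition (7.5.3 f)
    versions: list[Version] = field(default_factory=list)
    audit_log: list[dict] = field(default_factory=list)

    def _log(self, event: str, actor: str, **detail) -> None:
        # Who did what to which version; this is what 'Monitoring and Logging' reviews.
        self.audit_log.append({"event": event, "actor": actor, **detail})

    def new_version(self, content: str, author: str) -> Version:
        """Open a new draft; the approved copy stays in force until superseded."""
        v = Version(number=len(self.versions) + 1, content=content, author=author)
        self.versions.append(v)
        self._log("created", author, version=v.number, sha256=v.sha256)
        return v

    def submit_for_review(self, number: int, actor: str) -> None:
        v = self.versions[number - 1]
        if v.status != "draft":
            raise ValueError(f"version {number} is '{v.status}', not draft")
        v.status = "under review"
        self._log("submitted", actor, version=number)

    def approve(self, number: int, approver: str) -> None:
        """Record approval (7.5.2) and retire the previously approved version."""
        v = self.versions[number - 1]
        if v.status != "under review":
            raise ValueError(f"version {number} is '{v.status}', not under review")
        for old in self.versions:
            if old.status == "approved":
                old.status = "obsolete"
                self._log("superseded", approver, version=old.number)
        v.status, v.approver = "approved", approver
        self._log("approved", approver, version=number, sha256=v.sha256)

    def current(self) -> Version | None:
        """The single version that may be distributed and used."""
        return next((v for v in self.versions if v.status == "approved"), None)

    def verify(self, content: str) -> bool:
        """Integrity check: does this copy match the approved version's hash?"""
        cur = self.current()
        return cur is not None and content_hash(content) == cur.sha256

    def disposition_date(self, approved_on: str) -> str:
        """Earliest ISO date on which a superseded record may be disposed of."""
        d = date.fromisoformat(approved_on)
        try:
            return d.replace(year=d.year + self.retention_years).isoformat()
        except ValueError:   # 29 February in a non-leap target year
            return d.replace(year=d.year + self.retention_years, day=28).isoformat()


def demo() -> ControlledDocument:
    """Walk one document through its lifecycle; the contents are constructed."""
    doc = ControlledDocument("POL-007", "Access Control Policy", "ciso", retention_years=7)
    v1 = doc.new_version("Access is granted on a need-to-know basis.", author="alice")
    doc.submit_for_review(v1.number, actor="alice")
    doc.approve(v1.number, approver="bob")
    v2 = doc.new_version("Access is granted on a need-to-know basis and reviewed quarterly.",
                         author="alice")
    doc.submit_for_review(v2.number, actor="alice")
    return doc


if __name__ == "__main__":
    for entry in demo().audit_log:
        print(entry)
```

Two design points carry over to any real document management system: a draft never displaces the approved copy until its own approval is recorded, and the hash is stored at approval time so that a later integrity check compares against what was approved, not against whatever is currently in the repository.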
Documented information of external origin, determined by the organization to be necessary for the planning and operation of the information security management system, shall be identified as appropriate, and controlled.
When dealing with documented information of external origin, the organization needs to identify, evaluate, and control such information appropriately. This is crucial for the planning and operation of the Information Security Management System (ISMS) and aligns with the requirements of ISO 27001. Here’s how the organization can address this:
- Identification of Documented Information of External Origin: Identify and document all sources of external information that are necessary for the planning and operation of the ISMS. This may include legal and regulatory requirements, industry standards, guidelines, and best practices.
- Determination of Relevance: Evaluate the relevance and applicability of each piece of documented information from external sources to the organization’s ISMS. Not all externally sourced information may be applicable, so a careful assessment is essential.
- Control Mechanisms: Establish control mechanisms for documented information of external origin. This involves implementing processes to ensure that the information is obtained, reviewed, and applied in a consistent and controlled manner.
- Access and Distribution Controls: Implement access controls to restrict access to external information to authorized personnel. Ensure that the distribution of this information is controlled to prevent unauthorized dissemination.
- Integration with Internal Documentation: Integrate relevant documented information from external sources into the organization’s internal documentation, ensuring that it aligns with the ISMS framework.
- Regular Review and Updates: Establish a systematic process for the regular review of external information to ensure that it remains current and applicable. Update internal documentation accordingly based on any changes to external sources.
- Legal and Regulatory Compliance: Ensure that the organization remains in compliance with legal and regulatory requirements by staying informed about changes in external regulations and adjusting ISMS processes accordingly.
- Risk Assessment: Include the evaluation of risks associated with external information in the organization’s risk assessment processes. This helps in identifying potential vulnerabilities or threats arising from changes in external factors.
- Training and Awareness: Provide training to relevant personnel regarding the importance of and procedures for handling documented information of external origin. Foster awareness about the impact of external information on the ISMS.
- Documentation Control: Apply the organization’s document control procedures to externally sourced information. This includes version control, change control, and other relevant measures to maintain the integrity and reliability of the information.
- Supplier and Third-Party Management: If external information is sourced from suppliers or third parties, ensure that there are effective mechanisms in place for managing these relationships. This includes agreements, audits, and communication channels to address changes in external information.
- Continuous Improvement: Regularly assess the effectiveness of processes related to the control of documented information of external origin. Seek opportunities for improvement to enhance the organization’s ability to adapt to changes in the external environment.
By addressing these considerations, organizations can ensure that documented information of external origin is identified, controlled, and integrated effectively into the ISMS, contributing to its overall robustness and adaptability.
Access can imply a decision regarding the permission to view the documented information only, or the permission and authority to view and change the documented information, etc.
The concept of access involves granting individuals or entities permission to interact with documented information, and the level of access can vary based on the specific requirements and controls established by the organization. Access control encompasses more than just viewing; it also includes permissions and authority to modify or change the documented information. Here are different levels of access and their implications:
1. View-Only Access:
- Implication: Users with view-only access can read and review the documented information but do not have the authority to make changes or modifications.
- Use Case: Appropriate for individuals who need to reference or understand the information but are not responsible for editing or updating it.
2. Read-Write Access:
- Implication: Users with read-write access have the authority not only to view the documented information but also to make changes, edits, or additions.
- Use Case: Typically granted to individuals who are actively involved in updating or maintaining the information, such as authors, editors, or designated personnel.
3. No Access:
- Implication: Users with no access do not have permission to view or interact with the documented information.
- Use Case: Relevant for information that is highly sensitive or restricted, and access needs to be limited to a specific group or role.
4. Limited Access with Approval:
- Implication: Users may have restricted access, and any changes or modifications require approval from an authorized individual.
- Use Case: Suitable for situations where certain changes need oversight or authorization to ensure accuracy, compliance, or adherence to specific processes.
5. Full Control Access:
- Implication: Users with full control access have the highest level of authority. They can view, edit, delete, and manage permissions for the documented information.
- Use Case: Typically granted to administrators or individuals responsible for overall management and governance of the information.
6. Version Control Access:
- Implication: Users with version control access can manage different versions of the documented information, ensuring proper tracking and organization.
- Use Case: Appropriate for individuals responsible for maintaining version history and ensuring that the latest and approved version is available.
7. Audit Access:
- Implication: Users with audit access can view logs and records of who accessed the documented information, when, and what changes were made.
- Use Case: Important for monitoring and maintaining an audit trail, ensuring accountability and compliance.
Key Considerations for Access Control:
- Role-Based Access Control (RBAC): Assign access permissions based on roles within the organization. Different roles may have different levels of access depending on their responsibilities.
- Need-to-Know Principle: Grant access based on the principle that individuals should have access to information only if it is necessary for their job responsibilities.
- Segregation of Duties: Implement controls to ensure that critical tasks are divided among different individuals to prevent conflicts of interest and reduce the risk of errors or misuse.
- Regular Reviews and Audits: Periodically review and audit access permissions to ensure that they align with current roles and responsibilities and address any changes in personnel or organizational structure.
- Protection of Credentials and Sessions: Protect the access-control mechanism itself. Store credentials securely, and carry authentication and document retrieval over encrypted channels, so that access control cannot be bypassed by stealing or intercepting a legitimate user’s credentials.
By carefully managing access controls, organizations can strike a balance between providing individuals with the information they need to perform their roles effectively and protecting sensitive or critical information from unauthorized access or modification. Access controls play a crucial role in maintaining the confidentiality, integrity, and availability of documented information within an Information Security Management System (ISMS).
Documented Information Management Procedure for ISMS:
1. Title: Documented Information Management Procedure
2. Purpose:
- To establish a systematic approach for the creation, review, approval, distribution, access control, version control, and retention of documented information within the ISMS.
3. Scope:
- This procedure applies to all documented information, both internal and external, relevant to the ISMS.
4. Responsibilities:
- Information Owner: Responsible for the accuracy and integrity of documented information.
- Document Owner: Accountable for the creation, review, and approval of specific documents.
- Change Controller: Responsible for managing changes to documented information.
- Information Security Officer: Oversees the implementation of this procedure.
5. Procedure:
5.1 Document Creation:
- Identify the need for new documented information based on ISMS requirements.
- Assign a Document Owner responsible for creating the document.
- Use a standardized template for consistency.
5.2 Document Review and Approval:
- Conduct a review of the document for accuracy, completeness, and relevance.
- Obtain approval from the designated approver or authority.
- Record review and approval details.
5.3 Distribution:
- Determine the appropriate distribution list for the document.
- Use secure channels for distribution, especially for sensitive information.
- Maintain a distribution log.
5.4 Access Control:
- Implement role-based access controls for sensitive documents.
- Restrict access to authorized personnel only.
- Document access permissions and regularly review for changes.
5.5 Version Control:
- Assign a version number and date to each document.
- Clearly indicate the status (draft, under review, approved) of the document.
- Implement a change control process for modifications.
5.6 Retention and Disposition:
- Develop a retention schedule based on legal, regulatory, and business requirements.
- Dispose of obsolete documents securely, following the organization’s disposal procedures.
- Maintain records of document disposition.
5.7 Documented Information of External Origin:
- Identify relevant documented information from external sources necessary for the ISMS.
- Establish procedures for obtaining, reviewing, and integrating external information.
5.8 Training and Awareness:
- Provide training to personnel on the importance of document control.
- Foster awareness regarding the impact of documented information on information security.
6. Monitoring and Review:
- Conduct periodic audits of the documented information management process.
- Review access logs, version histories, and retention records.
- Identify opportunities for improvement.
7. Documentation:
- Maintain records of document creation, review, approval, distribution, access control, and changes.
- Ensure that documented information is easily accessible for audits and reviews.
8. Continuous Improvement:
- Periodically review and update this procedure based on lessons learned and changes in the organization’s context.
- Seek feedback from users to enhance the effectiveness of the documented information management process.
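As an added example serving both the access levels described under "Access can imply a decision..." and step 5.4 (Access Control) of the procedure above (this is not code from the original page or from ISO/IEC 27001), the following access-decision logic maps those levels (no access, view-only, read-write, limited access with approval, version control, audit, full control) onto operations, assigns levels to roles per document classification, defaults to no access where a role has no entry (need-to-know), requires a distinct approver for edits at the limited-approval level (segregation of duties), records every decision for audit, and produces the listing a periodic access review needs. Role names, classifications and the role-to-level matrix are assumptions for illustration.

```python
"""Access decisions for documented information, using the access levels
described in the text (view-only, read-write, no access, limited access
with approval, full control, version control, audit) as RBAC permissions.

Added example: not code from the original page or from ISO/IEC 27001.
Role names, classifications and the role-to-level matrix are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Operations a principal can request on a controlled document.
OPS = ("view", "edit", "delete", "manage_permissions", "manage_versions", "read_audit")

# Access level -> operations it grants (one entry per level in the text).
LEVELS: dict[str, frozenset[str]] = {
    "none":             frozenset(),
    "view_only":        frozenset({"view"}),
    "read_write":       frozenset({"view", "edit"}),
    "limited_approval": frozenset({"view", "edit"}),          # edits need sign-off
    "version_control":  frozenset({"view", "manage_versions"}),
    "audit":            frozenset({"view", "read_audit"}),
    "full_control":     frozenset(OPS),
}

# Role -> access level per classification (RBAC). A role with no entry for a
# classification gets "none": need-to-know is the default, not an exception.
ROLE_MATRIX: dict[str, dict[str, str]] = {
    "staff":          {"internal": "view_only"},
    "document_owner": {"internal": "read_write", "confidential": "limited_approval"},
    "doc_controller": {"internal": "version_control", "confidential": "version_control"},
    "auditor":        {"internal": "audit", "confidential": "audit"},
    "isms_admin":     {"internal": "full_control", "confidential": "full_control"},
}


@dataclass
class Principal:
    name: str
    roles: set[str]


@dataclass
class Document:
    doc_id: str
    classification: str
    access_log: list[tuple[str, str, bool]] = field(default_factory=list)


@dataclass
class Decision:
    allowed: bool
    reason: str


def levels_for(p: Principal, doc: Document) -> set[str]:
    return {ROLE_MATRIX.get(r, {}).get(doc.classification, "none") for r in p.roles}


def permitted_ops(p: Principal, doc: Document) -> frozenset[str]:
    """Union of what the principal's roles grant on this document."""
    ops: set[str] = set()
    for level in levels_for(p, doc):
        ops |= LEVELS[level]
    return frozenset(ops)


def needs_approval(p: Principal, doc: Document) -> bool:
    """Edits need sign-off unless some role grants an unconditional write."""
    lv = levels_for(p, doc)
    return "limited_approval" in lv and not lv & {"read_write", "full_control"}


def authorize(p: Principal, doc: Document, op: str,
              approver: Principal | None = None) -> Decision:
    """Decide one request and record it in the document's access log."""
    allowed = op in permitted_ops(p, doc)
    reason = "granted" if allowed else f"'{op}' not permitted for roles {sorted(p.roles)}"
    if allowed and op == "edit" and needs_approval(p, doc):
        if approver is None:
            allowed, reason = False, "edit requires approval"
        elif approver.name == p.name:
            allowed, reason = False, "segregation of duties: cannot approve own change"
        elif "edit" not in permitted_ops(approver, doc) or needs_approval(approver, doc):
            allowed, reason = False, f"{approver.name} lacks authority to approve"
        else:
            reason = f"granted with approval by {approver.name}"
    doc.access_log.append((p.name, op, allowed))   # audit trail, read via the "audit" level
    return Decision(allowed, reason)


def access_review(principals: list[Principal], doc: Document) -> dict[str, list[str]]:
    """Output for a periodic access review: who can do what on this document."""
    return {p.name: sorted(permitted_ops(p, doc)) for p in principals}


if __name__ == "__main__":
    policy = Document("POL-007", "confidential")
    alice, bob = Principal("alice", {"document_owner"}), Principal("bob", {"isms_admin"})
    print(authorize(alice, policy, "edit"))
    print(authorize(alice, policy, "edit", approver=bob))
    print(access_review([alice, bob, Principal("carol", {"staff"})], policy))
```

Denied requests are logged as well as granted ones; a review that only sees successful access cannot detect someone probing for documents outside their need-to-know.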
