ISO 27001 Clause 7.5.3 Control of Documented Information – Ultimate Certification Guide

Home / ISO 27001 Clauses / ISO 27001 Clause 7.5.3 Control of Documented Information – Ultimate Certification Guide

Introduction

In this ultimate guide to ISO 27001 Clause 7.5.3 Control of Documented Information you will learn

  • What is ISO 27001 Clause 7.5.3 
  • How to implement ISO 27001 Clause 7.5.3

I am Stuart Barker, the ISO 27001 Ninja and author of the Ultimate ISO 27001 Toolkit.

With over 30 years industry experience I will show you what’s new, give you ISO 27001 templates, show you examples, do a walkthrough and show you how to implement it for ISO 27001 certification.

Watch the Tutorial

Watch How To Implement ISO 27001 Clause 7.5.3 Control of Documented Information

What is ISO 27001 Clause 7.5.3 ?

The ISO 27001 standard requires that documentation is controlled appropriately. It wants an organisation to document the information security management system, that the documentation is marked up with document markup and that documents are reviewed and approved. It then wants to ensure that those documented are controlled.

ISO 27001 very much works on the premise that if it is not written down then it does not exist. Often the ISO 27001 certification is about the minutia of documentation rather than whether you are actually secure.

ISO 27001 Clause 7.5.3 Control of Documented Information is about ensuring that documents are available as needed are that they are appropriately protected.

The ISO 27001 standard for ISO 27001 certification wants you to document pretty much everything and this approach, and how you do it, is very much in line with ISO 9001. It is one of the ISO 27001 controls.

DO IT YOURSELF

ISO 27001

ISO 27001 Toolkit Business Edition

ISO 27001 Clause 7.5.3 Definition

The ISO 27001 Standard defines clause 7.5.3 as:

Documented information required by the information security management system and by this International Standard shall be controlled to ensure:

a) it is available and suitable for use, where and when it is needed; and

b) it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity).

“For the control of documented information, the organisation shall address the following activities, as applicable:

c) distribution, access, retrieval and use;”

d) storage and preservation, including the preservation of legibility;

e) control of changes (e.g. version control); and

f ) retention and disposition.

ISO 27001 Clause 7.5.3 Control of Documented Information

What are the ISO 27001:2022 Changes to Clause 7.5.3?

Great news. There are no changes to ISO 27001 Clause 7.5.3 in the 2022 update. Where reference was made to the ‘International Standard’ in reference to the document it has been replaced with the word ‘document’.

ISO 27001 Clause 7.5.3 Implementation Guide 

There are many ways to document your information security management system.

Some are more efficient and proven than others.

Our ISO 27001 toolkit has been built over 20 years and is used globally by thousands of businesses who want to save vast amounts of time and money.

You may be considering an Information Security Management System online solution. These software solutions can be a great help to information security managers in larger organisations but they come at a massive cost.

Which ever route you go .. document everything. Make sure it is marked up appropriately. Ensure the correct access is in place and ensure you have backups.

How to comply with ISO 27001 Clause 7.5.3 

Time needed: 1 day

How to comply with ISO 27001 Clause 7.5.3 Control of Documented Information

  1. Ensure your documents are classified

    The classification of documents is very important and covered under other clauses within the standard but now is a good time to provide a place holder for the document classification. This will be used to apply the appropriate level of controls to the document. You control documents in line with your Information Classification and Handling Policy and your Information Classification Matrix.

  2. Ensure your documents have a version control table

    Version control is very important in a document to show the history of that document. Include a version control table in your document template that has columns for the date of the change, how made the change, what change they made and the version number of the document. Include rows in the template as place holders that can be completed.

  3. Ensure access to your documents is based on role and need

    Documents that are for company wide distribution, such as ISO 27001 Policies, should be placed in an area accessible to all staff. Your working papers and confidential documents should have access restricted based on role and who needs that access.

  4. Ensure you have a data retention policy in place

    Have a data retention policy in place and the associated processes that cover how long you keep documents and how you destroy them.

  5. Backups should be in place

    Secure backups of documents should be in place with a backup frequency decided based on the frequency of changes, the needs of the business and the business risks.

  6. Before you get audited

    Check, double check and recheck your documentation before you get audited. The documentation is the primary thing that you will be audited on. Make sure all your version controls are up to date, documents are clean of comments and review mark up, that they have appropriate approvals, appropriate document markup. Ensure that the version control has been touched at least once in the last 12 months before the audit happens. Make sure you can evidence all of the reviews and approvals, that the backups have happened and make sure to check who has access to what. Access control and having old employees or the wrong employees able to access documents is a regular top 5 miss for companies and an easy win for the auditor.

Stuart - High Table - ISO27001 Ninja - 3

How do you demonstrate compliance to ISO 27001 clause 7.5.3?

You demonstrate compliance to ISO 27001 clause 7.5.3 by having a documented information security management system, documented policies and document records of the effective operation of your processes. This will show you comply with ISO 27001 clause 7.5.3.

But only if those documents include the document mark up required and you can evidence the documents were reviewed and approved.

You need the appropriate document mark up and you need to ensure that they are updated at least within the last 12 months.

You need to ensure access is in place based on role and need. Backups must be in place and evidenced.

ISO 27001 Clause 7.5.3 Templates

ISO 27001 templates are a great way to implement your information security management system. Whilst an ISO 27001 toolkit can save you up to 30x in consulting fees and allow you to deliver up to 10x faster these individual templates help meet the specific requirements of ISO 27001 clause 7.5.3

ISO27001 Documents and Records Policy-Black
ISO 27001 Toolkit Business Edition

ISO 27001 Clause 7.5.3 FAQ

What is ISO 27001 Clause 7.5.3 Control of Documented Information?

The ISO 27001 standard requires that documents are controlled to ensure they are available to those that need them and that they are protected.

How do I evidence I meet the requirement of ISO 27001 Clause 7.5.3 Control of Documented Information?

You evidence compliance to the ISO 27001 Clause 7.5.3 by restricting access to documents based on role and need, ensuring documents that need to be available to people are available and the you have controls in place to protect those documents including backing them up.

Where can I download ISO 27001 Clause 7.5.3 Control of Documented Information templates?

You can download ISO 27001 7.5.3 templates in the ISO 27001 Toolkit.

ISO 27001 Clause 7.5.3 Control of Documented Information example?

An example of ISO 27001 Clause 7.5.3 can be found in the ISO 27001 Toolkit.

Download a copy of an ISO 27001 documentation templates toolkit?

The ISO 27001 documentation templates toolkit can be downloaded in the ISO 27001 Toolkit.

How often should I backup the information security management system documents?

This will depend on the needs of the business and the business risk appetite but for me a daily, weekly and monthly backup is adequate.

Who should have access to ISO 27001 Policies?

Access to the ISO 27001 policies should be given to anyone that works for your organisation and part of a structured training and communication plan.

ISO 27001 Toolkit Business Edition

Do It Yourself ISO 27001

ISO 27001:2022 requirements

Organisational Controls - A5

ISO 27001 Annex A 5.1 Policies for information security

ISO 27001 Annex A 5.2 Information Security Roles and Responsibilities

ISO 27001 Annex A 5.3 Segregation of duties

ISO 27001 Annex A 5.4 Management responsibilities

ISO 27001 Annex A 5.5 Contact with authorities

ISO 27001 Annex A 5.6 Contact with special interest groups

ISO 27001 Annex A 5.7 Threat intelligence – new

ISO 27001 Annex A 5.8 Information security in project management

ISO 27001 Annex A 5.9 Inventory of information and other associated assets – change

ISO 27001 Annex A 5.10 Acceptable use of information and other associated assets – change

ISO 27001 Annex A 5.11 Return of assets

ISO 27001 Annex A 5.11 Return of assets

ISO 27001 Annex A 5.13 Labelling of information

ISO 27001 Annex A 5.14 Information transfer

ISO 27001 Annex A 5.15 Access control

ISO 27001 Annex A 5.16 Identity management

ISO 27001 Annex A 5.17 Authentication information – new

ISO 27001 Annex A 5.18 Access rights – change

ISO 27001 Annex A 5.19 Information security in supplier relationships

ISO 27001 Annex A 5.20 Addressing information security within supplier agreements

ISO 27001 Annex A 5.21 Managing information security in the ICT supply chain – new

ISO 27001 Annex A 5.22 Monitoring, review and change management of supplier services – change

ISO 27001 Annex A 5.23 Information security for use of cloud services – new

ISO 27001 Annex A 5.24 Information security incident management planning and preparation – change

ISO 27001 Annex A 5.25 Assessment and decision on information security events 

ISO 27001 Annex A 5.26 Response to information security incidents

ISO 27001 Annex A 5.27 Learning from information security incidents

ISO 27001 Annex A 5.28 Collection of evidence

ISO 27001 Annex A 5.29 Information security during disruption – change

ISO 27001 Annex A 5.31 Identification of legal, statutory, regulatory and contractual requirements

ISO 27001 Annex A 5.32 Intellectual property rights

ISO 27001 Annex A 5.33 Protection of records

ISO 27001 Annex A 5.34 Privacy and protection of PII

ISO 27001 Annex A 5.35 Independent review of information security

ISO 27001 Annex A 5.36 Compliance with policies and standards for information security

ISO 27001 Annex A 5.37 Documented operating procedures 

Technology Controls - A8

ISO 27001 Annex A 8.1 User Endpoint Devices

ISO 27001 Annex A 8.2 Privileged Access Rights

ISO 27001 Annex A 8.3 Information Access Restriction

ISO 27001 Annex A 8.4 Access To Source Code

ISO 27001 Annex A 8.5 Secure Authentication

ISO 27001 Annex A 8.6 Capacity Management

ISO 27001 Annex A 8.7 Protection Against Malware

ISO 27001 Annex A 8.8 Management of Technical Vulnerabilities

ISO 27001 Annex A 8.9 Configuration Management 

ISO 27001 Annex A 8.10 Information Deletion

ISO 27001 Annex A 8.11 Data Masking

ISO 27001 Annex A 8.12 Data Leakage Prevention

ISO 27001 Annex A 8.13 Information Backup

ISO 27001 Annex A 8.14 Redundancy of Information Processing Facilities

ISO 27001 Annex A 8.15 Logging

ISO 27001 Annex A 8.16 Monitoring Activities

ISO 27001 Annex A 8.17 Clock Synchronisation

ISO 27001 Annex A 8.18 Use of Privileged Utility Programs

ISO 27001 Annex A 8.19 Installation of Software on Operational Systems

ISO 27001 Annex A 8.20 Network Security

ISO 27001 Annex A 8.21 Security of Network Services

ISO 27001 Annex A 8.22 Segregation of Networks

ISO 27001 Annex A 8.23 Web Filtering

ISO 27001 Annex A 8.24 Use of CryptographyISO27001 Annex A 8.25 Secure Development Life Cycle

ISO 27001 Annex A 8.26 Application Security Requirements

ISO 27001 Annex A 8.27 Secure Systems Architecture and Engineering Principles

ISO 27001 Annex A 8.28 Secure Coding

ISO 27001 Annex A 8.29 Security Testing in Development and Acceptance

ISO 27001 Annex A 8.30 Outsourced Development

ISO 27001 Annex A 8.31 Separation of Development, Test and Production Environments

ISO 27001 Annex A 8.32 Change Management

ISO 27001 Annex A 8.33 Test Information

ISO 27001 Annex A 8.34 Protection of information systems during audit testing