ISO 27001 Clause 7.5.3 Control of Documented Information

ISO 27001 Control of Documented Information

ISO 27001 mandates the control of documented information. Organisations must document their ISMS, utilise a consistent document markup system, and implement a process for document review and approval. Furthermore, the standard requires ongoing control of these documents.

What is ISO 27001 Clause 7.5.3 ?

ISO 27001 Clause 7.5.3, Control of Documented Information, addresses the management and protection of required documentation. Similar in approach to ISO 9001, ISO 27001 emphasises documenting nearly all aspects of the information security management system (ISMS). This control is a core component of the standard.

The underlying principle of ISO 27001 is that undocumented processes or procedures are effectively non-existent. While certification often focuses on the meticulousness of documentation, the ultimate goal should be demonstrable security, not merely the presence of paperwork.

Definition

ISO 27001 defines ISO 27001 clause 7.5.3 as:

Documented information required by the information security management system and by this International Standard shall be controlled to ensure:
a) it is available and suitable for use, where and when it is needed; and
b) it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity).
“For the control of documented information, the organisation shall address the following activities, as applicable:
c) distribution, access, retrieval and use;”
d) storage and preservation, including the preservation of legibility;
e) control of changes (e.g. version control); and
f ) retention and disposition.

ISO 27001:2022 Clause 7.5.3 Control of Documented Information

Implementation Guide

There are many ways to document your information security management system.

Some are more efficient and proven than others.

Our ISO 27001 toolkit has been built over 20 years and is used globally by thousands of businesses who want to save vast amounts of time and money.

You may be considering an Information Security Management System online solution. These software solutions can be a great help to information security managers in larger organisations but they come at a massive cost.

Which ever route you go .. document everything. Make sure it is marked up appropriately. Ensure the correct access is in place and ensure you have backups.

Ensure your documents are classified

The classification of documents is very important and covered under other clauses within the standard but now is a good time to provide a place holder for the document classification. This will be used to apply the appropriate level of controls to the document. You control documents in line with your Information Classification and Handling Policy and your Information Classification Matrix.

Ensure your documents have a version control table

Version control is very important in a document to show the history of that document. Include a version control table in your document template that has columns for the date of the change, how made the change, what change they made and the version number of the document. Include rows in the template as place holders that can be completed.

Ensure access to your documents is based on role and need

Documents that are for company wide distribution, such as ISO 27001 Policies, should be placed in an area accessible to all staff. Your working papers and confidential documents should have access restricted based on role and who needs that access.

Ensure you have a data retention policy in place

Have a data retention policy in place and the associated processes that cover how long you keep documents and how you destroy them.

Backups should be in place

Secure backups of documents should be in place with a backup frequency decided based on the frequency of changes, the needs of the business and the business risks.

Before you get audited

Check, double check and recheck your documentation before you get audited. The documentation is the primary thing that you will be audited on. Make sure all your version controls are up to date, documents are clean of comments and review mark up, that they have appropriate approvals, appropriate document markup. Ensure that the version control has been touched at least once in the last 12 months before the audit happens. Make sure you can evidence all of the reviews and approvals, that the backups have happened and make sure to check who has access to what. Access control and having old employees or the wrong employees able to access documents is a regular top 5 miss for companies and an easy win for the auditor.

Watch the Tutorial

Watch How To Implement ISO 27001 Clause 7.5.3 Control of Documented Information

How do you demonstrate compliance to ISO 27001 clause 7.5.3?

You demonstrate compliance to ISO 27001 clause 7.5.3 by having a documented information security management system, documented policies and document records of the effective operation of your processes. This will show you comply with ISO 27001 clause 7.5.3.

But only if those documents include the document mark up required and you can evidence the documents were reviewed and approved.

You need the appropriate document mark up and you need to ensure that they are updated at least within the last 12 months.

You need to ensure access is in place based on role and need. Backups must be in place and evidenced.

ISO 27001 Templates

ISO 27001 templates are a great way to fast track your implementation and leverage industry best practice.

These individual templates help meet the specific requirements of ISO 27001 clause 7.5.3

What are the ISO 27001:2022 Changes to Clause 7.5.3?

Great news. There are no changes to ISO 27001 Clause 7.5.3 in the 2022 update. Where reference was made to the ‘International Standard’ in reference to the document it has been replaced with the word ‘document’.

FAQ