An ISO 27001 Document and Record Policy is your company’s simple rulebook for handling important paperwork and digital files. Think of it as a guide to help you keep things organized, up-to-date, and safe. It’s all about making sure you know where your documents are, what they say, and who can see them.
Table of contents
- What is it?
- Applicability to Small Businesses, Tech Startups, and AI Companies
- ISO 27001 Document and Record Policy Template
- Why you need it
- When you need it
- Who needs it?
- Where you need it
- How to write it
- How to implement it
- Examples of using it for small businesses
- Examples of using it for tech startups
- Examples of using it for AI companies
- How the ISO 27001 toolkit can help
- Information security standards that need it
- List of relevant ISO 27001:2022 controls
- ISO 27001 Document and Record Policy Example
- ISO 27001 Document and Record Policy FAQ
What is it?
This policy is a set of guidelines that tells you and your team how to manage all your important documents and records. It covers everything from creating and approving documents to storing, updating, and getting rid of them. The goal is to make sure your information is accurate, available when you need it, and secure.
Applicability to Small Businesses, Tech Startups, and AI Companies
This policy is useful for businesses of all sizes, including small businesses, tech startups, and AI companies.
- Small Businesses: It helps you formalise how you handle important paperwork like client contracts and financial records.
- Tech Startups: It’s crucial for managing code documentation, project plans, and customer data.
- AI Companies: It’s essential for documenting your AI models, data sets, and ensuring responsible data handling.
ISO 27001 Document and Record Policy Template
The ISO 27001:2022 Documents and Records Policy Template is designed to fast track your implementation and give you an exclusive, industry best practice policy template that is pre written and ready to go. It is included in the ISO 27001 toolkit.
Why you need it
You need this policy to keep your information security management system (ISMS) in great shape. It helps you stay organized and proves to auditors that you’re serious about protecting your information. It also prevents mix-ups and makes sure everyone is on the same page about how to handle sensitive information.
When you need it
You need this policy as soon as you start building your information security system. It should be one of the first things you create because it lays the groundwork for all your other security documents. You’ll use it every time you create a new security document, like a password policy or an incident response plan.
Who needs it?
Everyone in your company who creates, uses, or stores documents and records needs to follow this policy. This includes managers, IT staff, and even a part-time intern. It’s a team effort! The person in charge of your ISMS will usually be the one who writes and maintains it.
Where you need it
This policy applies everywhere your documents and records are—whether they’re on a shared drive, in a physical filing cabinet, or in the cloud. It doesn’t matter if your team works in an office or from their home; the rules are the same.
How to write it
Time needed: 1 hour and 30 minutes
How to write an ISO 27001 Document and Record Policy
- Create your version control and document mark-up
ISO 27001 documents require version control that records, for every change, the author, the change made, the date and the resulting version number, plus document mark-up such as the document classification label.
- Write the ISO 27001 Document and Record Policy contents page
Document Contents Page
Documents and Records Policy
Purpose
Scope
Principle
Creating and Updating
Availability of documents
Document Storage
Version Control and Approval
Policy documents
Operational Documents and Records
Example of Records
Preservation of legibility
Obsolete documents and records
Documents of External Origin
Document Classification
- Write the ISO 27001 Document and Record Policy purpose
The purpose of this policy is the control of documents and records in the information security management system.
- Write the ISO 27001 Document and Record Policy principle
Documents required for the information security management system are controlled, managed and available.
- Write the ISO 27001 Document and Record Policy scope
The documented information security management system.
Documented information required by ISO 27001.
Documented information determined by the company as being necessary for the effectiveness of the Information Security Management System.
All employees and third-party users.
- Describe the requirements when creating and updating documentation
When creating and updating documented information, the company ensures appropriate:
– identification and description (e.g., a title, date, author, or reference number),
– format (e.g., language, software version, graphics) and media (e.g., paper, electronic), and
– review and approval for suitability and adequacy.
- Explain the approach to availability of documents
The latest approved version of each document is presented to the appropriate users and is available and suitable for use where and when it is needed.
- Document the document storage controls
Documents are stored in the document management technology implemented at the company.
Working documents for the information security management system are stored in the information security project / team folder.
Live documents and records are held within the relevant departments folder in a secure environment.
All stored documents are subject to access controls and adhere to the access control policy.
Documents and records are available to those that require them for their role.
- Describe the process of version control and approval
Policy documents
Policy documents are subject to change as a result of the continual improvement process.
Changes to policy documents are done by the information security management team.
Policy documents are approved by the Management Review Team.
Policy documentation version control history is maintained and captures, as a minimum, the author, the date, the change and the new version number.
Policy version control follows an x.y numbering system, where x is the release and y is the iteration. The release number is updated periodically as part of a periodic review of all policies, and the policies are issued as a release set.
Operational Documents and Records
Operational documents and records are updated by the document and / or process owner as part of day-to-day operations and as required.
Changes to operational documents and records are done by the process owner.
Operational documentation version control history is maintained and captures, as a minimum, the author, the date, the change and the new version number.
Records may also carry a version control history; where they do, it captures, as a minimum, the author, the date, the change and the new version number.
- Provide examples of records
Records are evidence of an event and used for operational management and auditing. They include but are not limited to
– Meeting minutes
– Training records
– Audit Reports
– Incident Reports
- Explain preservation of legibility
Documents are created and available in electronic format using standard, supported office applications or in native operational systems.
- Describe the controls for obsolete documents and records
Obsolete documents and records required for audit and/or legal and regulatory purposes are archived in line with the data retention policy and removed from general accessibility.
Obsolete documents and records that are not required for audit and/or legal and regulatory purposes are deleted in line with the data retention policy.
- Set out the controls for documents of external origin
Documented information of external origin that the company determines to be necessary for the planning and operation of the Information Security Management System is identified, as appropriate, and controlled.
- Explain the approach to document classification
Documents are classified in line with the Information Classification and Handling policy.
Writing the policy should be easy and straightforward. Start with an introduction that explains its purpose. Then, create sections for how to create, review, approve, distribute, store, and get rid of documents. Use simple language and avoid jargon so everyone can understand it.
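The version control and mark-up requirements above (author, date, change and new version for every entry; x.y release.iteration numbering; a classification label on each document) are the parts of this policy an auditor will actually sample. The following script is an added example, not code from the toolkit or the original page: it lints a controlled document's front matter against those requirements. The "Key: value" header layout, the `Owner` field, the classification label set and the pipe-delimited history table are assumptions chosen for the example; adapt them to your own document management technology and your Information Classification and Handling policy.

```python
"""Lint a controlled ISMS document for the mark-up and version-control
fields this policy requires.  Added example; the header layout and the
classification labels below are assumptions, not part of the standard."""
import re
from datetime import date

# Assumed layout: metadata as "Key: value" lines at the top of the file,
# then a pipe-delimited table introduced by the line "Version history:".
REQUIRED_FIELDS = ("Title", "Classification", "Version", "Owner")
# Assumed label set; take the real one from the classification policy.
CLASSIFICATIONS = {"Public", "Internal", "Confidential", "Restricted"}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)$")   # x.y = release.iteration

def parse_document(text):
    """Return (fields, history) parsed from a document's front matter."""
    fields, history, in_history = {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Version history:"):
            in_history = True
            continue
        if in_history:
            if not line.startswith("|"):
                break                      # end of the history table
            cells = [c.strip() for c in line.strip("|").split("|")]
            if cells[0].lower() == "version" or set(cells[0]) <= {"-"}:
                continue                   # header or separator row
            history.append(dict(zip(("version", "date", "author", "change"), cells)))
        elif ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields, history

def parse_version(s):
    """'2.1' -> (2, 1); anything not matching x.y -> None."""
    m = VERSION_RE.match(s or "")
    return (int(m.group(1)), int(m.group(2))) if m else None

def check_document(text):
    """Return a list of findings; an empty list means the document passes."""
    fields, history = parse_document(text)
    findings = []
    for f in REQUIRED_FIELDS:
        if not fields.get(f):
            findings.append(f"missing mark-up field: {f}")
    if fields.get("Classification") and fields["Classification"] not in CLASSIFICATIONS:
        findings.append(f"unknown classification: {fields['Classification']}")
    current = parse_version(fields.get("Version"))
    if fields.get("Version") and current is None:
        findings.append(f"version {fields['Version']!r} is not x.y")
    if not history:
        findings.append("no version history")
        return findings
    prev = None
    for row in history:
        v = parse_version(row.get("version"))
        if v is None:
            findings.append(f"history version {row.get('version')!r} is not x.y")
            continue
        # Author, date and change are the minimum the policy demands per entry.
        for k in ("date", "author", "change"):
            if not row.get(k):
                findings.append(f"history entry {row['version']} lacks {k}")
        d = row.get("date")
        if d:
            try:
                date.fromisoformat(d)
            except ValueError:
                findings.append(f"history entry {row['version']} has non-ISO date {d!r}")
        if prev is not None and v <= prev:          # versions must strictly increase
            findings.append(f"history version {row['version']} does not increase after {prev[0]}.{prev[1]}")
        prev = v
    if current is not None and prev != current:
        findings.append(f"Version field {fields['Version']} does not match latest history entry {prev[0]}.{prev[1]}")
    return findings

# Constructed sample documents for the example (not real company records).
GOOD_DOC = """Title: Access Control Policy
Classification: Internal
Version: 2.1
Owner: Information Security Manager
Version history:
| Version | Date | Author | Change |
|---|---|---|---|
| 1.0 | 2024-01-15 | A. Author | Initial release |
| 1.1 | 2024-06-03 | A. Author | Clarified MFA wording |
| 2.0 | 2025-01-10 | B. Reviewer | Annual release |
| 2.1 | 2025-03-02 | A. Author | Added remote access section |
"""

BAD_DOC = """Title: Incident Response Plan
Classification: Secret
Version: v3
Version history:
| Version | Date | Author | Change |
| 1.0 | 2024-02-01 | A. Author | Initial release |
| 1.1 | 01/03/2024 | | Fixed contact list |
| 1.0 | 2024-05-20 | A. Author | Reissued |
"""

if __name__ == "__main__":
    for name, doc in (("good", GOOD_DOC), ("bad", BAD_DOC)):
        print(name, check_document(doc) or "OK")
```

Run it over the documents in your ISMS folder before each management review; the findings list for `BAD_DOC` shows the kinds of defects (missing owner, unrecognised classification, a non-x.y version, a history entry with no author, a non-ISO date, and a version number that goes backwards) that the policy text above forbids.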
How to implement it
To put the policy into action, you’ll first share it with everyone in the company. You can hold a short training session to explain the key points. Then, you’ll set up a system for managing your documents, like using a specific folder structure on your shared drive. Finally, you’ll regularly check to make sure everyone is following the rules.
Examples of using it for small businesses
If you’re a small marketing firm, your policy might say that all client contracts must be stored in a special, password-protected folder and deleted after seven years. It might also require a manager to approve all new security policies before they are shared.
Examples of using it for tech startups
For a startup, this policy could specify that all code documentation must be kept in a specific online repository, with a rule that two team members must review any changes before they are saved. It could also outline how to handle customer feedback forms and support tickets to protect user privacy.
Examples of using it for AI companies
If you’re an AI company, your policy would be even more important. It might include rules for how you handle the data used to train your AI models, ensuring that sensitive information is properly anonymized and stored securely. It would also specify how to document and track changes to your AI’s algorithms.
How the ISO 27001 toolkit can help
An ISO 27001 toolkit is a great shortcut. It often includes pre-written policies, procedures, and forms that you can use right away. It saves you the hassle of writing everything from scratch and helps you make sure you don’t miss any important details.
Information security standards that need it
This policy is a key part of ISO 27001, which is an international standard for managing information security. Other standards that need it include:
- GDPR (General Data Protection Regulation)
- CCPA (California Consumer Privacy Act)
- DORA (Digital Operational Resilience Act)
- NIS2 (Network and Information Security (NIS) Directive)
- SOC 2 (Service Organisation Control 2)
- NIST (National Institute of Standards and Technology)
- HIPAA (Health Insurance Portability and Accountability Act)
List of relevant ISO 27001:2022 controls
The ISO 27001:2022 standard has specific clauses just for this topic (they sit in the main body of the standard under clause 7.5, Documented information, rather than in Annex A):
- ISO 27001:2022 Clause 7.5.1 General (documented information)
- ISO 27001:2022 Clause 7.5.2 Creating and Updating Documented Information
- ISO 27001:2022 Clause 7.5.3 Control of Documented Information
ISO 27001 Document and Record Policy Example
An example ISO 27001:2022 Document and Record Policy:
ISO 27001 Document and Record Policy FAQ
- What is its purpose? To keep your documents and records organized, safe, and up-to-date.
- Is it only for digital files? No, it’s for both physical and digital files.
- Who is responsible for it? The person in charge of your ISMS, but everyone must follow it.
- How often should it be reviewed? You should review it at least once a year.
- Is it a one-off document? No, it’s a living document that you should continually use and update.
- Do emails count? Yes, emails are considered records, so they should be managed according to the policy.
- What is a record? A record is a document that provides proof of an activity or event.
- How long should documents be kept? The policy should specify a retention period based on legal and business requirements.
- Do I need separate policies for documents and records? No, this single policy can cover all your documents and records.
- What happens when an employee leaves? The policy should explain how to manage their documents and records when they leave.
- How does it help with audits? It provides clear evidence that you are managing your information correctly, which is crucial for audits.
- Is it mandatory for ISO 27001? Yes, a documented process for managing information is required.
- How do I get started? Find a good template and decide who will be in charge of it.