
ISO 27001 Document and Record Policy Explained + Template

Last updated Sep 25, 2025

Author: Stuart Barker | ISO 27001 Expert and Thought Leader

An ISO 27001 Document and Record Policy is your company’s simple rulebook for handling important paperwork and digital files. Think of it as a guide to help you keep things organized, up-to-date, and safe. It’s all about making sure you know where your documents are, what they say, and who can see them.

What is it?

This policy is a set of guidelines that tells you and your team how to manage all your important documents and records. It covers everything from creating and approving documents to storing, updating, and getting rid of them. The goal is to make sure your information is accurate, available when you need it, and secure.

Applicability to Small Businesses, Tech Startups, and AI Companies

This policy is useful for businesses of all sizes, including small businesses, tech startups, and AI companies.

  • Small Businesses: It helps you formalise how you handle important paperwork like client contracts and financial records.
  • Tech Startups: It’s crucial for managing code documentation, project plans, and customer data.
  • AI Companies: It’s essential for documenting your AI models, data sets, and ensuring responsible data handling.

ISO 27001 Document and Record Policy Template

The ISO 27001:2022 Documents and Records Policy Template is designed to fast-track your implementation and give you an exclusive, industry best practice policy template that is pre-written and ready to go. It is included in the ISO 27001 toolkit.


Why you need it

You need this policy to keep your information security management system (ISMS) in great shape. It helps you stay organized and proves to auditors that you’re serious about protecting your information. It also prevents mix-ups and makes sure everyone is on the same page about how to handle sensitive information.

When you need it

You need this policy as soon as you start building your information security system. It should be one of the first things you create because it lays the groundwork for all your other security documents. You’ll use it every time you create a new security document, like a password policy or an incident response plan.

Who needs it?

Everyone in your company who creates, uses, or stores documents and records needs to follow this policy. This includes managers, IT staff, and even a part-time intern. It’s a team effort! The person in charge of your ISMS will usually be the one who writes and maintains it.

Where you need it

This policy applies everywhere your documents and records are—whether they’re on a shared drive, in a physical filing cabinet, or in the cloud. It doesn’t matter if your team works in an office or from their home; the rules are the same.

How to write it

Time needed: 1 hour and 30 minutes

How to write an ISO 27001 Document and Record Policy

  1. Create your version control and document mark-up

    ISO 27001 documents require version control of the author, the change, the date and the version, as well as document mark-up such as the document classification.

  2. Write the ISO 27001 Document and Record Policy contents page

    Document Contents Page
    Documents and Records Policy
    Purpose
    Scope
    Principle
    Creating and Updating
    Availability of documents
    Document Storage
    Version Control and Approval
    Policy documents
    Operational Documents and Records
    Example of Records
    Preservation of legibility
    Obsolete documents and records
    Documents of External Origin
    Document Classification

  3. Write the ISO 27001 Document and Record Policy purpose

    The purpose of this policy is the control of documents and records in the information security management system.

  4. Write the ISO 27001 Document and Record Policy principle

    Documents required for the information security management system are controlled, managed and available.

  5. Write the ISO 27001 Document and Record Policy scope

    The documented information security management system.
    Documented information required by ISO 27001.
    Documented information determined by the company as being necessary for the effectiveness of the Information Security Management System.
    All employees and third-party users.

  6. Describe the requirements when creating and updating documentation

    When creating and updating documented information, the company ensures appropriate:
    – identification and description (e.g., a title, date, author, or reference number),
    – format (e.g., language, software version, graphics) and media (e.g., paper, electronic), and
    – review and approval for suitability and adequacy.

  7. Explain the approach to availability of documents

    The latest approved version of each document is made available to the appropriate users and is suitable for use, where and when it is needed.

  8. Document the document storage controls

    Documents are stored in the document management technology implemented at the company.
    Working documents for the information security management system are stored in the information security project / team folder.
    Live documents and records are held within the relevant department's folder in a secure environment.
    All stored documents are subject to access controls and adhere to the access control policy.
    Documents and records are available to those that require them for their role.

  9. Describe the process of version control and approval

    Policy documents
    Policy documents are subject to change as a result of the continual improvement process.
    Changes to policy documents are done by the information security management team.
    Policy documents are approved by the Management Review Team.
    Policy documentation version control history is maintained which captures as a minimum the author, the date, the change, the new version number.
    Policy version control follows an x.y numbering system where x is the release and y is the iteration. The release number is updated periodically as part of a periodic review of all policies, and the policies are issued as a release set.
    Operational Documents and Records
    Operational documents and records are updated by the document and / or process owner as part of day-to-day operations and as required.
    Changes to operational documents and records are done by the process owner.
    Operational documentation version control history is maintained which captures as a minimum the author, the date, the change, the new version number.
    Records may have a version control history which, where maintained, captures as a minimum the author, the date, the change and the new version number.

  10. Provide examples of records

    Records are evidence of an event and are used for operational management and auditing. They include, but are not limited to:
    – Meeting minutes
    – Training records
    – Audit Reports
    – Incident Reports

  11. Explain preservation of legibility

    Documents are created and available in electronic format using standard, supported office applications or in native operational systems.

  12. Describe the controls for obsolete documents and records

    Obsolete documents and records required for audit and/or legal and regulatory purposes are archived in line with the data retention policy and removed from general accessibility.
    Obsolete documents and records that are not required for audit and/or legal and regulatory purposes are deleted in line with the data retention policy.

  13. Set out the controls for documents of external origin

    Documented information of external origin that the company determines to be necessary for the planning and operation of the Information Security Management System is identified, as appropriate, and controlled.

  14. Explain the approach to document classification

    Documents are classified in line with the Information Classification and Handling policy.
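As an added example (not part of the policy template or the ISO 27001 toolkit), the following Python script turns steps 9 and 12 above into checks that can be run over an export of a document register: it verifies that a version control history carries the minimum fields (author, date, change, version) and follows the x.y release/iteration scheme, and it decides whether an obsolete document should be archived or deleted. The register field names, the sample entries, the review date and the conventions that go beyond what the policy states (y+1 within a release, x+1 with y reset to 0 on a release, deletion of archived records once their retention period ends) are assumptions made for this example.

```python
"""Added example: checks for the document-control rules in steps 9 and 12.

Field names, step-size conventions beyond the policy text and all sample
data are constructed for this example; they are not the template's own.
"""
from __future__ import annotations

from datetime import date, timedelta

# Step 9: a version control history captures, as a minimum, these four items.
REQUIRED_HISTORY_FIELDS = ("author", "date", "change", "version")


def parse_version(version: str) -> tuple[int, int]:
    """Parse the policy's x.y scheme: x is the release, y the iteration."""
    parts = version.split(".")
    if len(parts) != 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"version {version!r} is not in x.y form")
    return int(parts[0]), int(parts[1])


def next_version(current: str, kind: str) -> str:
    """Bump a version: an iteration increments y, a release increments x.

    Resetting y to 0 on a release is an assumed convention, not policy text.
    """
    release, iteration = parse_version(current)
    if kind == "iteration":
        return f"{release}.{iteration + 1}"
    if kind == "release":
        return f"{release + 1}.0"
    raise ValueError(f"unknown bump kind {kind!r}")


def check_history(history: list[dict]) -> list[str]:
    """Return findings for one document's version control history.

    Every entry must carry the minimum fields and versions must strictly
    increase down the history. The step sizes checked (y+1 within a release,
    x+1 with y reset to 0 across releases) are assumed conventions.
    """
    findings: list[str] = []
    prev: tuple[int, int] | None = None  # highest version seen so far
    for i, entry in enumerate(history):
        missing = [f for f in REQUIRED_HISTORY_FIELDS if not entry.get(f)]
        if missing:
            findings.append(f"entry {i}: missing {', '.join(missing)}")
        if not entry.get("version"):
            continue  # nothing to compare without a version
        try:
            cur = parse_version(entry["version"])
        except ValueError as exc:
            findings.append(f"entry {i}: {exc}")
            continue
        if prev is not None:
            if cur <= prev:
                findings.append(f"entry {i}: version {cur[0]}.{cur[1]} "
                                f"does not increase from {prev[0]}.{prev[1]}")
            elif cur[0] == prev[0] and cur[1] != prev[1] + 1:
                findings.append(f"entry {i}: iteration jumps from {prev[1]} to {cur[1]}")
            elif cur[0] != prev[0] and (cur[0] != prev[0] + 1 or cur[1] != 0):
                findings.append(f"entry {i}: release bump should be {prev[0] + 1}.0")
        prev = cur if prev is None else max(prev, cur)
    return findings


def disposition(doc: dict, today: date) -> str:
    """Apply step 12 to one register entry: keep, archive or delete.

    Obsolete documents needed for audit, legal or regulatory purposes are
    archived for their retention period; obsolete documents that are not
    needed are deleted. Deleting an archived document once its retention
    period has elapsed is an assumption about how retention is applied.
    """
    if doc["status"] != "obsolete":
        return "keep"
    if not doc["required_for_audit_or_legal"]:
        return "delete"
    retention_end = doc["obsolete_since"] + timedelta(days=365 * doc["retention_years"])
    return "archive" if today < retention_end else "delete"


def review_register(register: list[dict], today: date) -> dict[str, str]:
    """Map each document name in a register export to its disposition."""
    return {doc["name"]: disposition(doc, today) for doc in register}


# Constructed sample data for a stand-alone run (not real documents).
SAMPLE_HISTORY = [
    {"author": "A. Owner", "date": "2024-01-10", "change": "Initial release", "version": "1.0"},
    {"author": "A. Owner", "date": "2024-06-02", "change": "Clarified scope", "version": "1.1"},
    {"author": "", "date": "2024-09-15", "change": "Annual review", "version": "2.0"},
    {"author": "B. Reviewer", "date": "2025-01-20", "change": "Typo fixes", "version": "1.2"},
]
SAMPLE_REGISTER = [
    {"name": "Access Control Policy", "status": "current", "obsolete_since": None,
     "required_for_audit_or_legal": True, "retention_years": 7},
    {"name": "Incident Report 2020-01", "status": "obsolete", "obsolete_since": date(2020, 3, 1),
     "required_for_audit_or_legal": True, "retention_years": 7},
    {"name": "Draft onboarding checklist", "status": "obsolete", "obsolete_since": date(2024, 3, 1),
     "required_for_audit_or_legal": False, "retention_years": 0},
    {"name": "Training record 2015", "status": "obsolete", "obsolete_since": date(2016, 1, 1),
     "required_for_audit_or_legal": True, "retention_years": 7},
]

if __name__ == "__main__":
    for finding in check_history(SAMPLE_HISTORY):
        print("history:", finding)
    for name, action in review_register(SAMPLE_REGISTER, date(2025, 9, 25)).items():
        print(f"{action:8} {name}")
```

Run against the constructed sample, the history check flags the entry with no author and the entry whose version goes backwards after the 2.0 release, and the register review keeps the current policy, archives the incident report that is still within retention, and deletes both the unneeded draft and the training record whose retention period has ended.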

Writing the policy should be easy and straightforward. Start with an introduction that explains its purpose. Then, create sections for how to create, review, approve, distribute, store, and get rid of documents. Use simple language and avoid jargon so everyone can understand it.

How to implement it

To put the policy into action, you’ll first share it with everyone in the company. You can hold a short training session to explain the key points. Then, you’ll set up a system for managing your documents, like using a specific folder structure on your shared drive. Finally, you’ll regularly check to make sure everyone is following the rules.

Examples of using it for small businesses

If you’re a small marketing firm, your policy might say that all client contracts must be stored in a special, password-protected folder and deleted after seven years. It might also require a manager to approve all new security policies before they are shared.

Examples of using it for tech startups

For a startup, this policy could specify that all code documentation must be kept in a specific online repository, with a rule that two team members must review any changes before they are saved. It could also outline how to handle customer feedback forms and support tickets to protect user privacy.

Examples of using it for AI companies

If you’re an AI company, your policy would be even more important. It might include rules for how you handle the data used to train your AI models, ensuring that sensitive information is properly anonymized and stored securely. It would also specify how to document and track changes to your AI’s algorithms.

How the ISO 27001 toolkit can help

An ISO 27001 toolkit is a great shortcut. It often includes pre-written policies, procedures, and forms that you can use right away. It saves you the hassle of writing everything from scratch and helps you make sure you don’t miss any important details.


Information security standards that need it

This policy is a key part of ISO 27001, which is an international standard for managing information security. Other standards that need it include:

  • GDPR (General Data Protection Regulation)
  • CCPA (California Consumer Privacy Act)
  • DORA (Digital Operational Resilience Act)
  • NIS2 (Network and Information Security (NIS) Directive)
  • SOC 2 (Service Organisation Control 2)
  • NIST (National Institute of Standards and Technology)
  • HIPAA (Health Insurance Portability and Accountability Act)

List of relevant ISO 27001:2022 controls

The ISO 27001:2022 standard has specific controls just for this topic:

ISO 27001 Document and Record Policy Example

An example ISO 27001:2022 Document and Record Policy:

ISO 27001 Document and Record Policy FAQ

What’s the main goal of this policy? 

To keep your documents and records organized, safe, and up-to-date.

Is this policy only for paper documents?

No, it’s for both physical and digital files.

Who is responsible for the policy?

The person in charge of your ISMS, but everyone must follow it.

How often should we update our policy? 

You should review it at least once a year.

Is this policy a one-time project? 

No, it’s a living document that you should continually use and update.

Does this policy cover emails?

Yes, emails are considered records, so they should be managed according to the policy.

What’s a record? 

A record is a document that provides proof of an activity or event.

How long should we keep our documents?

The policy should specify a retention period based on legal and business requirements.

Do we need a separate policy for each document type?

No, this single policy can cover all your documents and records.

What if a team member leaves the company?

The policy should explain how to manage their documents and records when they leave.

How does this help with compliance? 

It provides clear evidence that you are managing your information correctly, which is crucial for audits.

Is this policy mandatory for ISO 27001? 

Yes, a documented process for managing information is required.

What’s the first step to creating our policy? 

Find a good template and decide who will be in charge of it.

About the author

Stuart Barker has been an information security practitioner for over 30 years. He holds an MSc in Software and Systems Security and an undergraduate degree in Software Engineering. He is an ISO 27001 expert and thought leader holding both ISO 27001 Lead Implementer and ISO 27001 Lead Auditor qualifications. In 2010 he started his first cyber security consulting business, which he sold in 2018. He worked for over a decade for GE, leading a data governance team across Europe, and since then has gone on to deliver hundreds of client engagements and audits.

He regularly mentors and trains professionals on information security and runs a successful ISO 27001 YouTube channel where he shows people how they can implement ISO 27001 themselves. He is passionate that knowledge should not be hoarded and brought to market the first-of-its-kind online ISO 27001 store for all the tools and templates people need when they want to do it themselves.

In his personal life he is active and a hobbyist kickboxer.

His specialisms are ISO 27001 and SOC 2 and his niche is start-up and early-stage business.