ISO 27001 Document and Record Policy
In this guide, you will learn what an ISO 27001 Document and Record Policy is and how to write it yourself, and I give you a template you can download and use right away.
What is an ISO 27001 Document and Record Policy?
The ISO 27001 Document and Record Policy sets out how you manage documentation. Based on the principles of a quality management system and aligned with ISO 9001, it ensures consistent, protected and quality documentation.
It is one of the ISO 27001 policies required by the ISO 27001 standard for ISO 27001 certification.

How to write an ISO 27001 Document and Record Policy
Time needed: 1 hour and 30 minutes
- Create your version control and document mark-up
ISO 27001 documents require version control that records the author, the change, the date and the version number, as well as document mark-up such as the document classification.
- Write the ISO 27001 Document and Record Policy contents page
Document Contents Page
Documents and Records Policy
Purpose
Scope
Principle
Creating and Updating
Availability of documents
Document Storage
Version Control and Approval
Policy documents
Operational Documents and Records
Example of Records
Preservation of legibility
Obsolete documents and records
Documents of External Origin
Document Classification
- Write the ISO 27001 Document and Record Policy purpose
The purpose of this policy is the control of documents and records in the information security management system.
- Write the ISO 27001 Document and Record Policy principle
Documents required for the information security management system are controlled, managed and available.
- Write the ISO 27001 Document and Record Policy scope
The documented information security management system.
Documented information required by ISO 27001.
Documented information determined by the company as being necessary for the effectiveness of the Information Security Management System.
All employees and third-party users.
- Describe the requirements when creating and updating documentation
When creating and updating documented information, the company ensures appropriate:
– identification and description (e.g., a title, date, author, or reference number),
– format (e.g., language, software version, graphics) and media (e.g., paper, electronic), and
– review and approval for suitability and adequacy.
- Explain the approach to availability of documents
The latest approved version of each document is presented to the appropriate users and is available and suitable for use where and when it is needed.
- Document the document storage controls
Documents are stored in the document management technology implemented at the company.
Working documents for the information security management system are stored in the information security project / team folder.
Live documents and records are held within the relevant department's folder in a secure environment.
All stored documents are subject to access controls and adhere to the access control policy.
Documents and records are available to those that require them for their role.
- Describe the process of version control and approval
Policy documents
Policy documents are subject to change as a result of the continual improvement process.
Changes to policy documents are done by the information security management team.
Policy documents are approved by the Management Review Team.
Policy documentation version control history is maintained which captures as a minimum the author, the date, the change, the new version number.
Policy version control follows an x.y numbering system, where x is the release and y is the iteration. The release number is updated periodically as part of a periodic review of all policies, and the policies are issued as a release set.
Operational Documents and Records
Operational documents and records are updated by the document and / or process owner as part of day-to-day operations and as required.
Changes to operational documents and records are done by the process owner.
Operational documentation version control history is maintained which captures as a minimum the author, the date, the change, the new version number.
Records may have a version control history; where one is maintained, it captures as a minimum the author, the date, the change and the new version number.
- Provide examples of records
Records are evidence of an event and are used for operational management and auditing. They include, but are not limited to:
– Meeting minutes
– Training records
– Audit Reports
– Incident Reports
- Explain preservation of legibility
Documents are created and available in electronic format using standard, supported office applications or in native operational systems.
- Describe the controls for obsolete documents and records
Obsolete documents and records required for audit and/or legal and regulatory purposes are archived in line with the data retention policy and removed from general accessibility.
Obsolete documents and records that are not required for audit and/or legal and regulatory purposes are deleted in line with the data retention policy.
- Set out the controls for documents of external origin
Documented information of external origin that the company determines to be necessary for the planning and operation of the Information Security Management System is identified, as appropriate, and controlled.
- Explain the approach to document classification
Documents are classified in line with the Information Classification and Handling policy.
ISO 27001 Document and Record Policy Template
The ISO 27001 Documents and Records Policy Template is designed to fast-track your implementation and give you an exclusive, industry best-practice policy template that is pre-written and ready to go. It is included in the ISO 27001 toolkit.
ISO 27001 Document and Record Policy Example
An example ISO 27001 Document and Record Policy:
Further Reading
ISO 27001 Documents and Records Policy Template
ISO 27001 Clause 7.5.1 Documented Information
ISO 27001 Clause 7.5.2 Creating and Updating Documented Information