Documented Information

What is Documented Information?

Documented Information is the mandatory requirement under ISO 27001 Clause 7.5 that an organisation's ISMS policies, procedures and records are created, identified, reviewed, approved and controlled so that they stay accurate, available and protected. The Primary Implementation Requirement is a controlled document lifecycle: unique identification, version control, approval before release, and access limited to the people who need each document. The Business Benefit is citable audit evidence and consistent operational security.

What is Documented Information?

Any information that an organisation needs to keep and control. It can be a paper document, an email, or a digital file. This information is key to showing that a business is following its rules and plans.

Examples

  • Policy: A company’s rulebook for using computers and the internet.
  • Procedure: A step-by-step guide on how to handle a customer’s personal data.
  • Record: A log of who accessed a secure server and when they did it.

Context

This term is central to ISO 27001. It means all the formal information you need to run your information security management system (ISMS). Documented information proves that you have plans, that you are following them, and that you are keeping records of your actions. It’s the proof that your security system is working as it should.

How to implement Documented Information

Implementing documented information within the ISO 27001 framework is a mandatory requirement under Clause 7.5, and it provides the evidence that your Information Security Management System (ISMS) is operating as designed. As a Lead Auditor, I look for a structured lifecycle that keeps every policy and record available where it is needed, protected from unauthorised change, and traceable to an approved version. The 10-step roadmap below produces a documentation architecture that satisfies certification requirements and gives you a defensible audit trail.

1. Provision a Documented Information Index

  • Provision a centralised master list of all ISMS documents: Identify every policy, procedure and record in scope and record its owner, current version, approval status and next review date, resulting in a single source of truth for tracking version history and ownership.

2. Formalise Naming and Formatting Standards

  • Formalise a tiered identification scheme: Define the metadata every document must carry (a unique reference number, title, date, author and version) and the required format and media, resulting in a consistent documentation framework that ensures rapid retrieval during internal and external audits.

3. Document the Rules for Creating and Updating Documents

  • Document how information is drafted, reviewed and approved: Establish who may create or change a document, who reviews it for suitability and adequacy, and who approves it, as Clause 7.5.2 requires, resulting in authorised conduct that maintains the accuracy of security guidance.

4. Provision Identity and Access Management (IAM) Roles

  • Provision granular IAM roles for the document repository: Map user permissions based on the principle of least privilege, resulting in the technical prevention of unauthorised modification or disclosure of sensitive ISMS data.

5. Enforce Multi-Factor Authentication (MFA) for Document Access

  • Enforce MFA for all access to the document management system: Mandate strong authentication at the system boundary, resulting in a robust barrier against compromised credentials being used to read or alter ISMS documentation.

6. Formalise the Approval and Release Workflow

  • Formalise a documented approval process for all ISMS changes: Assign specific management roles to sign off on new versions, resulting in technical accountability and ensuring only the most current guidance is available to staff.

7. Provision Technical Version Control Mechanisms

  • Provision automated version tracking within your document tool: Identify and archive every superseded document so that only the approved current version is in circulation, resulting in the elimination of “document drift” and the accidental use of obsolete security protocols.

8. Audit Document Distribution and Availability

  • Audit the availability of documented information to technical staff: Reconcile access logs against the Information Asset Register, resulting in proof that the right people have the right information when performing security functions.

9. Revoke Access to Obsolete Records

  • Revoke access and securely sunset redundant information: Execute automated retention policies based on legal and regulatory requirements, resulting in a reduced organisational attack surface and minimised storage liability.

10. Audit the ISMS Documentation Framework Regularly

  • Audit the effectiveness of documentation controls via internal assessments: Execute regular spot checks on document integrity and storage security, resulting in a documented corrective action plan that satisfies ISO 27001 Clause 10 requirements.
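The index, version control, distribution audit and retention steps above can be checked mechanically once the register exists. The following is an added example, not tooling from the original page or the author's toolkits. The naming standard (POL/PRO/REC plus three digits), the register fields, the dates and the access-log tuples are all constructed assumptions for illustration; substitute your own document management system's export.

```python
"""ISMS documented-information register checks (added example, constructed data)."""
import re
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed naming standard for step 2: <type>-<three digits>, type in POL/PRO/REC.
ID_PATTERN = re.compile(r"^(POL|PRO|REC)-\d{3}$")


@dataclass
class Doc:
    doc_id: str
    title: str
    version: str
    owner: str
    approved_by: str
    last_review: date      # for records, the date the record was created
    review_days: int       # review interval; 0 means a record that is not reviewed
    retention_days: int    # 0 means keep until superseded
    status: str            # current | superseded | withdrawn
    allowed_roles: set     # roles permitted to read this document (step 4)


def valid_id(doc_id: str) -> bool:
    """Step 2: does the identifier follow the naming standard?"""
    return bool(ID_PATTERN.match(doc_id))


def overdue_reviews(register, today):
    """Step 6/10: live documents whose review interval has elapsed."""
    return sorted({d.doc_id for d in register
                   if d.status == "current" and d.review_days
                   and today > d.last_review + timedelta(days=d.review_days)})


def duplicate_current(register):
    """Step 7: more than one 'current' version of an ID is document drift."""
    seen, drift = set(), set()
    for d in register:
        if d.status == "current":
            if d.doc_id in seen:
                drift.add(d.doc_id)
            seen.add(d.doc_id)
    return sorted(drift)


def records_past_retention(register, today):
    """Step 9: records whose retention period has expired and should be sunset."""
    return sorted({d.doc_id for d in register
                   if d.retention_days
                   and today > d.last_review + timedelta(days=d.retention_days)})


def reconcile_access(register, access_log):
    """Step 8: flag reads of non-current versions or by roles not permitted."""
    current = {(d.doc_id, d.version): d for d in register if d.status == "current"}
    findings = []
    for user, role, doc_id, version in access_log:
        d = current.get((doc_id, version))
        if d is None:
            findings.append((user, doc_id, version, "non-current version"))
        elif role not in d.allowed_roles:
            findings.append((user, doc_id, version, "role not permitted"))
    return findings


# Constructed sample register: one superseded policy, one procedure with two
# 'current' versions (drift), and two records with a seven-year retention.
TODAY = date(2024, 6, 1)
REGISTER = [
    Doc("POL-001", "Information Security Policy", "2.0", "CISO", "CEO",
        date(2023, 9, 1), 365, 0, "current", {"staff"}),
    Doc("POL-001", "Information Security Policy", "1.0", "CISO", "CEO",
        date(2022, 5, 1), 365, 0, "superseded", {"staff"}),
    Doc("PRO-014", "Handling customer personal data", "1.3", "DPO", "CISO",
        date(2024, 1, 15), 365, 0, "current", {"support", "dpo"}),
    Doc("PRO-014", "Handling customer personal data", "1.2", "DPO", "CISO",
        date(2023, 1, 15), 365, 0, "current", {"support", "dpo"}),
    Doc("REC-203", "Server access log 2017", "1.0", "SecOps", "CISO",
        date(2017, 3, 31), 0, 7 * 365, "current", {"secops", "audit"}),
    Doc("REC-204", "Internal audit report 2023", "1.0", "Audit", "CISO",
        date(2023, 11, 20), 0, 7 * 365, "current", {"audit"}),
]
# Constructed access log: (user, role, doc_id, version read).
ACCESS_LOG = [
    ("alice", "staff", "POL-001", "2.0"),
    ("bob", "staff", "POL-001", "1.0"),
    ("carol", "support", "PRO-014", "1.3"),
    ("dave", "support", "REC-204", "1.0"),
]


def run_checks(register=REGISTER, access_log=ACCESS_LOG, today=TODAY):
    """Run every check and return the findings as one audit-ready dict."""
    return {
        "bad_ids": sorted({d.doc_id for d in register if not valid_id(d.doc_id)}),
        "overdue_reviews": overdue_reviews(register, today),
        "document_drift": duplicate_current(register),
        "past_retention": records_past_retention(register, today),
        "access_findings": reconcile_access(register, access_log),
    }


if __name__ == "__main__":
    for check, result in run_checks().items():
        print(f"{check}: {result}")
```

Each finding maps back to a step: an overdue review or a duplicate current version is a change-control failure, a read of a superseded version shows the old file was never withdrawn from circulation, and a record past its retention date is something the disposal process missed. Running this against a monthly export of the register and the repository's access log gives the internal audit in step 10 concrete evidence rather than a manual spot check.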

Documented Information FAQ

What is documented information in the context of ISO 27001?

Documented information is the mandatory requirement under ISO 27001 Clause 7.5 that an organisation's Information Security Management System (ISMS) includes the policies, procedures and records the standard requires, plus any further documentation the organisation judges necessary for the ISMS to be effective. It serves as the evidence Lead Auditors use to confirm that security controls are consistently implemented, monitored and improved across the business.

What are the mandatory documents required for ISO 27001 certification?

To achieve compliance, organisations must maintain specific documented information, including:

  • Scope of the ISMS (Clause 4.3): Defining the physical and logical boundaries of the system.
  • Information Security Policy (Clause 5.2): High-level management mandates.
  • Risk Assessment and Risk Treatment Processes (Clauses 6.1.2 and 6.1.3): The methodology for identifying, analysing and treating risks.
  • Statement of Applicability (SoA) (Clause 6.1.3): The list of Annex A controls selected or excluded, with justification.
  • Evidence of Competence (Clause 7.2): Training records for staff in security roles.

How does an organisation control documented information?

Organisations control documented information by implementing a formal lifecycle that keeps it available where needed and adequately protected. This involves unique identification, version control, approval before release and granular access permissions. Automated document management systems make this easier to evidence: version history, approval records and access logs are produced by the system itself rather than reconstructed by hand from a file share.

What are the retention requirements for ISO 27001 records?

Retention requirements for ISO 27001 records are determined by legal, regulatory, contractual and business needs, with periods of 3 to 7 years being common. Clause 7.5.3 requires that retention and disposition are controlled, and for records containing personal data the UK GDPR storage limitation principle also applies, so records should not be kept longer than the defined purpose requires. For technical evidence such as access logs or audit reports, every record must remain readable, unaltered and protected for its whole retention period.

What is the difference between a document and a record?

In ISO 27001 terminology, a document is live guidance (like a policy) that can be changed under version control, whereas a record is evidence of a past event (like an audit report) that must remain unaltered. Both are classified as documented information, but records require integrity protection to prevent unauthorised modification for as long as they are retained as part of the audit trail.


About the author

Stuart Barker
MSc Security, Lead Auditor, 30+ Years Experience, Ex-GE Leader

ISO 27001 Ninja

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.
