Any information that an organisation needs to keep and control. It can be a paper document, an email, or a digital file. This information is key to showing that a business is following its rules and plans.
Examples
- Policy: A company’s rulebook for using computers and the internet.
- Procedure: A step-by-step guide on how to handle a customer’s personal data.
- Record: A log of who accessed a secure server and when they did it.
Context
This term is central to ISO 27001. It means all the formal information you need to run your information security management system (ISMS). Documented information proves that you have plans, that you are following them, and that you are keeping records of your actions. It’s the proof that your security system is working as it should.
Relevant ISO 27001 Controls
The following controls from the ISO/IEC 27001:2022 standard are related to documented information:
- ISO 27001:2022 Clause 7.5.1 Documented Information: This control sets out the requirement to document the information security management system (ISMS).
- ISO 27001:2022 Clause 7.5.2 Creating and Updating Documented Information: This control is about having clear rules on how to create and update documents.
- ISO 27001:2022 Clause 7.5.3 Control of Documented Information: This control sets the rules for how to control access to documentation.