ISO27001 and the Documented Information Requirements


Like all ISO management systems, your ISO 27001:2013 Information Security Management System is going to need some documentation. The requirements for exactly what to document, however, are spread throughout the standard, clause by clause, as requirements for documented evidence or records, typically prefaced with the word "shall".

Clause 7.5 (documented information) of the ISO27001 standard is therefore not a list of what you need to have; it is about how you manage your documented information. The clause sets out what is required when creating and controlling the documented information that supports your Information Security Management System (ISMS), not what to write. That can create some challenges both for people who find themselves afflicted with the need to write down and document everything and for those who just do not want to write anything down.

The level of documentation that you need is really determined by a few things in your own organisation: how large it is, how complex your processes and systems are and, of course, how competent your people are. If you have six people in your organisation, all in the same office space, who have complete mastery of all that you do, then maybe you do not need to write too much down. Conversely, if you have 500 people spread across the country with a range of competence from "I managed to get matching socks today" to "international expert", then maybe you want to write down a few more things just to get consistency and help with training. At the end of the day, after you tick off the must-do items to meet the ISO27001 requirements, what else you document for your Information Security Management System is entirely up to you, which can be unnerving for some.

To understand exactly what you need to document for your system you need to go back to your Statement of Applicability (SoA), which is a key requirement of clause 6.1 of the standard and which we talked about in ISO27001 and the Actions to Address Risk & Opportunities. You need to spend the right amount of time getting your SoA right; that is where Annex A of the ISO27001 standard comes into its own, as it is all there and you just need to decide what is going to be applicable for your organisation. Once you have decided that, you can then decide what documentation you need to support your ISMS.

Creating and Updating Documented information

ISO27001 does not care what format your documented information is in, as long as it is appropriate for your organisation and, of course, people can use it. It does care about how you create and update it, however.

There are three things you need to focus on here.

  1. Identification & Description – You need to ensure each document is clearly and individually identified. ISO27001 doesn't really care how you do it, but it gives some examples of what you would expect: a document name, a date (typically the publication date), an author or a reference number, whichever are needed to make it individually identifiable. For me, having a document number makes life simpler, a title helps, and knowing who wrote it and when is also helpful and easy to do.
  2. Appropriate Format – How is the information presented? Is it paper or electronic, is it tied to a particular version of software, or is it in a specific language? If you are an English-speaking organisation but the document is in French you may struggle to comply, and the same applies if it is written in high-level industry jargon rather than something everyone can understand. Paper or PDF, you need to decide what suits your organisation.
  3. Review & Approval – All items need to have been reviewed for suitability and adequacy by someone who knows whether they are or not; in other words, are they fit for purpose? Once reviewed, you should be able to show that it has been checked and then approved.

Control of Documented information

As you can imagine, control of your documented information is pretty important. This is an Information Security Management System, after all, so not controlling your documentation would be a bit of an oxymoron really.

Again, the ISO27001 standard is pretty clear on what is expected of you in terms of controlling your documented information:

You have to make sure that it is available and suitable for use where and when it's needed. That means nobody should have to spend an hour hunting down a procedure only to find it is in the wrong language or on a scrunched-up bit of paper.

You need to ensure that it is protected against loss of confidentiality, improper use and loss of integrity, i.e. it can't be changed without going through the proper steps. For paper-based systems that can be hard: you can photocopy documents to your heart's content or just scribble on them the notes you actually follow. For those living in the world of storing multiple Word files on the server, or even in something like SharePoint, you need to think carefully about how you stop things being emailed out, copied, altered and so forth.

That leads us into the next two requirements: c) distribution, access, retrieval and use, plus d) storage and preservation (including legibility). This means you need to ensure that people can only access the things they are allowed to access, that they get the right version when they do access it, and that it can't be changed or become unreadable. Again, just listing things on your network drives makes this a tricky one to tick off as met.

The final two requirements are about e) control of changes and f) retention and disposition. Control of changes is critical: if it's your processes and procedures, you need to carefully manage any updates you make and push them through your review and approval process; if it's software, then of course you need very tight revision control and a software release methodology to factor in. Once you have your documented information, how long do you keep copies of it, how many past versions, and where do you keep them? When you do decide to update your system, and it's a paper-based one, who is responsible for going round the entire organisation, collecting every physical copy and then destroying them?
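To make the six controls above concrete, here is an added example of a minimal document control register. It is not code from Many Caps or from any QMS product the post mentions; it is a hypothetical Python model written for this page. The document identifiers, people and policy text are constructed sample values. It shows identification (a reference number, title, author, date and version), a review step that must precede approval, separation of duties so an author cannot approve their own document, role-based read access to the current approved version only, a SHA-256 fingerprint so a circulated copy can be checked against the approved original, and a retention rule that keeps only the last N approved versions.

```python
import hashlib
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set


@dataclass
class DocumentVersion:
    """One revision of a controlled document: identification and description (7.5.2)."""
    version: int
    content: bytes
    author: str
    created: date
    sha256: str                       # fingerprint used for the integrity check
    reviewed_by: Optional[str] = None
    approved_by: Optional[str] = None

    @property
    def status(self) -> str:
        if self.approved_by:
            return "approved"
        if self.reviewed_by:
            return "reviewed"
        return "draft"


def fingerprint(content: bytes) -> str:
    """SHA-256 of the document body; any alteration changes it."""
    return hashlib.sha256(content).hexdigest()


class DocumentRegister:
    """Hypothetical document control register (constructed for this example)."""

    def __init__(self, retain_versions: int = 3):
        self._docs: Dict[str, List[DocumentVersion]] = {}
        self._titles: Dict[str, str] = {}
        self._readers: Dict[str, Set[str]] = {}   # doc_id -> roles allowed to read
        self._next_version: Dict[str, int] = {}   # never reuse a version number
        self.retain_versions = retain_versions

    def submit(self, doc_id: str, title: str, content: bytes, author: str,
               readers: Optional[Set[str]] = None) -> DocumentVersion:
        """Register a new draft; a new document also gets its title and reader roles."""
        versions = self._docs.setdefault(doc_id, [])
        if doc_id not in self._titles:
            self._titles[doc_id] = title
            self._readers[doc_id] = set(readers or [])
        number = self._next_version.get(doc_id, 1)
        self._next_version[doc_id] = number + 1
        ver = DocumentVersion(number, content, author, date.today(), fingerprint(content))
        versions.append(ver)
        return ver

    def review(self, doc_id: str, version: int, reviewer: str) -> None:
        self._get(doc_id, version).reviewed_by = reviewer

    def approve(self, doc_id: str, version: int, approver: str) -> None:
        """Change control (7.5.3 e): review first, and the author cannot self-approve."""
        ver = self._get(doc_id, version)
        if ver.reviewed_by is None:
            raise PermissionError(f"{doc_id} v{version} has not been reviewed")
        if approver == ver.author:
            raise PermissionError("author may not approve their own document")
        ver.approved_by = approver
        self._prune(doc_id)

    def current(self, doc_id: str) -> Optional[DocumentVersion]:
        """The latest approved version is the only one in use."""
        approved = [v for v in self._docs.get(doc_id, []) if v.status == "approved"]
        return approved[-1] if approved else None

    def read(self, doc_id: str, role: str) -> DocumentVersion:
        """Access control (7.5.3 c): only listed roles, and only the current version."""
        if role not in self._readers.get(doc_id, set()):
            raise PermissionError(f"role {role!r} may not read {doc_id}")
        cur = self.current(doc_id)
        if cur is None:
            raise LookupError(f"{doc_id} has no approved version")
        return cur

    def verify_copy(self, doc_id: str, copy: bytes) -> bool:
        """Integrity (7.5.3 b): does a circulated copy match the approved original?"""
        cur = self.current(doc_id)
        return cur is not None and fingerprint(copy) == cur.sha256

    def versions(self, doc_id: str) -> List[int]:
        return [v.version for v in self._docs.get(doc_id, [])]

    def _prune(self, doc_id: str) -> None:
        """Retention (7.5.3 f): keep the last N approved versions plus any open drafts."""
        versions = self._docs[doc_id]
        approved = [v for v in versions if v.status == "approved"]
        keep = {id(v) for v in approved[-self.retain_versions:]}
        self._docs[doc_id] = [v for v in versions if v.status != "approved" or id(v) in keep]

    def _get(self, doc_id: str, version: int) -> DocumentVersion:
        for v in self._docs.get(doc_id, []):
            if v.version == version:
                return v
        raise LookupError(f"{doc_id} v{version} not found")


if __name__ == "__main__":
    reg = DocumentRegister(retain_versions=2)
    reg.submit("ISMS-POL-001", "Access Control Policy", b"Policy text, rev 1", "alice", {"staff"})
    reg.review("ISMS-POL-001", 1, "bob")
    reg.approve("ISMS-POL-001", 1, "carol")
    print(reg.read("ISMS-POL-001", "staff").status)           # approved
    print(reg.verify_copy("ISMS-POL-001", b"Policy text, rev 1 (scribbled on)"))  # False
```

The register holds the document body only so the example is self-contained; in practice the body would live in the document store and the register would hold the fingerprint, which is what lets an auditor check that the copy on someone's desk is the approved one.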

When you think about these six requirements it becomes increasingly obvious that a paper system is not the way to go, and just structuring things into a folder on your server is also pretty risky. This is where dedicated QMS software like Mango QHSE, for example, really starts to excel, as it handles everything we have just talked about automatically for you, which means you can focus on the more detailed parts of your ISO27001 Information Security Management System.

The final thing to remember about ISO27001 clause 7.5 for documented information is that it's not just about your own documented information. It also covers the requirement to control external documentation. If you have determined that a particular piece of information is important to your ISMS, then you need to manage it in the same way, with the same controls, as your own documented information. For example, you should have a copy of ISO27001 in your system, and it needs to be controlled and kept up to date just like your other documentation.

Some Free Resources

We have put together some free resources that may be of help:

...

List of mandatory documents required by ISO 27001:2013

ISO27001:2013 has a number of documents and files that are required to be in place to meet the standard. The list is a little larger than for some of the other standards, but they all add value.
...

Document Control Register Template

Use this Document Control Register Template to track and manage documents on your site.

Copyright

© Many Caps Consulting | All Rights Reserved
