Part 20 - Clause 7.5 Documented Information
As far as clauses go, Documented Information has to be right up there on an overthinker's worst-nightmare list.
Have you documented enough? Have you documented too much? Have you documented your processes to satisfy the standard, but in reality do something completely different...?
These questions, and others like them, are pretty common. So, what does the standard actually say?
The organisation's information security management system shall include:
- a) documented information required by this International Standard; and
- b) documented information determined by the organisation as being necessary for the effectiveness of the information security management system.
From this we know that ISO 27001:2013 has some mandatory documentation requirements. Where documentation is required by the standard, the relevant clause says so explicitly (for example, the scope in clause 4.3 and the information security policy in clause 5.2 must both "be available as documented information"), and the same goes for any records or results the organisation is required to retain, which the standard phrases as "retain documented information as evidence of...". Knowing this makes meeting part a) pretty straightforward.
It's part b) where things can start getting out of hand. The standard itself notes that the extent of documented information can differ from one organisation to another depending on its size and type of activities, the complexity of its processes and the competence of its people, so it puts the onus back on the organisation to determine what it actually needs.
A good place to start is your Statement of Applicability (see Part 14 of this blog series for tips on getting it underway).
It's so important to get the SoA right, because it's the SoA that identifies which Annex A controls apply to your organisation, and that in turn determines the documentation (including records and results) your ISMS needs in order to be effective.
When it comes to creating and updating documented information, the standard essentially asks for three things:
- Appropriate identification and description (e.g. title, date, author, reference number)
- A format and media appropriate for the audience (e.g. language, software version, paper or electronic)
- Evidence that the documentation is reviewed and approved for suitability and adequacy
Not too much to ask really. At Mango we use our Documents module to manage this for us; it allows us to maintain consistency in the format of our policies and procedures and also lets us electronically stamp each document to show the creator, the reviewer and the publisher. We also use our Events module to make sure we have reminders to review the documentation regularly and to record any changes that need to be made.
Having an electronic documentation library also means we are able to link from within a procedure to another procedure, a policy, a form or an external link. Auditors are fans of this because it stops organisations from repeating the same information throughout their ISMS.
The final piece of this clause is control of documented information.
To satisfy this requirement, any documented information required by your ISMS must be controlled so that it is available and suitable for use where and when it is needed, while at the same time being adequately protected (for example, from loss of confidentiality, improper use or loss of integrity). The standard lists the activities this control has to address:
- How the information is distributed, accessed, retrieved and used
- How it's stored and preserved (including keeping it legible)
- How it's changed (e.g. version control)
- How long it's kept for, and
- How you dispose of it.
It pays to keep in mind that protection also extends to how your information is classified (e.g. public or confidential) and who has permission to make and/or approve changes: the standard is explicit that "access" can mean permission to view only, or permission and authority to view and change. Documented information of external origin that your ISMS depends on (e.g. a contract or a legal requirement) has to be identified and controlled in the same way.
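One way to make the control requirements above concrete, whether or not you use a tool for it, is a register that records each document's identifier and description, its classification, who drafted, reviewed and approved each version, when the next review is due, and when a withdrawn document may finally be disposed of. The Python sketch below is an added example for this post; it is not Mango's Documents or Events module and not anything the standard prescribes, and the document reference, people, dates and retention period in it are constructed for illustration.

```python
"""Added illustrative register for clause 7.5; not Mango's software, and all names are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum

Classification = Enum("Classification", "PUBLIC INTERNAL CONFIDENTIAL")  # values 1..3, higher = stricter
Status = Enum("Status", "DRAFT REVIEWED APPROVED")


@dataclass
class Version:
    number: int
    author: str
    change_note: str                  # the record of what changed and why
    status: Status = Status.DRAFT
    reviewer: str | None = None
    approver: str | None = None
    approved_on: date | None = None


@dataclass
class Document:
    ref: str                          # unique identifier, e.g. "ISMS-POL-003"
    title: str                        # clear description
    classification: Classification
    review_interval_days: int         # periodic review cycle
    retention_days: int               # how long to keep it after withdrawal
    versions: list[Version] = field(default_factory=list)
    withdrawn_on: date | None = None
    audit_log: list[tuple[date, str, str]] = field(default_factory=list)

    def current(self) -> Version | None:  # what readers get: latest approved version, unless withdrawn
        approved = [v for v in self.versions if v.status is Status.APPROVED]
        return approved[-1] if approved and self.withdrawn_on is None else None


class Register:
    def __init__(self, approvers):
        self.approvers = set(approvers)   # approval is a permission, separate from authorship
        self.docs: dict[str, Document] = {}

    def add(self, doc: Document) -> None:
        if doc.ref in self.docs:
            raise ValueError(f"duplicate identifier {doc.ref}")
        self.docs[doc.ref] = doc

    def new_draft(self, ref, author, note, today) -> Version:
        doc = self.docs[ref]
        doc.versions.append(Version(len(doc.versions) + 1, author, note))
        doc.audit_log.append((today, author, f"drafted v{len(doc.versions)}: {note}"))
        return doc.versions[-1]

    def review(self, ref, number, reviewer, today) -> None:
        doc, v = self.docs[ref], self.docs[ref].versions[number - 1]
        if v.status is not Status.DRAFT:
            raise ValueError("only a draft can be reviewed")
        if reviewer == v.author:
            raise PermissionError("authors may not review their own change")
        v.reviewer, v.status = reviewer, Status.REVIEWED
        doc.audit_log.append((today, reviewer, f"reviewed v{number}"))

    def approve(self, ref, number, approver, today) -> None:
        doc, v = self.docs[ref], self.docs[ref].versions[number - 1]
        if approver not in self.approvers or approver == v.author:
            raise PermissionError(f"{approver} may not approve v{number} of {ref}")
        if v.status is not Status.REVIEWED:
            raise ValueError("a version must be reviewed before it is approved")
        v.approver, v.status, v.approved_on = approver, Status.APPROVED, today
        doc.audit_log.append((today, approver, f"approved v{number}"))

    def withdraw(self, ref, actor, today) -> None:  # withdrawn, but kept for the retention period
        self.docs[ref].withdrawn_on = today
        self.docs[ref].audit_log.append((today, actor, "withdrawn"))

    def review_due(self, ref) -> date | None:
        doc, cur = self.docs[ref], self.docs[ref].current()
        return None if cur is None else cur.approved_on + timedelta(days=doc.review_interval_days)

    def overdue(self, today) -> list[str]:  # the reminder list: live documents past their review date
        return sorted(r for r in self.docs if (d := self.review_due(r)) and d < today)

    def disposable(self, today) -> list[str]:  # withdrawn documents past retention: safe to delete
        return sorted(r for r, d in self.docs.items() if d.withdrawn_on
                      and d.withdrawn_on + timedelta(days=d.retention_days) <= today)

    def readable_by(self, ref, clearance) -> bool:  # available to those who need it, yet protected
        doc = self.docs[ref]
        return doc.current() is not None and clearance.value >= doc.classification.value


def build_example(today: date) -> Register:  # constructed sample: v1 approved, v2 still a draft
    reg = Register(approvers={"carol"})
    reg.add(Document("ISMS-POL-003", "Access Control Policy", Classification.INTERNAL,
                     review_interval_days=365, retention_days=2555))
    reg.new_draft("ISMS-POL-003", "alice", "initial version", today)
    reg.review("ISMS-POL-003", 1, "bob", today)
    reg.approve("ISMS-POL-003", 1, "carol", today)
    reg.new_draft("ISMS-POL-003", "alice", "add MFA requirement", today)
    return reg
```

The points worth noticing are the ones an auditor will ask about: the identifier is unique, every version carries its author, reviewer and approver with dates, an author can neither review nor approve their own change, approval is a permission held separately from authorship, readers only ever see the latest approved version and only if cleared for its classification, the review reminder list is derived from the approval date rather than maintained by hand, and a withdrawn document is not deleted until its retention period has expired.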
So that's it for the Documented Information clause. I think the requirements for this one are pretty clear; just remember: you want the standard to work for you, not the other way around. If in doubt, don't just create another document. Read the standard, read the standard and read the standard...
Here is a list of takeaways that will help you meet clause 7.5:
- Get all of the mandatory documentation in place
- Identify the controls that are applicable to you (SoA and Annex A)
- Make everything fit for purpose and reasonable
- Don’t just create documentation to appease the standard or Auditor, create it to add value to your organisation
View previous blogs in this series "ISO 27001 Information Security Management Standard":