ISO 27001 Information Security Management Standard - Clause 7.5

Posted by Craig Thornton

Part 20 - Clause 7.5 Documented Information

As far as clauses go, Documented Information has to be right up there on an overthinker’s worst nightmare list.

Have you documented enough? Have you documented too much? Have you documented your processes to satisfy the standard, but in reality, do something completely different...?


These questions, and questions like them, are pretty common. So, what does the standard actually say?

The organisation’s information security management system shall include:

  a) Documented information required by this International Standard
  b) Documented information determined by the organisation as being necessary for the effectiveness of the information security management system.

From this we know that ISO 27001:2013 has some mandatory documentation requirements. If documentation is required as part of the standard, then this will be identified within the relevant clause. The same goes for any records or results that the organisation is required to retain. Knowing this makes meeting part a) pretty straightforward.

It’s part b) where things can start getting a little bit out of hand. This is due in part to the fact that the level of documentation needed can vary depending on things like the number of staff or the intricacy of an organisation’s processes, which puts the onus back on the organisation to determine what its needs are.

A good place to start is to refer back to your Statement of Applicability (SoA). Refer to Part 14 of this blog series for tips on getting this underway.

It’s so important to get the SoA right, because it’s this that identifies the controls from Annex A that are going to be applicable to your organisation and therefore determines the documentation (incl. records & results) needed for your ISMS to be effective.

When it comes to creating and updating your documentation, the standard essentially asks for three things:

  1. The documentation to have a clear description and identifier (i.e. title, reference number etc.)
  2. The format to be appropriate for the audience (i.e. language and/or media used)
  3. Evidence that the documentation is being reviewed and approved for suitability

Not too much to ask, really. At Mango we use our Documents module to manage this for us. It allows us to maintain consistency with the format of our policies and procedures, and also lets us electronically stamp the document to show the creator, the reviewer and the publisher. We also use our Events module to ensure that we have reminders to review the documentation regularly and record any changes that need to be made.

Having an electronic documentation library also means we are able to link from within a procedure to another procedure, policy, external link or form etc. Auditors are fans of this because it stops organisations from having the same information repeated and reiterated throughout their ISMS.

The final piece of this clause is control of documented information.

To satisfy this requirement, any documented information required by your ISMS must have controls in place that allow it to be available to those who need it, while at the same time ensuring that the information is protected. Protection can relate to lots of different things, including:

  • How the information is stored
  • How it’s changed
  • How long it’s kept for, and
  • How you delete it.

It pays to keep in mind that protection also extends to how your information is classified (i.e. public or confidential) and who has permission to make and/or approve changes.

So that’s it for the Documented Information clause. I think the requirements for this one are pretty clear. Just remember: you want the standard to work for you, not the other way around. If in doubt, don’t just create another document – read the standard, read the standard and read the standard...

 

Takeaways

Here is a list of takeaways that will help you achieve clause 7.5:

  1. Get all of the mandatory documentation in place
  2. Identify the controls that are applicable to you (SoA and Annex A)
  3. Make everything fit for purpose and reasonable
  4. Don’t just create documentation to appease the standard or the auditor; create it to add value to your organisation
