ISMS: Documented Information requirements
Anyone familiar with operating to an international ISO standard knows the importance of documented information (a.k.a. documents) for the information security management system (ISMS). Describing an organization's information security management system and demonstrating its intended achievements is one of the main requirements for ISO 27001 certification. If the organization wants to achieve ISO 27001 certification, it is of utmost importance to document everything related to the ISMS, to maintain those documents, and to make them easily accessible to the relevant parties. Auditors take great confidence from a well-documented and well-maintained information security management system. For this purpose, the ISO 27001 standard contains clause 7.5 Documented Information, which is divided into three sub-clauses.
General documentation requirements for ISMS (Clause 7.5.1)
The standard requires an organization's ISMS to include all documents the organization has determined it needs to run its ISMS. In practice, the organization should develop requirements (a.k.a. controls) to manage documentation related to the ISMS. Usually, such requirements come in the form of a policy or standard, e.g. an ISMS Document Management policy.
Requirements for creating and updating documents for ISMS (Clause 7.5.2)
As mentioned above, the organization should have precise requirements to develop, update, maintain and communicate ISMS documents, as required by the ISO 27001 standard. The document should clarify requirements for identification and description, format, and review and approval of documents for suitability and adequacy to serve their purpose. Other nuances of these requirements are document owner, change history, title, reference, exceptions, etc. The document approval process is also essential, and is required in Annex A 5.1.2.
Control of documents for ISMS (Clause 7.5.3)
The ISMS should be designed around the Confidentiality, Integrity and Availability principle for information. The same applies to the ISMS documents: they need to be available when required, and adequately protected from loss of confidentiality and from unauthorized change or other integrity compromise.
Simply creating the ISMS documents on the team shared drive and leaving them uncontrolled, or with ineffective access permissions, will certainly lead to problems for the organization during the audit. Similarly, leaving them on a personal drive inaccessible to those who need to know about the ISMS would equally be a problem. Therefore, effectively controlling the ISMS documents is important. ISO 27001 certification looks for an organization to address the following aspects:
sharing and distribution clarity,
role-based access management to some or all of the ISMS documents for reading, editing, approving, deleting, etc.,
storage and preservation, including a history of changes (showing document versions, historical change approvals, etc.),
retention and disposal of the documents.
These requirements align with the regular review of policies required in Annex A.5.1.2, which we will touch on separately.
Up next: How to manage ISMS documents and What auditors look for in your documentation. Stay tuned, and contact us if you have questions.