The ISO 27001 & ISO 22301 Blog

Dejan Kosutic

Document management in ISO 27001 & BS 25999-2

Why do ISO 27001 and BS 25999-2 put such an emphasis on the control of documents? Both standards define very strictly how documents must be managed, and require the organization to have a documented procedure for managing them; without such a procedure, you will not get certified.

Documents can take various forms: paper documents, text or spreadsheet files, video or audio files, etc. An organization must manage not only internal documents (for example, policies, procedures, project documentation) but also external documents (for example, different types of correspondence, documentation received with equipment). In other words, managing documents is a complex and comprehensive task.

So why is it important to manage them? Well, have you ever found yourself in a situation where you didn't know where to find an important document? Or discovered that your employees were using the wrong (older) version of a procedure? Or that some employees never received an important procedure at all? Or that it wasn't clear which version of a procedure was current? Or that a confidential document was distributed to the wrong people? If you have never experienced any of these, you have probably experienced this one: your procedures are simply not up to date.

If you don't have a systematic approach to managing your documents, you will probably recognize yourself in some of these situations. That is why ISO 27001 and BS 25999-2 require organizations to introduce such a systematic approach by writing down a procedure for document management.

This procedure must clearly define responsibilities for documents: who can approve them, how they are distributed and archived, how they are kept up to date, which versioning system is used, how changes to documents are tracked, what is done with external documents, and so on.

Since document management is so essential, expect the certification auditor not only to look for such a procedure, but also to check whether your documentation is really managed the way your document management procedure says it is. Introducing this procedure will probably mean changing how you handle documents: storing documentation on your intranet or implementing a more complex document management system, and organizing an archive for paper documents.

When you start implementing ISO 27001 / BS 25999-2, you begin to see the importance of writing things down, but you also see that what is written down must be organized if you are not to lose control of it. Documents are in fact the bloodstream of your management system; take good care of them if you want the system to stay healthy.

To manage your documents more easily, check out this Conformio document management system.


2 responses to “Document management in ISO 27001 & BS 25999-2”

  1. shrife azmy says:

    Dear Mr. Dejan,
    Thank you for the helpful article. I have one inquiry: if my company is using a standard template for policies and procedures and we want to change this template to satisfy both business and ISO needs, and we have the new template approved via the defined formal channel described in our document control procedure, shall we now change all the existing policies and procedures to the new template, or can we state in our document control procedure that, starting from a defined date, any new or updated policy/procedure shall use the new template?
    Please note that both templates fulfil ISO 27001 requirements.
