Get 4 FREE months of Conformio to implement ISO 27001

Why is ISO 27001 applicable also for paper-based information?

Although digital information has become the generally accepted standard for handling information, there might be situations where organizations still use paper-based information, and this documentation also must be protected according to its sensitivity and importance to the business.

While it may be perceived more as a standard related to digital information, ISO 27001, the leading ISO standard for the management of information security, also can be used to protect information in physical documentation. Thus, the ISO 27001 standard can be used against related threats and vulnerabilities in paper-based formats, and this article also shows how organizations can do that.

Examples of paper-based information

Some people may think that paper-based information is something from the past, and that the norm is now to keep all information in a digital format, but this is not true. Examples of sensitive paper-based information we can find in organizations’ daily activities are:

  • handwritten notes made by the CEO during the organization’s strategic meetings
  • initial storyboards or specifications for new products or systems
  • sticky notes used to track the progress of the most critical projects

As you can see, you can have sensitive paper-based information in situations where it may not be possible to make use of computerized information systems, or because it is easier or faster for a person to write the information down, or because systems used by the organization were not designed to work with them. So, you have to deal with such information in paper-based form and protect this information accordingly.

Main threats and vulnerabilities related to paper-based information

Paper-based information shares common threats and vulnerabilities with information that exists on other media but, by their very nature, some of these threats and vulnerabilities can bring more risk to organizations:

Human error. People can lose documents, misplace them, or fill out them incorrectly, which can cause a halt or bottleneck in business processes.

Natural causes. Paper documents are susceptible to damage from water, fires, or other natural causes, and for paper-based information of which the original version is the most important for the business, these events can be catastrophic.

Improper disposal. Properly destroying paper-based documents can be time-consuming, and this can lead people to discard such documents in ways that could make their contents easily recoverable. Depending upon the information discarded, this could compromise business strategies and marketing position, or impact employees’ or customers’ lives.

Can ISO 27001 protect paper-based information?

How ISO 27001 can help protect paper-based information

ISO 27001 is a standard that aims to protect information regardless of its form, which means that both the requirements in its main sections and its controls, listed in its Annex A, can be applied to paper-based information also. Considering that, here are some elements from this standard that you can use to protect information stored on physical media:

Establishment and awareness of roles and responsibilities. By means of controls such as A.6.1.1 (Information security roles and responsibilities), A.8.1.3 (Acceptable use of Assets), and clause A.7.2.2 (Information security awareness, education and training), employees can better understand their roles in protecting information, thereby decreasing the chances of information compromise.

For more information, see this free Security Awareness Training program.

Establishment of practices to control documents and records. The standard requires, as stated in clauses 7.5.2 and 7.5.3, the establishment of appropriate practices to create, update, approve, make available, review, and discard information. When an organization adopts such practices, incidents like misplaced documents are avoided or easily detected. For more information, please read Records management in ISO 27001 and ISO 22301.

Information classification and handling. Not all information must be treated in the same way, and this can save you costs and effort in protecting information. By adopting controls from section A.8.2 (Information classification), an organization defines, using business-relevant criteria, what is the most important information, how it must be identified, and how it must be handled (e.g., how it must be stored, accessed, transmitted, discarded, etc.) For more information, please read Information classification according to ISO 27001. This is the point where organizations define the specific controls to be implemented (e.g., the use of dedicated rooms, shredders, etc.).

Because ISO 27001 does not provide specifics on how to implement controls, it is important to understand ISO 27002, a supporting standard that can provide guidance and recommendations for implementing controls. You also can rely on controls from other sources like the National Institute of Standards and Technology (NIST). For more information, read How to use NIST SP 800-53 for the implementation of ISO 27001 controls.

Never forget: Paper-based information also needs proper protection

Today we live in a connected world, with so much information at the tips of our fingers, and it is easy to forget that some business or activities still rely heavily on paper-based information. And, this forgetfulness can be a great risk for some organizations.

By adopting ISO 27001, a standard that does not rely on specific technologies, organizations can build a framework with organizational, technical, and physical controls to properly protect their paper-based information. With the support of policies, procedures, equipment, and the physical environment, adapted to the needs and objectives of the business, organizations can work within acceptable risks.

To learn how to protect both paper-based and digital information, see this free online training ISO 27001 Foundations Course.

Advisera Rhand Leal
Rhand Leal

Rhand Leal has more than 15 years of experience in information security, and for six years he continuously maintained а certified Information Security Management System based on ISO 27001.

Rhand holds an MBA in Business Management from Fundação Getúlio Vargas. Among his certifications are ISO 27001 Lead Auditor, ISO 9001 Lead Auditor, Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), and others. He is a member of the ISACA Brasília Chapter.