How to manage documents according to ISO 27001 and ISO 22301

Documents play an important role in any business. As a means to deliver or store information, documents help people and organizations show and understand what is needed, what to deliver, what to do, and how to do it, supporting the achievement of desired objectives and outcomes.

So, ensuring that documents are managed effectively is a process that should be considered carefully by organizations. But how best to do that? This article will present how to handle documents in the context of ISO 27001 and ISO 22301, the leading standards for information security and business continuity.


What are documents?

The ISO 27001:2013 and ISO 22301:2019 standards speak about documents in the context of documented information – where documents refer to both information required by the standards (e.g., ISMS Scope and Information Security Policy), and those defined as needed by the organization so it can operate (i.e., support policies, procedures, plans, and other similar documents that need to be written).
Documents can be in various forms – paper documents, text or spreadsheet files, video, audio files, etc. Not only must an organization manage internal documents (for example, various policies, procedures, project documentation, etc.), but also external documents (for example, different types of correspondence, documentation received with equipment, etc.).

Here you’ll find a list of all mandatory documents according to these two standards: List of mandatory documents required by ISO 27001 (2013 revision) and Mandatory documents required by ISO 22301 – these articles identify the minimum documentation you need to maintain if you want to comply with these two standards, as well as other commonly used documents that are useful, although not required by the standards.

Why is it important to manage documents?

Well, have you ever found yourself in a situation where you didn’t know where to find some important document? Or you found out that your employees were using the wrong (older) version of a procedure? Or some employees didn’t receive an important procedure at all? Or perhaps the version of the procedure wasn’t clear? Or some confidential document was distributed to the wrong people? Even if you’ve never found yourself in one of those problematic situations, you have probably experienced this one – your procedures are simply out of date.

If you don’t have a systematic approach for managing your documents, you will probably recognize yourself in some of these situations – therefore, ISO 27001 and ISO 22301 require organizations to introduce such a systematic approach for document management, although they do not require a procedure for document management to be written.

Because document management is such an essential thing, you can be certain that the certification auditor will examine whether your documentation is really managed, so you have to define how documents are handled, stored, and organized, for both electronic and paper documents.

How must documents be managed according to ISO 27001 and ISO 22301?

Requirements for a document management system compliant with ISO 27001 and ISO 22301 are almost the same. Here is what these two standards require for the control of documents:

  • Distribution, access, retrieval, and use – basically, you need to define who has the right to access the documents (e.g., by job title) and to perform which actions (e.g., edit, read only, etc.).
  • Storage and preservation – where the documents will be available and then archived (e.g., which computer, which facility), how they will be protected from unauthorized access (e.g., access control, encryption), and how to preserve their legibility to ensure the information is readable even if media become obsolete (such as old VHS video tapes).
  • Control of changes – if you edit a specific document (e.g., a procedure), you need to assign a new version identification (e.g., number) each time.
  • Retention and disposition – how long a particular obsolete document will be kept (e.g., 5 years), and how you will destroy it afterwards (e.g., overwriting digital documents, or shredding paper documents).
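As an added illustration (not code from the article or from any standard), the four requirements above can be expressed as checks in a small document-control register: access by job title, a new version identifier on every change, and disposition only after the retention period. The role names, the 5-year retention and the numeric version scheme are assumptions taken from the article's examples.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Distribution, access and use: which actions each job title may perform
# (hypothetical roles, for illustration only)
PERMISSIONS = {
    "CISO": {"read", "edit", "approve"},
    "Document Controller": {"read", "edit"},
    "Employee": {"read"},
}

# Retention: keep obsolete documents for 5 years (the article's example figure)
RETENTION = timedelta(days=5 * 365)


@dataclass
class ControlledDocument:
    name: str
    version: int = 1
    status: str = "approved"            # draft | approved | obsolete
    obsoleted_on: Optional[date] = None
    history: List[Tuple[int, str, str]] = field(default_factory=list)


def check_access(role: str, action: str) -> bool:
    """Return True only if the role is allowed to perform the action."""
    return action in PERMISSIONS.get(role, set())


def change(doc: ControlledDocument, role: str, description: str) -> int:
    """Control of changes: every edit gets a new version id and an audit entry."""
    if not check_access(role, "edit"):
        raise PermissionError(f"{role} may not edit {doc.name}")
    doc.version += 1
    doc.status = "draft"                # must be re-approved before use
    doc.history.append((doc.version, role, description))
    return doc.version


def approve(doc: ControlledDocument, role: str) -> str:
    """Only an approving role can release a draft version for use."""
    if not check_access(role, "approve"):
        raise PermissionError(f"{role} may not approve {doc.name}")
    doc.status = "approved"
    return doc.status


def retire(doc: ControlledDocument, on: date) -> None:
    """Mark a document obsolete; the retention clock starts on this date."""
    doc.status = "obsolete"
    doc.obsoleted_on = on


def disposition_due(doc: ControlledDocument, today: date) -> bool:
    """Retention and disposition: destroy only obsolete documents past retention."""
    return doc.status == "obsolete" and today >= doc.obsoleted_on + RETENTION
```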

ISO 22301 and ISO 27001 Document management

How to implement document management in your company

Although the standards do not prescribe a written procedure for document management, you should consider writing one.

The reason is that, to make sure everyone understands how to perform document management, and to avoid your documentation becoming a mess, it is better to write a procedure that explains everything in detail.

Additionally, if only one person is responsible for document control, or if it is performed rather rarely, a written procedure lets you continue if this person becomes unavailable, or if people forget how it is done.

Steps you should consider when developing this procedure are:

  1. define the responsibilities for document management;
  2. evaluate your business processes to identify how documents are currently received, processed, approved/rejected, stored, and deleted;
  3. adjust business processes according to the standard’s requirements for document management;
  4. identify documentation that needs to be controlled;
  5. write the document control management procedure.

The point of document management

When you start implementing an Information Security Management System, or a Business Continuity Management System, you start seeing the importance of writing things down, and the value that controlling that information can bring to your organization. Documents are, in fact, the lifeblood of your management system – take good care of them if you want your system to remain healthy.

To see how to distribute, store, preserve, control changes, retain and dispose of documents, sign up for a 14-day free trial of Conformio, the leading ISO 27001 compliance software.

Rhand Leal (Advisera)

Rhand Leal has more than 15 years of experience in information security, and for six years he continuously maintained a certified Information Security Management System based on ISO 27001.

Rhand holds an MBA in Business Management from Fundação Getúlio Vargas. Among his certifications are ISO 27001 Lead Auditor, ISO 9001 Lead Auditor, Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), and others. He is a member of the ISACA Brasília Chapter.