Many organizations implementing ISO standards find it difficult to understand the term “documented information.” This confusion arises because the term replaces the previously used terms “documents” and “records.” This document will explore the difference between these terms and why introducing “documented information” was necessary for ISO standards. Additionally, we will discuss the importance of documented information for ISO standards and its role in performing the activities.
In ISO standards, documented information refers to information controlled and managed by an organization, including policies, procedures, and records. It replaces the terms documents and records to better reflect the evolving nature of information and its management.
Documented information vs. documents and records in ISO standards
“Documents” and “records” are terms used in various ISO management standards, including ISO 27001 and ISO 9001. These terms refer to different types of information managed by an organization.
Documents are used to communicate the internal rules of a company and can include:
- working instructions
Records are used to provide evidence of activities and results, for example:
- audit reports
- training records
- incident reports
- corrective actions
What is documented information?
In ISO standards, “documented information” refers to information controlled and managed by an organization, including policies, procedures, and records. It replaces the terms “documents” and “records” to better reflect the evolving nature of information and its management.
Why introduce the term “documented information”?
If documented information only covers documents and records, why did ISO standards introduce this term in the first place?
The introduction of “documented information” in ISO standards was necessary because it reflects the evolving nature of information and its management more accurately. In some cases, there is a mix of documents and records, making it challenging to differentiate between the two.
For example, let’s take a look at the Statement of Applicability (SoA):
- Listing the controls, their applicability, and justification for implementation in the Statement of Applicability – this makes the SoA a document.
- When you add the status of each control (which changes all the time) in the SoA – this makes the SoA also a record.
Another example is the Risk Treatment Plan, which lists the controls to be implemented, deadlines, responsible persons, and the budget. Listing all of these things would make it a plan (a document); however, noting down when the implementation of a particular control was completed and what the results were makes this Risk Treatment Plan a record at the same time.
Importance of documented information for ISO standards
Documented information is important for ISO standards because it specifies exactly what needs to be done and records key activities to prove compliance.
For example, in a large company, it would be very difficult to explain to employees which backup technology to use and how to perform backup without having a Backup Policy.
If there were no backup logs, it would be almost impossible to determine whether the backup was actually done and if it was done regularly.
The documented information, therefore, becomes the beginning and the end of your compliance activities. But beware, without actually doing all those activities, documented information would make no sense – therefore, what you do in the middle is the most important.
To get the templates for all mandatory documents and the most common non-mandatory documents, along with an interactive wizard that helps you every step of the way on your certification, sign up for a free trial of Conformio, the leading ISO 27001 compliance software.