Documented information vs. documents and records in ISO standards

Many organizations implementing ISO standards find it difficult to understand the term “documented information.” This confusion arises because the term replaces the previously used terms “documents” and “records.” This article explores the difference between these terms and why introducing “documented information” was necessary for ISO standards. It also discusses the importance of documented information for ISO standards and its role in performing compliance activities.

What is ISO documented information?

In ISO standards, documented information refers to information controlled and managed by an organization, including policies, procedures, and records. It replaces the terms documents and records to better reflect the evolving nature of information and its management.

Documented information vs. documents and records in ISO standards

“Documents” and “records” are terms used in various ISO management standards, including ISO 27001 and ISO 9001. These terms refer to different types of information managed by an organization.

Documents are used to communicate the internal rules of a company and can include:

  • policies
  • procedures
  • manuals
  • working instructions

Records are used to provide evidence of activities and results, for example:

  • audit reports
  • training records
  • incident reports
  • corrective actions

Figure: Documented information replaces the terms “documents” and “records.”

Why introduce the term “documented information”?

If documented information only covers documents and records, why did ISO standards introduce this term in the first place?

The introduction of “documented information” in ISO standards was necessary because it reflects the evolving nature of information and its management more accurately. In some cases, there is a mix of documents and records, making it challenging to differentiate between the two.

For example, let’s take a look at the Statement of Applicability (SoA):

  • Listing the controls, their applicability, and justification for implementation in the Statement of Applicability – this makes the SoA a document.
  • When you add the status of each control (which changes all the time) in the SoA – this makes the SoA also a record.

Another example is the Risk Treatment Plan, which lists the controls to be implemented, deadlines, responsible persons, and the budget. Listing all of these things would make it a plan (a document); however, noting down when the implementation of a particular control was completed and what the results were makes this Risk Treatment Plan a record at the same time.

Importance of documented information for ISO standards

Documented information is important for ISO standards because it specifies exactly what needs to be done and records key activities to prove compliance.

For example, in a large company, it would be very difficult to explain to employees which backup technology to use and how to perform backup without having a Backup Policy.

If there were no backup logs, it would be almost impossible to determine whether the backup was actually done and if it was done regularly.

The documented information, therefore, becomes the beginning and the end of your compliance activities. But beware, without actually doing all those activities, documented information would make no sense – therefore, what you do in the middle is the most important.

Dejan Kosutic

Leading expert on cybersecurity & information security and the author of several books, articles, webinars, and courses. As a premier expert, Dejan founded Advisera to help small and medium businesses obtain the resources they need to become compliant with EU regulations and ISO standards. He believes that making complex frameworks easy to understand and simple to use creates a competitive advantage for Advisera's clients, and that AI technology is crucial for achieving this.

As an ISO 27001 and NIS 2 expert, Dejan helps companies find the best path to compliance by eliminating overhead and adapting the implementation to their size and industry specifics.