If you’re starting to implement ISO 27001, one of the first concerns you probably have is how to handle the policies, procedures, and other documents you’ll produce.
Should you use Dropbox? Or SharePoint? Or simply keep the files on a local disk and deliver them through email? This article helps you make the right choice about your ISO 27001 DMS.
What does the ISO 27001 standard require of a DMS?
Let’s first look at what exactly you need to comply with. Clause 7.5 (which specifies how to handle “documented information” in most of the ISO management standards) requires you to have a system that complies with the following:
- Clearly identifies each document – e.g., document name, date, author, etc.
- Controls and identifies changes to the documents
- Enables the review and approval of documents
- Enables distribution of, access to, and retrieval of the documents
- Makes sure the documents are available to everyone who needs them, when required
- Ensures their confidentiality (i.e., that only certain people are allowed to see the documents) and their integrity (i.e., that only certain people can change the documents)
- Allows different formats of documents – e.g., PDF, text, spreadsheets – and different media (e.g., paper and/or electronic)
- Defines how the documents are stored and preserved
- Handles retention and disposition
All of this should be enabled not only for the company’s internal documents, but also for external documents that are important for their management system.
How does this look in real life?
It is easy to have a system that clearly identifies the name, author, and date of each document; it is also useful to include the status of each document. For example, in Conformio, we did it like this:
You can identify changes in the documents by simply checking the Change History table in the document itself. Of course, all changes and previous versions of the document should be available if you want to revert to the old version. Conformio stores all versions of the same document, to which you can always go back by simply checking the Change History table of the document.
The Conformio Document Management System takes care of storage and preservation of documents (this ISO 27001 requirement is more problematic with paper documents). Finally, retention and disposition of the documents is also more problematic with paper documents; with digital documents, you can simply define how long you keep certain kinds of records, and then delete all that are older than, e.g., 3 years – again, very easy in any DMS or file management system.
So, what should you actually do?
When you read the requirements of ISO 27001 closely, you’ll notice that you can use any solution – Dropbox, SharePoint, your local disk, or any other solution – because these requirements are mostly common sense.
So, the point is – you have quite a lot of freedom in choosing the Document Management System that is the most appropriate for you. In other words, you should find a solution that makes it easier for you to comply with ISO 27001 requirements – but, more importantly, one that your employees will find easy to use.