What kind of Document Management System (DMS) do you need for handling ISO 27001 documents?

If you’re starting to implement ISO 27001, one of the first concerns you probably have is how to handle the policies, procedures, and other documents you’ll produce.

Should you use Dropbox? Or SharePoint? Or simply keep the files on a local disk and deliver them through email? This article helps you make the right choice about your ISO 27001 DMS.

What does the ISO 27001 standard require of a DMS?

Let’s first look at what exactly you need to comply with. Clause 7.5 (which specifies how to handle “documented information” in most of the ISO management standards) requires you to have a system that complies with the following:

  • Clearly identifies each document – e.g., document name, date, author, etc.
  • Controls and identifies changes to documents
  • Enables the review and approval of documents
  • Enables distribution of, access to, and retrieval of the documents
  • Makes sure the documents are available to everyone who needs them, when required
  • Ensures the confidentiality (i.e., that only certain people are allowed to see the documents) and the integrity (i.e., that only certain people can change the documents) of the documents
  • Allows different document formats – e.g., PDF, text, spreadsheets – and different media (e.g., paper and/or electronic)
  • Defines how the documents are stored and preserved
  • Defines the retention and disposition of the documents

All of this should be enabled not only for the company’s internal documents, but also for external documents that are important for its management system.


How does this look in real life?

It is easy to have a system that clearly identifies the name, author, and date of each document; it is also useful to include the status of each document. For example, in Conformio, we did it like this:

Figure 1. Conformio’s document management system
Figure 2. Managing documents in Conformio’s Document Wizard

You can identify changes in a document by simply checking the Change History table in the document itself. Of course, all changes and previous versions of the document should remain available in case you want to revert to an old version. Conformio stores all versions of the same document, and you can always go back to any of them from the document’s Change History table.

Figure 3. Change history in Document Wizard

The Conformio Document Management System takes care of storage and preservation of documents (this ISO 27001 requirement is more problematic with paper documents). Finally, retention and disposition of the documents is also more problematic with paper documents; with digital documents, you can simply define how long you keep certain kinds of records, and then delete all that are older than, e.g., 3 years – again, very easy in any DMS or file management system.

So, what should you actually do?

When you read the requirements of ISO 27001 closely, you’ll notice that you can use any solution – Dropbox, SharePoint, your local disk, or any other solution – because these requirements are mostly common sense.

So, the point is – you have quite a lot of freedom in choosing the Document Management System that is most appropriate for you. In other words, you should find a solution that makes it easier for you to comply with ISO 27001 requirements – but, more importantly, one that your employees will find easy to use.


Rhand Leal

Rhand Leal has more than 15 years of experience in information security, and for six years he continuously maintained a certified Information Security Management System based on ISO 27001. Rhand holds an MBA in Business Management from Fundação Getúlio Vargas. Among his certifications are: ISO 27001 Lead Auditor, ISO 9001 Lead Auditor, Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), and others. He is a member of the ISACA Brasília Chapter.