How should you keep your ISO 27001 documents – in the cloud or on paper?

Many organizations in today’s world implement and maintain ISO 27001. To prove compliance with the standard, some organizations use paper-based documents (this is becoming more and more rare these days), some use a combination of electronic documents and paper-based documents (maybe the most common practice), and others rely solely on electronic documents (this is the trend, and will become standard in the near future).

As information technology has paved the way for automation and revolutionized many fields (e.g., robotic surgery, pilot-less drones in modern warfare, easy-to-use online banking, etc.), a transformation has taken place for ISO 27001 compliance as well. Extensive use of information technology and, particularly, cloud solutions (such as SaaS, i.e., Software as a Service) is now part of ISO 27001 compliance, and is becoming inevitable. Let’s see what options are available, and how companies gain advantages by managing ISO 27001 documentation properly.

Burden of paper-based documentation

I’m aware that many people like to hold a piece of paper in their hands, but there are many problems with paper-based documentation when implementing and maintaining ISO 27001-based management systems. Here are the three most prominent issues:

  1. Labor-intensive paper requirements, and physical movements – paper-based documentation requires a number of paper documents, plus the work needed to run the system. The labor need is usually even more intensive: if a procedure (or some other document) needs to be revised, the initiator has to raise a document change request to the concerned department, which is then reviewed by the departmental head and then forwarded for approval from the General Manager or CEO. After approval, the employees responsible for ISO 27001 documentation issue a new document to the different distribution points, and old, obsolete copies are recalled. The physical movement from department to department involves non-value actions.
  2. Audit observations in paper-based systems – paper-based documentation raises many challenges during audit observations; e.g., auditors could find non-conformities due to different versions of the same document being utilized on the production floor, an old version being utilized on the floor, two documents having been assigned the same document control number, etc. These are common audit observations in many companies managing ISO 27001 compliance via paper-based systems.
  3. Corrective Action Requests require exhaustive efforts – managing Corrective Action Requests (CARs) with paper-based documents is also difficult. Sometimes the due date of the corrective action is not met, sometimes the concerned assignee uses delay tactics in acknowledging it, and so several CARs may remain unresolved upon audit or Management Review.

Software applications for managing ISO 27001 documentation as an alternative to paper systems

Ideally, software solutions should solve non-value activities like physical movements for review and approvals, physical recall and distribution of documents, audit observations for document control, and exhaustive efforts for corrective actions. The ideal software applications, whether locally hosted or cloud-based, should solve issues such as:

  • Labor and paper requirements, and physical movements – software applications should resolve the issue of extra labor managing the papers, documents, and printers. Software should provide a routing system that avoids physical movements to get the document reviewed and approved by concerned persons.
  • Audit observations – commonly, auditors observe different document versions implemented; therefore, availability of a single version at every point of use should be taken care of by the software itself. The ideal software should ensure that all readers and custodians of a document are working on the same version.
  • Corrective actions management – the ideal software should manage corrective actions inside the application by automating acknowledgement, follow-ups, action statements, and invitations.

How Conformio helps your company

Conformio is an example of a SaaS cloud-based system that offers a third-party compliance solution. It enables collaboration with teams, offers routing features, shows document status, and keeps track of all the changes in any document and events to be performed periodically (e.g., documentation review, performance monitoring and measurement, etc.). So, let’s see how compliant organizations can benefit from this cloud-based application:

  1. No labor, no printing hardware, no paper requirements, and no physical movements – Organizations manage the whole process of document control via an online application. So, there is no intensive labor requirement, no papers, no printing hardware, and, most importantly, no time-consuming physical movements.

Figure 1. Document routing and automation in Conformio

  2. Common audit observations in paper-based systems evaporate – The current version of the document is centralized and accessed by all users due to cloud software, and changes are built in and seen by every user of the organization. Thus, no audit observations occur like obsolete documents being used on the floor, two versions of the same document, etc.
  3. Corrective Action Requests become easy to manage – The ISO 27001 managing department doesn’t have to follow assignees using “detective techniques.” It routes the corrective actions to the assignee (as shown in Figure 2); therefore, no delay tactics are valid.

Figure 2. Corrective action management through Conformio

  4. Scheduling of recurrent tasks doesn’t make your documents useless – To keep ISO 27001 documents updated and relevant to the organization, many activities must be performed regularly (e.g., document review, performance monitoring and measurement, management review, etc.), and Conformio can help you with those by using the parameters you set in your documents to build a schedule of when all these tasks must be performed.

Figure 3. Scheduling of recurrent activities through Conformio

Document management made easier

Conformio can be considered an automation tool that saves a lot of time and a lot of money for a company that opts to implement a user-friendly system that caters to the requirements of a changing world. In this way, the ISO 27001 management department focuses more on providing value instead of on non-value paper-based requirements.

When implementing or managing ISO 27001 documentation, the conventional way of handling paper-based documents simply shows many disadvantages. Online ISO 27001 tools, as an alternative, accelerate a company’s activities and focus on adding actual value instead of coping with the challenges of paper-based systems.


Rhand Leal

Rhand Leal has more than 15 years of experience in information security, and for six years he continuously maintained a certified Information Security Management System based on ISO 27001. Rhand holds an MBA in Business Management from Fundação Getúlio Vargas. Among his certifications are: ISO 27001 Lead Auditor, ISO 9001 Lead Auditor, Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), and others. He is a member of the ISACA Brasília Chapter.