
ISO 27001 clause 7.5 Documented information

The basics

ISO 27001 sub-clause 7.5 is called “Documented information”. It requires that documented information (i.e., documents and records) is created and updated so that it is clearly identified, properly formatted, reviewed, and approved. An organization must control its documents and records so that they are fit for use where and when needed, and are protected against damage or loss of integrity and identity. This includes the control of distribution, retention, access, usage, retrieval, preservation and storage, and disposition.

The requirements described above are defined in 3 sub-clauses of 7.5:

  • 7.5.1 “General”
  • 7.5.2 “Creating and updating”
  • 7.5.3 “Control of documented information”

Documentation

ISO 27001 clause 7.5 Documented information requires writing the following documents:

  • Documents that the company itself concluded are necessary for performing security processes

The following document is not mandatory, and companies can decide whether to write it:

Implementation

To comply with clause 7.5 Documented information, the best practice is to implement document control by following these steps:

  1. Find out if your company already has some rules on how to manage documents – where they are stored, who is responsible, how to approve them, etc.
  2. Define the format for the documents.
  3. Define who needs to approve the documents.
  4. Define where to publish documents, and how to distribute them to relevant people.
  5. Define how to withdraw obsolete documents from use.
  6. Define who will be in charge of updating documents.

The best practice to implement record control is to follow these steps:

  1. Analyze what kind of records or logs are used in a company.
  2. Define whether the rules for control of records will be defined centrally (in one document), or in several documents that require the creation of particular records.
  3. For each type of record, define the storage location, the responsible person, the controls for protecting the record, and the retention time.

Audit evidence

When auditing the ISO 27001 clause 7.5 Documented information, the auditor might look for the following evidence:

  • documents and records required by the standard and those the organization defines as necessary for running the ISMS (clause 7.5.1)
  • how documents and records are created and updated (clause 7.5.2) – e.g., formatting, control of changes, reference number, review and approval of ISMS documents
  • how documents and records are controlled (clause 7.5.3) – e.g., distribution, access, retrieval, usage, storage and preservation, and disposal of the ISMS documents

These actions apply to documents and records, either from internal or external origin (clause 7.5.3), required by the standard and those defined as necessary by the organization itself for the operation of its ISMS (clause 7.5.1), to ensure that the latest version is available for use and adequately protected.

These are the things the auditor will be looking for; if they are not found, this is considered a nonconformity.