CHAPTER 8: DOCUMENTATION AND RECORDS

One of the key reasons for designing and implementing a management system is to enable the organisation to move beyond what is known, in the terms of the capability maturity model, as an ‘ad hoc’ organisation. An ad hoc organisation is one that has ‘no fixed processes, or procedures, results depend very much on individual performance, and a lot of people’s time is spent on “fire fighting”, fixing bugs in software, and resolving incidents’.1

ISO9001:2008 is a well-known and widely implemented quality assurance or business process management system. If the organisation does not already have an existing ISO9001 certified management system and needs guidance on the documentation and document control covered by Clause 7.5 of ISO27001, then it should obtain and use the guidance in any current manual on the implementation of ISO9001.

Note that the ISO27001 specifications for document control (7.5.3) reflect those contained in ISO9001:2008, where they are numbered 4.2.3 and 4.2.4.

Document control requirements

ISO27001 explicitly requires the management system to be documented. Control A.12.1.1 explicitly requires security procedures to be documented, maintained and made available to all users who need them. Other explicit documentation requirements in Annex A include:

•  A.5.1.1: policies for information security;

•  A.6.1.1: documented roles and responsibilities for human resources security;

•  A.8.1.3: acceptable use of assets;

•  A.9.1.1: access control policy;

•  A.18.1.1: identification of applicable legislation.

Many of the other controls require ‘formal’ procedures or ‘clear’ communication; while these could technically be achieved without being documented, the expectation is that all processes and procedures will be.

Contents of the ISMS documentation

Documentation has to be complete, comprehensive, in line with the requirements of the Standard and tailored to suit the needs of individual organisations. The ISMS must be fully documented. ISO27001 describes the minimum documentation that should be included in the ISMS.

Not every organisation has to implement an equally complex documentation structure. The Standard notes that ‘the extent of documented information for an [ISMS] can differ from one organisation to another due to […] the size of the organisation and its type of activities and their interactions’.2

With the release of ISO 27001:2013, there is no longer a distinction between documents and records, and both are subject to the same requirements. Regardless, organisations may find it useful to maintain this distinction, especially if an ISO9001 Quality Management System (QMS) is in place, since ISO9001 does maintain it.

There are specific records that the organisation has to keep in the ordinary course of its business and these will be subject to a variety of legislative and regulatory retention periods. Records that provide evidence of the effectiveness of the ISMS are of a different nature from those records that the ISMS exists to protect, but, nevertheless, these records must themselves be controlled and must remain legible, readily identifiable and retrievable. This means that, particularly for electronic records, a means of accessing them must be retained even after the hardware and software used to create them have been upgraded.

Annex A document controls

There are further document-related controls in Annex A that should be included in the document control aspects of the ISMS. They are all important controls in their own right. These controls are:

•  A.8.2.1: classification of information, which deals with confidentiality levels;

•  A.8.2.2: labelling of information, which deals with how confidentiality levels are marked on information and information media;

•  A.8.2.3: handling of assets, which deals with procedures for handling assets in accordance with their classification;

•  A.18.1.3: protection of records, which deals with document retention;

•  A.18.1.4: privacy and protection of personally identifiable information, which deals with the confidentiality of personal information.

1 IT Service CMM: A Pocket Guide, Van Haren, 2004, page 24.

2 ISO/IEC 27001:2013, 7.5.1, General, note b.
