ISMS-DOC-07-3 Procedure for the Control of Documented Information

Procedure for the Control of Documented Information

ISO/IEC 27001 Toolkit: Version 12 ©CertiKit

[Insert classification]

Implementation guidance

The header page and this section, up to and including Disclaimer, must be removed from the final version of the document. For more details on replacing the logo, yellow highlighted text and certain generic terms, see the Completion Instructions document.

Purpose of this document

This document describes the controls in place for naming and versioning of documents and associated attributes.

Areas of the standard addressed

The following areas of the ISO/IEC 27001 standard are addressed by this document:

• 7 Support

  o 7.5 Documented information

    ▪ 7.5.1 General

    ▪ 7.5.2 Creating and updating

    ▪ 7.5.3 Control of documented information

General guidance

You may decide to change the version control scheme suggested in this document if it differs from that already in use within your organization. If you currently have a quality management system in other areas of your business such as ISO9001 then it may be preferable to make use of existing procedures for document control.

Note that the printing and physical signing of approved documents is not a necessity; auditors will generally accept other methods of showing that a document has been officially approved such as digital signing and the use of an “Approved” folder structure.

You may find that many of the decisions about naming conventions for system generated records etc. have already been made by the developers of the software in use for example for security monitoring. However, you will still need to consider how to manage relevant records that are often fairly uncontrolled such as meeting minutes and reports.

You will need to establish the differing types of documented information you have and their owners before agreeing a consistent method of control. Ideally you will document any resulting procedures as part of the ISMS.


Review frequency

We would recommend that this document is reviewed annually.

Document fields

This document may contain fields which need to be updated with your own information, including a field for Organization Name that is linked to the custom document property “Organization Name”.

To update this field (and any others that may exist in this document):

1. Update the custom document property “Organization Name” by clicking File > Info > Properties > Advanced Properties > Custom > Organization Name.

2. Press Ctrl A on the keyboard to select all text in the document (or use Select, Select All via the Editing header on the Home tab).

3. Press F9 on the keyboard to update all fields.

4. When prompted, choose the option to just update TOC page numbers.

If you wish to permanently convert the fields in this document to text, for instance, so that they are no longer updateable, you will need to click into each occurrence of the field and press Ctrl Shift F9.

If you would like to make all fields in the document visible, go to File > Options > Advanced > Show document content > Field shading and set this to “Always”. This can be useful to check you have updated all fields correctly.

Further detail on the above procedure can be found in the toolkit Completion Instructions. That document also contains guidance on working with the toolkit documents on an Apple Mac, and in Google Docs/Sheets.

Copyright notice

Except for any specifically identified third party works included, this document has been authored by CertiKit, and is ©CertiKit except as stated below. CertiKit is a company registered in England and Wales with company number 6432088.


Licence terms

This document is licensed on and subject to the standard licence terms of CertiKit, available on request, or by download from our website. All other rights are reserved. Unless you have purchased this product you only have an evaluation licence.

If this product was purchased, a full licence is granted to the person identified as the licensee in the relevant purchase order. The standard licence terms include special terms relating to any third party copyright included in this document.

Disclaimer

Please Note: Your use of and reliance on this document template is at your sole risk. Document templates are intended to be used as a starting point only from which you will create your own document and to which you will apply all reasonable quality checks before use.

Therefore, please note that it is your responsibility to ensure that the content of any document you create that is based on our templates is correct and appropriate for your needs and complies with relevant laws in your country.

You should take all reasonable and proper legal and other professional advice before using this document.

CertiKit makes no claims, promises, or guarantees about the accuracy, completeness or adequacy of our document templates; assumes no duty of care to any person with respect to its document templates or their contents; and expressly excludes and disclaims liability for any cost, expense, loss or damage suffered or incurred in reliance on our document templates, or in expectation of our document templates meeting your needs, including (without limitation) as a result of misstatements, errors and omissions in their contents.


Procedure for the Control of Documented Information

DOCUMENT CLASSIFICATION: [Insert classification]
DOCUMENT REF: ISMS-DOC-07-3
VERSION: 1
DATED: [Insert date]
DOCUMENT AUTHOR: [Insert name]
DOCUMENT OWNER: [Insert name/role]

Revision history

VERSION | DATE | REVISION AUTHOR | SUMMARY OF CHANGES

Distribution

NAME | TITLE

Approval

NAME | POSITION | SIGNATURE | DATE
Contents

1 Introduction
2 Document control procedure
2.1 Overview
2.2 Creation of documents
2.2.1 Naming convention
2.2.2 Version Control
2.2.3 Document status
2.2.4 Documents of external origin
2.3 Document review
2.4 Document approval
2.5 Communication and distribution
2.6 Review and maintenance of documents
2.7 Archival of documents
2.8 Disposal of documents
3 Records lifecycle
3.1 Identification
3.2 Storage
3.3 Protection
3.4 Retrieval
3.5 Retention
3.6 Disposal

Figures

Figure 1: Document control procedure

Tables

Table 1: Document subject area references
Table 2: Revision history
Table 3: Document review guidelines
Table 4: Document approval boards
Table 5: Document approval
Table 6: Distribution list


1 Introduction

“Documented information” is defined by ISO as “information required to be controlled and maintained by an organization and the medium on which it is contained”. This term covers what used to be referred to as “documents and records” and for reasons of clarity this procedure still draws a distinction between these two types of documented information.

The use of documented information is an essential part of the Information Security Management System (ISMS) in order to set out management intention, provide clear guidance about how things should be done and provide evidence of activities that have been performed.

The ISO/IEC 27001 standard requires that all documented information that makes up the ISMS must be controlled to ensure that it is available and suitable for use, where and when needed, and is adequately protected. Such control is essential in order to ensure that the correct processes and procedures are always in use within the organization and that they remain appropriate for the purpose for which they were created.

The general principles set out in the standard and adopted within this procedure are that all documented information must be:

• Readily identifiable and available

• Dated, and authorised by a designated person

• Legible

• Maintained under version control and available to all people and locations where relevant activities are performed

• Promptly withdrawn when obsolete and retained where required for legal or knowledge preservation purposes

This procedure sets out how this level of control will be achieved within [Organization Name].


2 Document control procedure

This procedure applies to “documents” (as opposed to “records” which are covered later) which are generally created via a word processor (or similar office application) and describe management intention such as policies, plans and procedures.

2.1 Overview

The overall process of control for documents is shown in the diagram below.

Figure 1: Document control procedure


Each of these steps is described in more detail in the remaining sections of this procedure.

2.2 Creation of documents

The creation of documents will be at the request of the [Organization Name] management team and may be done by any competent individual appropriate to the subject and level of the document. However, there are several rules that must be followed when creating a document to be used in the ISMS.

2.2.1 Naming convention

The convention for the naming of documents within the ISMS is to use the following format:

ISMS DOC xx yy (zz) Document Title Vn Status dd

Where…

• ISMS: Information Security Management System

• DOC: Document

• xx: Subject area reference (see Table 1)

• yy: Unique document number (or, for controls, a control reference)

• zz: for controls only, a unique document number

• Document Title: Meaningful description of document

• Vn: Version number

• Status: Status of document (Draft or Final)

• dd: Number of draft, if applicable

A unique number will be allocated for each document and an index of document references maintained within the ISMS Quality System; see the Information Security Management System Documentation Log for more details.

Subject area references are designed to map onto the sections of the ISO/IEC 27001 standard as follows (further subject areas may be created as required):

SUBJECT AREA REFERENCE | ISO/IEC 27001 SUBJECT AREA
00 | Introduction and project resources
01 | Scope
02 | Normative references
03 | Terms and definitions
04 | 4. Context of the organization
05 | 5. Leadership
06 | 6. Planning
07 | 7. Support
08 | 8. Operation
09 | 9. Performance evaluation
10 | 10. Improvement
A05 | A5. Organizational controls
A06 | A6. People controls
A07 | A7. Physical controls
A08 | A8. Technological controls

Table 1: Document subject area references

2.2.2 Version Control

Document version numbers will consist of a major number only. For example, V2 is Version 2.

When a document is created for the first time it will have a version number of 1 and be in a status of Draft. Each time a draft is distributed, any further changes will result in the draft number being incremented by 1 for example from 1 to 2.

For example, when a document is first created it will be Version 1 Draft 1. A second draft will be V1 Draft 2 etc. When the document is approved it will become V1 Final.

The version number will be incremented when a subsequent version is created in draft status.

For example, a revision of an approved document which is at V1 Final will be V2 Draft 1 then V2 Draft 2 etc. until approved when it will become V2 Final.

Documents must include a revision history as follows:

VERSION | DATE | REVISION AUTHOR | SUMMARY OF CHANGES

Table 2: Revision history


Once the document reaches its final version, only approved versions should be recorded in this table.
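The naming convention in 2.2.1 and the draft/version rules in 2.2.2 can be checked mechanically, which helps when reviewing what has been placed in an “Approved” folder or logged in the Documentation Log. The following Python script is an added example and is not part of the CertiKit template: it parses names of the form ISMS DOC xx yy (zz) Document Title Vn Status dd, validates the subject area against Table 1, and applies the Draft/Final/version transitions described above. Two assumptions are made: the zz token is accepted only for the A05 to A08 areas (the text says zz is for controls only), and the sample document names in the code are constructed for illustration.

```python
"""Parse and validate ISMS document names of the form
   ISMS DOC xx yy (zz) Document Title Vn Status dd
and apply the Draft/Final/version transitions of section 2.2.2.

Added example, not part of the CertiKit template. Assumption: a third
numeric token (zz) is only accepted for the control areas A05..A08.
"""
import re
from dataclasses import dataclass, replace
from typing import Optional

# Subject area references from Table 1: 00-10 and A05-A08.
SUBJECT_AREAS = {f"{n:02d}" for n in range(0, 11)} | {"A05", "A06", "A07", "A08"}

# Status is either "Final" (no draft number) or "Draft dd".
_NAME_RE = re.compile(
    r"^ISMS DOC (?P<area>\S+) (?P<yy>\S+)(?: (?P<zz>\d+))? "
    r"(?P<title>.+?) V(?P<version>[1-9]\d*) "
    r"(?:(?P<final>Final)|Draft (?P<draft>[1-9]\d*))$"
)


@dataclass(frozen=True)
class DocName:
    area: str                   # xx: subject area reference (Table 1)
    number: str                 # yy: document number, or control reference for A-areas
    control_doc: Optional[str]  # zz: document number within a control (A-areas only)
    title: str
    version: int                # n in Vn
    draft: Optional[int]        # dd; None means status Final

    @property
    def status(self) -> str:
        return "Final" if self.draft is None else f"Draft {self.draft}"

    def __str__(self) -> str:
        head = ["ISMS", "DOC", self.area, self.number]
        if self.control_doc is not None:
            head.append(self.control_doc)
        return " ".join(head + [self.title, f"V{self.version}", self.status])


def parse_document_name(name: str) -> DocName:
    """Return the parsed name or raise ValueError if it breaks the convention."""
    m = _NAME_RE.match(name)
    if not m:
        raise ValueError(f"does not follow the ISMS naming convention: {name!r}")
    area = m.group("area")
    if area not in SUBJECT_AREAS:
        raise ValueError(f"unknown subject area reference {area!r} (see Table 1)")
    zz, title = m.group("zz"), m.group("title")
    if zz is not None and not area.startswith("A"):
        # Assumption: zz exists only for control documents, so for the
        # clause areas a leading numeric token is part of the title.
        title, zz = f"{zz} {title}", None
    draft = m.group("draft")
    return DocName(area, m.group("yy"), zz, title, int(m.group("version")),
                   int(draft) if draft is not None else None)


def next_draft(doc: DocName) -> DocName:
    """Draft n -> Draft n+1 of the same version (a further draft was distributed)."""
    if doc.draft is None:
        raise ValueError("a Final document cannot get a new draft; use revise()")
    return replace(doc, draft=doc.draft + 1)


def approve(doc: DocName) -> DocName:
    """Draft n -> Final, keeping the version number."""
    if doc.draft is None:
        raise ValueError("document is already Final")
    return replace(doc, draft=None)


def revise(doc: DocName) -> DocName:
    """Final -> next version, Draft 1."""
    if doc.draft is not None:
        raise ValueError("only an approved (Final) document can be revised")
    return replace(doc, version=doc.version + 1, draft=1)


def is_valid_transition(old: str, new: str) -> bool:
    """True if `new` is a permitted successor of `old` under section 2.2.2."""
    try:
        a, b = parse_document_name(old), parse_document_name(new)
    except ValueError:
        return False
    if (a.area, a.number, a.control_doc, a.title) != (b.area, b.number, b.control_doc, b.title):
        return False
    successors = []
    for step in (next_draft, approve, revise):
        try:
            successors.append(step(a))
        except ValueError:
            pass
    return b in successors


if __name__ == "__main__":
    # Constructed sample: this document's own reference, walked through its lifecycle.
    doc = parse_document_name(
        "ISMS DOC 07 3 Procedure for the Control of Documented Information V1 Draft 1")
    for step in (next_draft, approve, revise):
        doc = step(doc)
        print(doc)  # ... V1 Draft 2, ... V1 Final, ... V2 Draft 1
```

Running the script walks one document through a second draft, approval and the start of version 2. The `is_valid_transition` check is the piece a reviewer would reuse: given the previous approved name and a newly submitted one, it rejects skipped draft numbers, a Final that carries a draft number, or a version bump without an intervening approval.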

2.2.3 Document status

The status reflects the stage that the document is at, as follows:

• Draft: Under development and discussion i.e. it has not been approved

• Final: Following approval and release into live work environment

2.2.4 Documents of external origin

Documents that originate outside of the organization, but form part of the ISMS will be allocated a reference and a header page attached at the front of the document, setting out information that is normally included in internal documents i.e.:

• Document reference

• Version

• Date

• Status

• Distribution

Such documents will then be subject to the same controls as those that originate internally.

2.3 Document review

Draft documents will be reviewed by a level and number of staff appropriate to the document content and subject.

Guidelines are as follows:

DOCUMENT TYPE | REVIEWERS
Strategy | [Name/title of reviewer]
Policy | [Name/title of reviewer]
Procedure | [Name/title of reviewer]
Plan | [Name/title of reviewer]

Table 3: Document review guidelines


Once approved, the date of next scheduled review should be recorded in the Information Security Management System Documentation Log.

2.4 Document approval

All documents must go through an approval board to ensure that they are correct, fit for purpose and produced within local document control guidelines. The board will differ dependent upon the type of document and may go to numerous groups prior to being approved.

In standard terms, approval boards are:

DOCUMENT TYPE | APPROVERS
Strategy | [Name/title of approver]
Policy | [Name/title of approver]
Procedure | [Name/title of approver]
Plan | [Name/title of approver]

Table 4: Document approval boards

Each document that requires approval should have a table for the purpose as shown below:

NAME | POSITION | SIGNATURE | DATE

Table 5: Document approval

Once approved a copy of the document must be printed and signed by the approver. [Note you may choose to do this electronically rather than by printing a copy]. This copy will then be retained in a central file.

Upon approval of a new version of a document, all holders of previous versions will be instructed to obtain a new version and destroy the old one.

2.5 Communication and distribution

A distribution list will be included as follows:

NAME | TITLE

Table 6: Distribution list

This list must be accurate as it will be used as the basis for informing users of the document that a new version is now available.

2.6 Review and maintenance of documents

All final documents must be stored electronically and in paper format both locally and off site to ensure that they are accessible in any given situation.

ISMS documents are stored electronically on the shared drive under the relevant sub folder (for example Management responsibility, Management review etc.). The drive is a shared drive to which all appropriate members of [Organization Name] have access, in line with the published Access Control Policy.

Final documents are stored in paper format in a filing structure that mimics the electronic version. [State the location of the paper files].

A full copy of final documentation will be reproduced and stored within the Definitive Media Library.

2.7 Archival of documents

Approved documents exceeding their useful life are stored in a Superseded Folder on the shared drive in order to form an audit trail of document development and usage. They should be marked as being superseded in order to prevent them being used as a latest version by mistake.

2.8 Disposal of documents

Paper copies of approved documents that have been superseded are to be disposed of in secure bins or shredded, in line with agreed Asset Handling Procedures.


3 Records lifecycle

This section describes the control of the type of documented information that generally shows what has been done i.e. is a “record” of activity, such as a completed form, security log or meeting minutes.

3.1 Identification

There is a variety of types of record that may form part of the ISMS and these will be associated with the specific processes that are involved, such as:

• Security incidents

• Change requests

• Configuration items

• Security event logs

In addition, there will be more general items such as meeting minutes which could apply across processes. In terms of identification, in many cases this will be dictated by the tool creating the record, for example a unique numbering system such as INC000001 for security incidents or CHG000001 for changes will be used by the tool.

For those records that are manually created the following rules will apply:

1. Meeting minutes will be named according to the subject of the meeting and the date

2. Reports will be named according to the subject of the report and the reporting period

3. Logs will be named with the title of the log and the date/time period covered

For any other types of record not covered, the creator should use common sense to ensure that the name chosen gives a good indication as to the contents of the file and it should be stored in a location relevant to its purpose.

3.2 Storage

Many records within the ISMS will be stored in application databases specifically created for the purpose, for example the security incident database.

For non-database records, a logical filing structure will be created according to the area of the ISMS involved.

[Describe the filing structure on your server in which you will store your ISMS records]

Where possible, all records will be held electronically; paper documents should be scanned in if an original electronic copy is not available.



3.3 Protection

Records held in application databases will be subject to regular backups in line with the agreed backup policy. File storage areas will also be backed up regularly, with all latest backups held at an offsite location.

Access to the records will be restricted to authorised individuals in accordance with the [Organization Name] Access Control Policy.

3.4 Retrieval

Records will generally be retrieved via the application that created them, for example the service desk system for security incidents and an event viewer for logs.

Reporting tools will also be used to process and consolidate data into meaningful information.

3.5 Retention

The period of retention of records within the ISMS will depend upon their usefulness to [Organization Name] and any legal, regulatory or contractual constraints. Security related service desk records are useful for historical trend analysis and so will be kept for a period of at least seven years. Care will be taken where records may have some commercial relevance in the event of a dispute, for example contracts and minutes of meetings with suppliers, and these should be kept for the same length of time.

Records that are particularly detailed and only relevant for a short period of time such as server event logs should only be kept if there is an immediate requirement for them.

Specific retention periods are set out in the Records Retention and Protection Policy.

3.6 Disposal

Many systems provide for the concept of archiving and in most cases this should be used rather than deletion. However, once it has been decided to dispose of a set of records, they should be deleted using the appropriate software; for example, the service desk system will provide a facility to delete security incident records.

If such records are held on hardware that is also to be disposed of then all hard disks must be shredded by an approved contractor.


Paper copies of records that are to be disposed of should be shredded in line with agreed Asset Handling Procedures.
