ISO 27001 & 22301 - Expert Advice Community


  • Documents and records

    1 - A further point to the below on when a document can become a record.

    This is the principle in the document change history section of documents, that I’ve been basing our document version control journey on:

    V0.1, v0.2, v0.3, v0.4 = Drafts

    V1.0 = Approved version based upon v0.4

    V1.1, V1.2, V1.3 = Updates to the v1.0. Draft status.

    V2.0 = Approved version based upon v1.3

    V2.1, V2.2, V2.3, V2.4 = Drafts

    V2.4 is reviewed and approved

    V3.0 = New approved version.

    I had thought that as soon as a document has approved status then it becomes a record. At that point the document, which is now in the record log, is subject to the controls regarding assigning an owner that must check the content on a given review date to ensure that the information and data contained within the document is accurate, current and relevant.

    From the advice you have given, I realise I have misunderstood what a record can be and also the control that applies to records. The above example of a document, from what you are saying, is not to be considered a record. However, the quality control still needs to take place to review all documents that have information and data in them for their accuracy and relevance etc.?

    2 - Records cannot be edited or amended and they have retention periods, whereas documents are only required up until the point that they are useful to the business. Therefore, all previous versions of documents can be archived or deleted. Is this a correct statement?

    3 - A secondary point, is the above example of version control a good practice approach or am I leading our team down the wrong path?

  • Change management

    May I ask if change management is required by ISO 27001? If yes, could you please share your resources with me?

  • Is it necessary to supply the assessor with a record of the router configuration?

    Hi. I have a question relating to ISO27001. Under an ISO audit, is it necessary to supply the assessor with a record of the router configuration?

  • ISO 27001 Asset-based risk assessment

    Quick question, please. When doing an ISO 27001 asset-based risk assessment, do I keep the assets that have no impact on information security in the risk assessment matrix, or do I only keep assets that have an impact on information security?

  • Define and formalize a Top Management involvement strategy

    Hello,

    Can you please advise me how to define and formalize a top management involvement strategy?

  • Information Security Incident or Business Continuity Disruption

    If a customer has a business continuity disruption that affects the availability of information, must they log it as an InfoSec incident AND a BCMS disruption? How should they go about assessing which system to manage it under?

  • List of referenced risks and numbers

    On the example of the Risk Treatment Plan used in the ISO 27001 online training, there was mention of reference to risks like:
    Risk no 16. Unavailability of electronic records due to accidental loss.
    Risk no 32. Laptops could be stolen by external persons.
    How do I get a list of these referenced risks and numbers?

  • Key elements of ISO 27001

    The Ministry of Justice is requiring ISO27001 of the charities providing resettlement services, some as small as £100k turnover.

    I have been asked, for tomorrow, to explain it to them. What are the key elements that I could explain in 5 minutes?

    Looking online I see a lot about process and reports, not much about what technology they have to have in place.

    Hope you can help!