A.18.1.3 Protection of Records
First, it is important to note that "ISMS documents" do not refer only to documents required by the standard (such as the Information security policy), but also to any other documents and records your organization sees as relevant to the ISMS defined purpose and objectives, like project specifications, contracts, etc.
Considering that, if you identify relevant risks or legal requirements (e.g., laws, regulations, or contracts) demanding the implementation of control A.18.1.3 for these other documents, then you must apply the control to them also.
If the documents and records are not related to the ISMS, you can still apply the control, as a good practice, but they will not have an impact on any certification process.
As for ways of protection of such documentation, some examples are:
- physical cabinets
- backup copies
- digital signatures
The choice of protection will depend on the risks identified during the risk assessment.
Apr 29, 2020