CISO and document management
Two questions arose regarding the documentation toolkit for ISO 27001:
1. Is it okay if a Chief Information Security Officer (CISO) also releases documents (instead of the CEO)?
2. Can we omit the chapter "Managing records kept on the basis of this document" for the document "00_Procedure_for_Document_and_Record_Control"?
Thank you in advance!
1. Is it okay if a Chief Information Security Officer (CISO) also releases documents (instead of the CEO)?
Answer: I’m assuming that by “releases” you mean “approves”.
Considering that, apart from the Information Security Policy, which needs to be approved by top management (usually the CEO when the scope is the whole organization, or the top role within the ISMS scope when the scope does not cover the whole organization), ISO 27001 does not prescribe who needs to approve documents, other documents can be approved by the CISO.
If by "release" you mean making documents available and communicating them to relevant personnel, these activities are usually performed by roles like the CISO or the quality manager (top management usually only approves documents).
For further information, see:
- Document management in ISO 27001 & BS 25999-2 https://advisera.com/27001academy/blog/2010/03/30/document-management-within-iso-27001-bs-25999-2/
- What is the job of Chief Information Security Officer (CISO) in ISO 27001? https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/
This material will also help you regarding document management:
- Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/
2. Can we omit the chapter "Managing records kept on the basis of this document" for the document "00_Procedure_for_Document_and_Record_Control"?
Answer: In theory, you can, but since it is highly unlikely that an organization does not require any document of external origin for the purposes of its ISMS, you would need to register how to handle incoming mail (which is the record suggested for this section in this procedure) in some other place, which would only increase your effort to maintain documentation.
Examples of external documents to be controlled are laws (e.g., SOX and the EU GDPR), standards and regulations (e.g., ISO 27001 itself), and documents and records from customers, suppliers, and partners (e.g., contracts, service agreements, product/service specifications, operation manuals, etc.).
For further information, see:
- Records management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/
May 14, 2021