Expert Advice Community

CISO and document management

Guest user Created: May 14, 2021 Last commented: May 14, 2021

Two questions arose regarding the documentation toolkit for ISO 27001:

1. Is it okay if a Chief Information Security Officer (CISO) also releases documents (instead of the CEO)?
2. Can we omit the chapter "Managing records kept on the basis of this document" for the document "00_Procedure_for_Document_and_Record_Control"?

Thank you in advance!


Expert
Rhand Leal May 14, 2021

1. Is it okay if a Chief Information Security Officer (CISO) also releases documents (instead of the CEO)?

Answer: I’m assuming that by “releases” you mean “approves”.

Considering that, besides the Information Security Policy, which needs to be approved by top management (usually the CEO when the scope is the whole organization, or the top role within the ISMS scope when the scope does not cover the whole organization), ISO 27001 does not prescribe who needs to approve documents, so other documents can be approved by the CISO.

If by release you mean making documents available and communicating them to relevant personnel, these activities are usually performed by roles like the CISO, or the quality manager (top management usually only approves documents).

For further information, see:
- Document management in ISO 27001 & BS 25999-2 https://advisera.com/27001academy/blog/2010/03/30/document-management-within-iso-27001-bs-25999-2/
- What is the job of Chief Information Security Officer (CISO) in ISO 27001? https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/

This material will also help you regarding document management:
- Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/


2. Can we omit the chapter "Managing records kept on the basis of this document" for the document "00_Procedure_for_Document_and_Record_Control"?

Answer: In theory, you can, but since it is highly unlikely that an organization does not require any document of external origin for the purposes of its ISMS, you would need to register how to handle incoming mail (which is the record suggested for this section in this procedure) somewhere else, which would only increase your effort to maintain documentation.

Examples of external documents to be controlled are laws (e.g., SOX and the EU GDPR), standards and regulations (e.g., ISO 27001 itself), and documents and records from customers, suppliers, and partners (e.g., contracts, service agreements, product/service specifications, operation manuals, etc.).

For further information, see:
- Records management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/
