Control of documents

Guest user Created:   Jun 02, 2018 Last commented:   Jun 02, 2018

We are a small datacentre operating in XXXXX and we are in the process of implementing ISO27001. The business has grown from a small family company and thus lacks a lot of documentation (which is mainly in my head!).
Expert
Rhand Leal Jun 02, 2018

My question is relating to the structure of the documentation, I'm writing the documentation on XXXX and it's going to be (initially) located in a XXXXX.

I want to make the structure as easy to read/use as possible, so I'm thinking of having sub-folders for the likes of Employee procedures, Data-protection policies, and then the ISMS.

However, some documentation which would be intended for Employee use (e.g. Computer Acceptable Use Policy) would also form a policy under the ISMS for ISO27001. The same applies for Data Protection Policies (such as Data Portability procedures) - this would be covered in the ISMS and Data Security, so I'm uncertain where to locate it.

I guess to cut a long story short, everything I've seen seems to suggest placing all procedures and policies in the ISMS folder, but logically to me that wouldn't work.

Can you offer any advice?

Answer: ISO 27001 does not prescribe how you must organize your documents, so you can place them in whatever way is most useful and easiest for your employees to understand.

My suggestion to you is to keep in the ISMS folder only the high-level policies and procedures (e.g., information security policy, document control procedure, internal audit procedure, etc.), and keep specific policies and procedures in the folders most related to them (e.g., the backup policy could be kept in the folder that contains the IT staff documentation).

These articles will provide you with further explanation about document control:
- 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
- One Information Security Policy, or several policies? https://advisera.com/27001academy/blog/2013/06/18/one-information-security-policy-or-several-policies/
- Records management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/
