Guest user Created: Apr 14, 2022 Last commented: Apr 14, 2022

Creating, reviewing, and approving documents

Who shall create, review, and approve documents (i.e., policies and procedures) for ISO 27001? The practice in our organizations is that all Corporate Service Unit Heads that would be affected by the documents need to sign will be "Endorsers" for the documents. I would like to propose that they minimize number of approvers. But I need justification for the proposal. I just need a justification for reducing number of signatories for the documents so that the routing would be lessen. I mean the governance team would be the signatories instead of a lot in the list.

0 2

Assign topic to the user

Select user

Expert

Rhand Leal Apr 14, 2022

Except by the top-level Information Security Policy, which is required to be approved by top management, ISO 27001 does not prescribe who needs to create, review, and approve documents for ISO 27001, so organizations can define these roles as best they fit their needs.

Considering that, operationally speaking, you can justify that the reduction of the number of signatories will make the approval process more efficient.

Good practice is that one person from the top management approves the document, and a couple of relevant people review the document before it is approved - this makes the process faster, and the documents better.

For further information, see:
- How to manage documents according to ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2021/06/27/how-to-manage-documents-according-to-iso-27001-and-iso-22301/

Quote

0 0

Comment as guest or Sign in

HTML tags are not allowed

Name *

Email *

I accept the Privacy and Terms

Notify me when someone replies

Apr 14, 2022

Expert Advice Community