Document control
We have started the work and we do have the following question: when talking about the control of documents in paragraphs 3 and 4 (internal and external documents), does that mean the ISO process documents or all documents within the organisation, i.e. invoices/quotations/mail, etc.?
Answer: ISO requirements for document control refer to:
- documented information required by the Standard (e.g., results of risk assessment and treatment, internal audit program and reports, etc.)
- documented information determined by the organization as necessary for the ISMS
Considering that, for the organization's documents you must include only those related to the ISMS scope, i.e., the information you want to protect, and this most likely won't mean all information, either because it would be too expensive to protect all of it, or because of the different values it has to the business.
This article will provide you further explanation about document control:
- Document management in ISO 27001 & BS 25999-2 https://advisera.com/27001academy/blog/2010/03/30/document-management-within-iso-27001-bs-25999-2/
This material will also help you regarding document control:
- Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/
Sep 06, 2019