Dear support,
I see that Document Control is not on the list of mandatory documents.
Do we still need that division by confidentiality levels, or can we proceed without this procedure?
Or maybe it is highly recommended?
We are already 9001 certified, and not using the Document control procedure there.
Thank you!
First, it is important to note that Document control and confidentiality levels (i.e., information classification) are different things.
Control of documents and records is a requirement of the standard (one that does not need to be documented), while information classification is one of the information security controls from ISO 27001 Annex A.
Considering that, the use of the information classification control to identify confidentiality levels is needed only if your organization has relevant risks, or legal requirements (e.g., laws, regulations, or contracts) demanding the implementation of this control. If no such situations occur, you do not need to implement information classification.
This article will provide you with a further explanation about information classification:
- Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
Oct 28, 2020