Documentation retention period
Answer:
ISO 27001 does not prescribe retention periods for documents, but requires an organization to define them, and you can do that based on legal requirements (e.g., contracts, laws, regulations, etc.) the organization must comply with, business needs, and results of risk assessment.
As one example, you can consider that for an ISO 27001 certified ISMS, you must retain obsolete documents at least until the next certification audit (i.e., a three-year retention period).
This article will provide you with further explanation about control of documents:
- Document management in ISO 27001 & BS 25999-2 https://advisera.com/27001academy/blog/2010/03/30/document-management-within-iso-27001-bs-25999-2/
This material will also help you regarding control of documents:
- Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/
May 28, 2019