Documenting the record control
Answer: Yes, you are right - this is the requirement from ISO 27001:2005.
So it is safe to say that an organization shall have five documented procedures: the four which you have mentioned plus one for records control. Of course, the organization has the flexibility to have one documented procedure for both document and record control.
Answer: I agree with you only partially - you could write a fifth procedure for records management; however, best practice is to document records management in each policy or procedure which requires the creation of records. For example, if your Access control policy requires written approval of privileges, then this same Access control policy can define how these approval records are created, where they are stored, how they are protected, etc.
In most cases, you would create a table at the end of each policy/procedure where you would specify those rules for all the records.
(By the way, ISO 27001:2013 does not require documenting 4 mandatory procedures you referred to - this was the requirement from the old ISO 27001:2005.)
Jan 12, 2016