Documenting the record control

Guest user Created:   Jan 12, 2016 Last commented:   Jan 12, 2016

In my opinion, in addition to the four documented procedures which you had mentioned, an organization shall document and implement controls needed for the identification, storage, protection, retrieval, retention and disposition of records. While elaborating the controls, it will become mandatory to document the activities, responsibility, authority, time frame etc. Eventually it results in documenting and implementing a procedure for control of records.

DejanK Jan 12, 2016

Answer: Yes, you are right - this is the requirement from ISO 27001:2005.

So it is safe to say that an organization shall have five documented procedures. In addition to the four which you have mentioned plus one for records control. Of course the organization has the flexibility to have one documented procedure for document and record control.

Answer: I agree with you only partially - you could write a fifth procedure for records management; however, best practice is to document records management in each policy or procedure which requires creation of records. For example, if your Access control policy requires written approval of privileges, then this same Access control policy can define how these approval records are created, where they are stored, how they are protected, etc.

In most cases, you would create a table at the end of each policy/procedure where you would specify those rules for all the records.

(By the way, ISO 27001:2013 does not require documenting 4 mandatory procedures you referred to - this was the requirement from the old ISO 27001:2005.)
