Documents - Classification plan & storage for process documents like policies
1 - Here is the practice I've found (part 1): After reading one of your articles (https://advisera.com/27001academy/blog/2013/06/18/one-information-security-policy-or-several-policies/) I found that I just had to cut things into smaller pieces. Your article is also a nice argument since the architect manager had told me he prefers bible documents, and my manager doesn't like the idea at all. That article really is a great help for me. Thanks for writing it. You're the only expert to provide such information on policy organization. After reading an article from another expert I've also decided to cut the documents per Management System and to respect an integration logic. Here are the systems to integrate at the document level I've already listed: QMS, SMS, ISMS, PMS, UMS, CMS, OHSMS, FSMS, EMS. I hope this is the right logic since your article is not covering the integration aspect of policy management. What's your opinion?
Your logic is sound because you are separating the systems according to their core processes.
Regarding integration of policy management, ISO management systems have a lot of requirements in common, which allow using single documents with minor adjustments to cover core issues from several management systems (e.g., document and record control, internal audit, management review, corrective actions, etc.).
For further information, see:
- How to implement integrated management systems https://advisera.com/blog/2015/10/05/how-to-implement-integrated-management-systems/
Here is where I'm stuck: For the moment I've found that document storage should be organized with a classification plan that should reflect the process logic. It sounds quite reasonable even if it is hard to visualize a SharePoint site design per process. I've also found that policies are produced by pilot processes. So OK, but policies are also used by operational managers as entry points when designing their own processes. From that point on I'm stuck. How do classification plans manage the documents that are shared between process owners? I've not been able to find examples of IT documentation storage yet to help me find the answer to that question or to find out if the "process logic" was the correct goal for IT process document classification. Is there something about classification plans for process documents in security standards? Can you give me hints or advice so I can start writing a classification plan that can be used by SharePoint experts to build a nice & secure documentation site to host the old documents and the new policies? Thanks.
If I understood correctly, you are asking about access control management. ISO 27001 does not prescribe how to do that, only main guidelines on what you need to achieve, so you can use any logic that fits the organization's needs.
Considering that, to build the structure you need to allow people to have access only to the documents they need to do their work, you should consider developing access control profiles according to required needs. In this case, you should:
- list all documents that need to be accessed
- identify which roles/persons need to access each document, and with which rights
- group documents that have similar access requirements in profiles
As for roles/persons you can have, for example, developers, managers, architects, a specific person, etc. As for access rights you can have, for example, read access and edit access.
As for the idea of “process logic”, you can use it as a base for your profiles. Something like:
- Pilot processes: roles/persons that need to develop/edit all documents
- Pilot processes – step 1: roles/persons that need to develop/edit documents related to step 1
- Pilot processes – step 2: roles/persons that need to develop/edit documents related to step 2
- Pilot processes – step n: roles/persons that need to develop/edit documents related to step n
- Operational processes: roles/persons that need only read access to all documents
- Operational processes – step 1: roles/persons that need only read access to documents related to step 1
- Operational processes – step 2: roles/persons that need only read access to documents related to step 2
- Operational processes – step n: roles/persons that need only read access to documents related to step n
Since you’ve mentioned international access, you can further detail profiles by classifying them according to countries (e.g., Operational processes – step n – country m).
To see how this can be defined in terms of a policy, please take a look at this template: https://advisera.com/27001academy/documentation/access-control-policy/
For further information, see:
- How to handle access control according to ISO 27001 https://advisera.com/27001academy/blog/2015/07/27/how-to-handle-access-control-according-to-iso-27001/
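One way to carry the three steps through (list documents, identify who needs which right, group documents with identical requirements), as an added example that is not part of the original answer; the documents, roles, steps and countries are constructed sample data, and the scoping rule for pilot vs. operational roles follows the profile list above:

```python
"""Added example, not from the original post: derive access-control profiles
by listing documents, identifying role needs, and grouping identical needs."""
from collections import defaultdict

READ, EDIT = "read", "edit"

# Step 1: documents, tagged with the process step they relate to and the
# country they are restricted to (None = applies to every country).
DOCUMENTS = {
    "ISMS policy":           {"step": 1, "country": None},
    "Access control policy": {"step": 2, "country": None},
    "Backup procedure FR":   {"step": 1, "country": "FR"},
    "Backup procedure DE":   {"step": 1, "country": "DE"},
    "Incident runbook":      {"step": 2, "country": None},
}

# Step 2: roles scoped like the profiles above. Pilot-process roles develop/edit
# documents in scope; operational roles only read. None = all steps/countries.
ROLES = {
    "policy owner": {"kind": "pilot", "step": None, "country": None},
    "architect":    {"kind": "pilot", "step": 2, "country": None},
    "ops manager":  {"kind": "operational", "step": None, "country": None},
    "fr site lead": {"kind": "operational", "step": 1, "country": "FR"},
}

def required_right(role, doc):
    """Right a role needs on a document, or None when the document is out of scope."""
    if role["step"] is not None and role["step"] != doc["step"]:
        return None
    if role["country"] is not None and doc["country"] not in (None, role["country"]):
        return None
    return EDIT if role["kind"] == "pilot" else READ

def build_profiles(documents=DOCUMENTS, roles=ROLES):
    """Step 3: one profile per distinct set of (role, right) requirements."""
    groups = defaultdict(list)
    for doc_name, doc in documents.items():
        access = {r: required_right(role, doc) for r, role in roles.items()}
        key = tuple(sorted((r, right) for r, right in access.items() if right))
        groups[key].append(doc_name)
    return {f"profile {i}": {"documents": sorted(docs), "access": dict(key)}
            for i, (key, docs) in enumerate(sorted(groups.items()), start=1)}

def is_allowed(profiles, role_name, doc_name, right):
    """Deny by default; edit implies read. Use it to review who can do what."""
    for profile in profiles.values():
        if doc_name in profile["documents"]:
            granted = profile["access"].get(role_name)
            return granted == EDIT or (granted == READ and right == READ)
    return False
```

With these sample roles the five documents collapse into three profiles; because no DE-scoped role exists, "Backup procedure DE" is reachable only by the global roles and lands in a profile of its own, and adding a DE site lead would change its requirement set and therefore its profile.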
Feb 01, 2022