
Expert Advice Community


Documents from an external origin

Guest user | Created: Oct 01, 2019 | Last commented: Oct 01, 2019


We have acquired the ISO 27001 Toolkit and started to fill out the documents.

Right from the first document (00_Verfahren_zur_Lenkung_von_Dokumenten_und_Aufzeichnungen_27001_EN) I have a question of understanding regarding Chapter 4, "Documents of external origin". Neither the standard nor the toolkit makes it clear enough to me what kind of documents these "external documents" are. This is very important to us because we do not want to certify the entire company, but just one business unit. The secretariat/post office is not part of the scope and must be assigned an interface with the steering. That is why we want to spare ourselves something like an inbox register, or at least limit it to as few documents as possible.

After much internal discussion, we believe that these can only and exclusively be documents that are directly related to the ISMS. So, to delineate this clearly once more: we are talking here about documents and not about records.

The standard says at this point:

"Documented information of external origin, which has been identified by the organization as necessary for the planning and operation of the ISMS, must be appropriately identified and managed."

By planning and operating the ISMS we understand, e.g., communication with the certification authority (sending the ISMS certificate) and any documents that are sent to us by authorities or lawyers and that result in checking or changing an ISMS document (legislative changes).

We are uncertain about the handling of customer and supplier orders. We are building the ISMS with the goal of making information security comprehensible to our customers in a single business area. From this point of view, the contracts with our customers and suppliers are the basis of our actions and the beginning of a relevant business process. But for that very reason such a contract would have to be regarded as a "record" and not as a "document". Thus we would not regulate this type of correspondence in the document handling document (external documents section) but in the respective ISMS document (e.g. change management => recording of customer orders, invoices; or supplier policy => recording supplier contracts, calculations, etc.).

Our actual question from this e-mail, summarized again:

What types of documents must be included in toolkit document "00", chapter "4. Documents of external origin", in order to comply with the standard?


Expert: Rhand Leal | Oct 01, 2019

First, it is important to note that by "documented information" the standard means both documents and records. The second important point is that the standard does not prescribe that documents of external origin be controlled, only that if the organization identifies such documents, they must be controlled. In short, it is your organization that must define which external documents are necessary to ensure your ISMS is properly planned, implemented and operated.

Regarding types of documents, your own question covered the most basic ones (considering the needs of your ISMS):
- Documents and records from legal authorities or regulators (including your certification body): your ISO 27001 certificate, the ISO 27001 standard, EU GDPR (so you can have access to information security-related clauses from Article 32), official letters from government agencies, etc.
- Documents and records from customers, suppliers, and partners: contracts, service agreements, product/service specification, operation manuals, etc.

This article will provide you with a further explanation about document management:
- Document management in ISO 27001 & BS 25999-2 https://advisera.com/27001academy/blog/2010/03/30/document-management-within-iso-27001-bs-25999-2/
