Expert Advice Community

Guest

Documents subject to review

Guest user Created:   Sep 07, 2020 Last commented:   Sep 07, 2020

In terms of records management, and in our procedure for document and record control, we say that all content/all documents need to be current. Therefore, does this apply to all historical, current and future documents in our shared drive or just those in the future created at the point we say GO LIVE with our new ISMS? 

Does the review of content need to be set for each and every document we have as a business? For example, if we have 1000+ documents, as part of this project should I be going through each one – and setting a review date for its content? 

How would, say, a Compliance officer undertake this as part of the day job? Would I have a spreadsheet that lists each and every document and a review date for each? That feels way too manual?

Do I have a list of each document in Conformio that tells me when to review or organise the review of each document? I am trying to understand, as the company grows and we have more and more documents how does one keep control of what needs to be reviewed when? This needs to be automated? What do you advise? What do other companies use to support the ongoing compliance of records? Do we need any further software to give us a fighting chance?!

Expert
Rhand Leal Sep 07, 2020

1 - In terms of records management, and in our procedure for document and record control, we say that all content/all documents need to be current. Therefore, does this apply to all historical, current and future documents in our shared drive or just those in the future created at the point we say GO LIVE with our new ISMS?

Answer: Please note that historical documents must not be changed, because they need to reflect the situation when they were current.

Considering that, the need to keep documents current applies to existing documents from the moment the Procedure for Document and Record Control was approved and released for use.

By the way, included in your toolkit, you have access to a video tutorial that can guide you on how to manage and review documents and records for your ISMS.

For further information, see:
- Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/

2 - Does the review of content need to be set for each and every document we have as a business? For example, if we have 1000+ documents, as part of this project should I be going through each one – and setting a review date for its content?

Answer: ISO 27001 does not prescribe how to define the review period, so you can define this the way that best fits your needs. Additionally, the review also must occur when a significant event occurs (e.g., change in a process, new legal requirement, etc.).

Considering that, only ISMS-relevant documents should be reviewed, and the most common approaches for defining temporal review are defining a review date for each document, defining a review rule for all documents (e.g., each document must be reviewed after 12 months of its publication), or defining a period for documentation review (e.g., documents must be reviewed in the month of September of each year).

3 - How would, say, a Compliance officer undertake this as part of the day job? Would I have a spreadsheet that lists each and every document and a review date for each? That feels way too manual?

Answer: For a small number of documents the use of a spreadsheet may be a solution, or any kind of task management tool to remind you of the review deadlines, but for a great number of documents you should consider an automated solution.

For further information, see:
- When to use tools for ISO 27001/ISO 22301 and when to avoid them https://advisera.com/27001academy/blog/2014/10/20/when-to-use-tools-for-iso-27001-iso-22301-and-when-to-avoid-them/

4 - Do I have a list of each document in Conformio that tells me when to review or organize the review of each document? I am trying to understand, as the company grows and we have more and more documents how does one keep control of what needs to be reviewed when? Does this need to be automated? What do you advise? What do other companies use to support the ongoing compliance of records? Do we need any further software to give us a fighting chance?!

Answer: A main list identifying when to review each document is not available in the toolkit, but you can create such a list using the blank template included in your toolkit.

Regarding how to organize the review, the best approach is to define the review period for each document based on its importance and complexity, and to define who are the most relevant people who can pinpoint what needs to be changed.

Like the previous answer, when the number of documents grows, the use of automated solutions is highly recommended, but it is our policy to not make recommendations about specific solutions.
