Incident Management Procedure
In the Incident Management Procedure there is a section called “Managing records kept based on this document”. Unfortunately, I could not find a good definition for it to determine how to handle it. It would be great if you could help me with more resources about this part of the policy.
Records are specific types of documents used to evidence that activities were performed and/or results were achieved, and to be compliant with ISO 27001 standards you need to keep some records about incident handling, such as the incident log, for a period of time related to some need defined by the organization, or by a legal requirement that must be fulfilled (e.g., a law, regulation or contract). Once the retention period is over you can dispose of the records, simply by deleting them, or through specific procedures to prevent them from being accessed once disposed of.
Additionally, once a record is created, it cannot be amended, so access to such records needs to be controlled.
This article will provide you with a further explanation about managing records:
- Records management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/
These materials will also help you regarding records management:
- Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/
- ISO 27001 Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
Jan 05, 2021