Information labeling; destruction of records

- Answer: You should define this transition process (whether you need to do it right away, or gradually) in your Classification Policy; however you should label all the documents before your certification audit. Another note here: you don't need to set the rule to label all the documents - normally, public documents are not labeled. 

Also with the destruction of records do we need to keep a record of every paper document we shred???

- Answer: No, there is no such requirement in ISO 27001 - good practice is that you should keep records of destruction only for more sensitive documents (those that are classified as highly confidential).

3.4.2    Relations with external parties

External parties include various service providers, companies for hardware and software maintenance, companies handling transactions or data processing, clients, etc.

Before exchanging information deemed to be RESTRICTED or CONFIDENTIAL and/or software with any external party, an agreement must be signed, which is the responsibility of Legal Counsel. The agreement may be in paper or electronic form (e.g. agreeing to general terms and conditions) and must contain clauses in line with the risk assessment, and must take into consideration:

QUESTION: we frequently send out information marked as Confidential, such as quotes which contain our pricing, to potential clients who we hope to work with.  We are under no agreement when doing so and it is not productive to get this in order to send such information. Again, when exactly does something marked as confidential need to be under agreement? I don’t want a solution to be simply to not mark something as confidential in order for it to be sent out??

Sean Facer said
 
QUESTION: we frequently send out information marked as Confidential, such as quotes which contain our pricing, to potential clients who we hope to work with.  We are under no agreement when doing so and it is not productive to get this in order to send such information. Again, when exactly does something marked as confidential need to be under agreement? I don’t want a solution to be simply to not mark something as confidential in order for it to be sent out??

The problem here is the following: if you mark some document as confidential, why would the receiving party (e.g. potential client you've sent the quote to) treat such information as confidential? They will be forced to treat this information as confidential only there is (a) a law which protects you in such cases, or (b) a contract/NDA which obliges your client to keep this information confidential. 

In many countries the law does not protect you, and I agree in many cases it is not feasible to sign an NDA with potential client just because you're sending them the quote. But in such cases you must be aware that just by writing "Confidential" on top of your documents you won't be protected. 

To conclude, you can write in your procedure that signing the NDA with the receiving party is not mandatory, but your management needs to be aware of the risk. As a rule of the thumb, any time you give away some really sensitive information you really should sign an NDA.

Thanks Dejan! Love the new forum really helpful!

You're welcome :)