ISO 27001 Expert question

  Quote
Guest
Guest user | Created: Feb 04, 2022 | Last commented: Feb 04, 2022


The company is not planning to get certified, but IS is supposed to be compliant with the European NIS directive. Experts of that directive are all recommending the ISO 27001/22301 standards. So I'm trying to respect ISO standards best practices in all my projects now. I'm a little bit lost with document management for the moment. For the moment I'm just wishing to know:

1. Is « System Management & processes » a good classification approach for documents when wanting to respect ISO 27001?
2. If the answer to question number 1 is « yes », then how to deal with documents like policies that are used by multiple SM & processes? I've seen in a SharePoint tutorial proposed by ISO 9001 experts that they were using metadata for document indexing. Does that mean that policies should be attached to multiple SM & processes at metadata level?
3. If the answer to question number 2 is « yes », then are there best practices in ISO 27001 about document organization apart from classification? In the ISO 9001 SharePoint tutorial the experts were saying that there was no obligation regarding organization of documents and that they can be stored with or without hierarchy. But regarding access rights I suppose it can change things a lot. Is there something detailed about access rights to documentation in ISO 27001?

Expert
Rhand Leal Feb 04, 2022

1 - Is « System Management & processes » a good classification approach for documents when wanting to respect ISO 27001?

Answer: I'm assuming your question is linked to this one: https://community.advisera.com/topic/documents-classification-plan-storage-for-process-documents-like-policies/

Considering that, first it is important to note that "classification" in the ISO 27001 context is related to how sensitive information is to the loss of its security properties (e.g., confidentiality, integrity, and availability). From this question, and the previous one, "classification" to you seems to be related to how documentation is organized, so for the rest of this answer I'll use the term "document organization scheme", and similar, to answer your doubts.

Now, organizing documents according to which management system they belong to is as good as any other organization approach, provided the organization scheme fulfills the standard's requirements for document management. Please note that in addition to this "document organization scheme", when considering ISO 27001 you also may need to consider the information security classification. For example, documents from an ISO 9001 Quality Management System classified as "public" must not be stored in the same place as documents classified as "confidential".

The key issue you need to observe is how users will perceive this. It will be useless if users do not find it easy to create, find, use, and update documents.

For further information, see:
- Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
- Document management in ISO 27001 & BS 25999-2 https://advisera.com/27001academy/blog/2021/06/27/how-to-manage-documents-according-to-iso-27001-and-iso-22301/
- Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/

2 - If the answer to question number 1 is « yes », then how to deal with documents like policies that are used by multiple SM & processes? I've seen in a SharePoint tutorial proposed by ISO 9001 experts that they were using metadata for document indexing. Does that mean that policies should be attached to multiple SM & processes at metadata level?

Answer: The use of metadata to index documents is a good approach to organize them, because regardless of where you store the documents, you can use metadata to filter them and show users only the documents defined according to business requirements and information security criteria; it also makes changes easier and more transparent to users.

3 - If the answer to question number 2 is « yes », then are there best practices in ISO 27001 about document organization apart from classification? In the ISO 9001 SharePoint tutorial the experts were saying that there was no obligation regarding organization of documents and that they can be stored with or without hierarchy. But regarding access rights I suppose it can change things a lot. Is there something detailed about access rights to documentation in ISO 27001?

Answer: ISO 27001 does not prescribe how to organize documents. It only requires that documents and records be easy to find and access when required. In terms of access control, the main requirement is that access rights consider business and legal needs.

To see a tool which covers document management requirements in an ISO 27001 environment, I suggest you take a look at our solution Conformio (https://advisera.com/conformio/).

In Conformio, documents are organized in folders such as:
- Main Folder (ISO 27001)
- Lists, Reports, Statements and Plans
- Policies and Procedures
  - Internal procedures
  - Top management
- Templates for manual editing

You can add and customize folders according to your needs.

For further information, including examples, see:
- What kind of Document Management System (DMS) do you need for handling ISO 27001 documents? https://advisera.com/conformio/blog/2020/08/11/what-kind-of-dms-you-need-for-handling-iso-27001-documents/
- How to handle user access management in an ISO 27001 project through Conformio https://advisera.com/conformio/blog/2021/05/05/how-to-handle-user-access-management-for-iso-27001-project-through-conformio/
- Enable confidentiality in handling ISO 27001 documentation https://advisera.com/conformio/blog/2020/08/13/enable-confidentiality-in-handling-iso-27001-documentation/

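To make the expert's two points concrete (metadata tags let one policy serve several management systems and processes, while the security classification and the business need decide who may see it), here is an added illustration that is not part of the original thread and is not Conformio's or Advisera's code. The classification levels, the role-to-process "need to know" rule, the document register and the users are all constructed for the example; ISO 27001 itself prescribes none of these specific labels or rules. It also carries the answer to question 1 one step further: a check that reports storage locations mixing classification levels.

```python
"""Metadata-indexed document register with classification-aware views.

Constructed example: documents carry tags for the management systems and
processes they serve, plus an information security classification and a
storage location. Views are built by filtering on metadata, then applying
an access rule (clearance plus business need), so the physical folder
hierarchy does not have to mirror the organisation scheme.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Constructed ordering of sensitivity levels (not mandated by ISO 27001).
CLASSIFICATION_LEVELS: Dict[str, int] = {"public": 0, "internal": 1, "confidential": 2}


@dataclass(frozen=True)
class Document:
    doc_id: str
    title: str
    classification: str
    management_systems: FrozenSet[str]  # one policy may serve several systems
    processes: FrozenSet[str]           # processes that use the document
    storage_location: str               # where the file physically lives


@dataclass(frozen=True)
class User:
    name: str
    clearance: str                      # highest classification the user may read
    business_roles: FrozenSet[str]      # processes the user works in (business need)


def can_access(user: User, doc: Document) -> bool:
    """Clearance must cover the classification; non-public documents also
    require a business need, i.e. the user works in a process that uses them."""
    if doc.classification not in CLASSIFICATION_LEVELS or user.clearance not in CLASSIFICATION_LEVELS:
        return False  # unknown label: fail closed rather than guess
    if CLASSIFICATION_LEVELS[user.clearance] < CLASSIFICATION_LEVELS[doc.classification]:
        return False
    if doc.classification == "public":
        return True
    return bool(user.business_roles & doc.processes)


def documents_for(user: User, docs: List[Document],
                  management_system: Optional[str] = None,
                  process: Optional[str] = None) -> List[str]:
    """Build a metadata-driven view: filter by system/process tag, then by
    the access rule. Returns sorted document ids."""
    visible = []
    for doc in docs:
        if management_system and management_system not in doc.management_systems:
            continue
        if process and process not in doc.processes:
            continue
        if can_access(user, doc):
            visible.append(doc.doc_id)
    return sorted(visible)


def mixed_storage_locations(docs: List[Document]) -> Dict[str, List[str]]:
    """Report storage locations that hold more than one classification level,
    i.e. places where e.g. 'public' and 'confidential' documents sit together."""
    levels_by_location: Dict[str, set] = {}
    for doc in docs:
        levels_by_location.setdefault(doc.storage_location, set()).add(doc.classification)
    return {loc: sorted(lv) for loc, lv in levels_by_location.items() if len(lv) > 1}


# Constructed sample register (ids, titles and locations are invented).
SAMPLE_DOCS: List[Document] = [
    Document("POL-01", "Information Security Policy", "internal",
             frozenset({"ISO 27001", "ISO 22301"}), frozenset({"risk management", "hr"}),
             "dms://policies"),
    Document("PLAN-02", "Business Continuity Plan", "confidential",
             frozenset({"ISO 22301"}), frozenset({"business continuity"}), "dms://restricted"),
    Document("STMT-03", "Statement of Applicability", "confidential",
             frozenset({"ISO 27001"}), frozenset({"risk management"}), "dms://restricted"),
    Document("PUB-04", "Quality Policy", "public",
             frozenset({"ISO 9001"}), frozenset({"quality"}), "dms://public"),
    # Deliberately misplaced: an internal document in the public location.
    Document("MIX-05", "Access Control Procedure", "internal",
             frozenset({"ISO 27001"}), frozenset({"it operations"}), "dms://public"),
]

ANALYST = User("analyst", "internal", frozenset({"risk management"}))
CISO = User("ciso", "confidential",
            frozenset({"risk management", "business continuity", "it operations"}))


if __name__ == "__main__":
    print("analyst, all systems:", documents_for(ANALYST, SAMPLE_DOCS))
    print("analyst, ISO 27001:  ", documents_for(ANALYST, SAMPLE_DOCS, management_system="ISO 27001"))
    print("ciso, ISO 27001:     ", documents_for(CISO, SAMPLE_DOCS, management_system="ISO 27001"))
    print("mixed locations:     ", mixed_storage_locations(SAMPLE_DOCS))
```

The same policy POL-01 appears in both the ISO 27001 and the ISO 22301 view without being copied, which is the metadata-indexing idea from the answer; the analyst never sees the confidential Statement of Applicability regardless of which view is requested, and the storage check flags the public location as holding an internal document, the situation the answer says must not occur.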