ISO 27001 Expert question
1 - Is «System Management & processes» a good way to classify documents when wanting to respect ISO 27001?
Answer: I’m assuming your question is linked to this one: https://community.advisera.com/topic/documents-classification-plan-storage-for-process-documents-like-policies/
Considering that, first it is important to note that “classification” in the ISO 27001 context is related to how sensitive information is to the loss of its security properties (e.g., confidentiality, integrity, and availability). From this question, and the previous one, “classification” to you seems to be related to how documentation is organized, so for the rest of this answer I’ll use the term “document organization scheme”, and similar, to answer your doubts.
Now, organizing documents according to which management system they belong to is as good as any other organization approach, provided the organization scheme fulfills the standard's requirements for document management. Please note that in addition to this “document organization scheme”, when considering ISO 27001 you may also need to consider the information security classification. For example, documents from an ISO 9001 Quality Management System classified as “public” must not be stored in the same place as documents classified as “confidential”.
The key issue you need to observe is how users will perceive this. It will be useless if users do not find it easy to create, find, use, and update documents.
For further information, see:
- Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
- Document management in ISO 27001 & BS 25999-2 https://advisera.com/27001academy/blog/2021/06/27/how-to-manage-documents-according-to-iso-27001-and-iso-22301/
- Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/
2 - If the answer to question number 1 is « yes », then how should we deal with documents like policies that are used by multiple SM & processes? I’ve seen in a SharePoint tutorial proposed by ISO 9001 experts that they were using metadata for document indexing. Does that mean that policies should be attached to multiple SM & processes at the metadata level?
Answer: The use of metadata to index documents is a good approach to organize them, because regardless of where you store the documents, you can use metadata to filter them and show users only the documents defined according to business requirements and information security criteria; it also makes changes easier and more transparent to users.
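To illustrate the metadata approach described in this answer (one policy indexed under several management systems and processes, with information security classification applied as a filter), here is an added example that is not part of the original post or of any Advisera product; all documents, classification levels, and system/process names in it are constructed sample data.

```python
"""Metadata-driven document index (added example, not from the original post).

Each document carries metadata naming the management systems and processes
it serves, plus its information security classification. Views are built by
filtering on that metadata, so one policy can appear under several management
systems without being copied, and users only see documents they are cleared
for. All values below are constructed sample data.
"""
from dataclasses import dataclass, field

# Ordering of classification levels (constructed; adapt to your own scheme).
LEVELS = {"public": 0, "internal": 1, "confidential": 2}


@dataclass(frozen=True)
class Document:
    doc_id: str
    title: str
    classification: str
    systems: frozenset = field(default_factory=frozenset)    # e.g. ISO 27001, ISO 9001
    processes: frozenset = field(default_factory=frozenset)  # e.g. "HR", "IT operations"


# Constructed sample corpus: one policy shared by two management systems.
DOCS = [
    Document("POL-01", "Acceptable Use Policy", "internal",
             frozenset({"ISO 27001", "ISO 9001"}), frozenset({"HR", "IT operations"})),
    Document("PRC-07", "Incident Response Procedure", "confidential",
             frozenset({"ISO 27001"}), frozenset({"IT operations"})),
    Document("REC-12", "Customer Satisfaction Survey Results", "public",
             frozenset({"ISO 9001"}), frozenset({"Sales"})),
]


def view(docs, clearance, system=None, process=None):
    """Return document ids visible to a user with the given clearance,
    optionally narrowed to one management system and/or one process."""
    if clearance not in LEVELS:
        raise ValueError(f"unknown clearance level: {clearance}")
    out = []
    for d in docs:
        if LEVELS[d.classification] > LEVELS[clearance]:
            continue  # information security criterion: user is not cleared
        if system is not None and system not in d.systems:
            continue  # business criterion: document belongs to another management system
        if process is not None and process not in d.processes:
            continue  # business criterion: document does not serve this process
        out.append(d.doc_id)
    return sorted(out)
```

The same policy (POL-01) shows up in both the ISO 27001 and ISO 9001 views without being duplicated, while the confidential procedure disappears from any view built for a user cleared only to "internal".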
3 - If the answer to question number 2 is « Yes », then are there best practices in ISO 27001 about document organization apart from classification? In the ISO 9001 SharePoint tutorial the experts were saying that there was no obligation regarding the organization of documents and that they can be stored with or without hierarchy. But regarding access rights I suppose it can change things a lot. Is there something detailed about access rights to documentation in ISO 27001?
Answer: ISO 27001 does not prescribe how to organize documents. It only requires that documents and records be easy to find and access when required. In terms of access control, the main requirement is that access rights consider business and legal needs.
To see a tool which covers document management requirements in an ISO 27001 environment, I suggest you take a look at our solution Conformio (https://advisera.com/conformio/).
In Conformio, documents are organized in folders such as:
- Main Folder (ISO 27001)
  - Lists, Reports, Statements and Plans
  - Policies and Procedures
    - Internal procedures
    - Top management
  - Templates for manual editing
You can add and customize folders according to your needs.
For further information, including examples, see:
- What kind of Document Management System (DMS) do you need for handling ISO 27001 documents? https://advisera.com/conformio/blog/2020/08/11/what-kind-of-dms-you-need-for-handling-iso-27001-documents/
- How to handle user access management in an ISO 27001 project through Conformio https://advisera.com/conformio/blog/2021/05/05/how-to-handle-user-access-management-for-iso-27001-project-through-conformio/
- Enable confidentiality in handling ISO 27001 documentation https://advisera.com/conformio/blog/2020/08/13/enable-confidentiality-in-handling-iso-27001-documentation/
Feb 04, 2022