I have a question for you with regard to Document Control for ISO 27001. In the Checklist of Mandatory Documentation Required by ISO 27001:2013 it lists Procedure for Document Control as a Commonly Used Non-Mandatory Document; however, when I read the Document Management in ISO 27001 blog dated March 20, 2010, it states that you won't get certified if you do not have a Procedure for Managing Documents. These two information sources appear to me to be in conflict. Could you provide me with some details please?
Answer: The text in the Document Management in ISO 27001 blog refers to the ISO 27001:2005 standard, in which the Procedure for Managing Documents was in fact mandatory. That standard was superseded by ISO 27001:2013, which is now the current standard, and in this version the Procedure for Managing Documents is not mandatory.
2 - Also, could you share with me how you came up with the Checklist of Mandatory Documentation? I can't seem to find the source of the information in the ISO 27001:2013 standard. I am not sure whether it is there or in another ISO document.
Answer: To identify the mandatory documentation in the standard, you have to find the requirements that demand "documented information" to be available, to be kept, to be retained, or that use any other similar verb or expression. For example:
- The scope shall be available as documented information.
- The organization shall retain documented information about the information security risk assessment process.