ISO 27001 Toolkit for consultants questions

Guest user   Created: Aug 16, 2023   Last commented: Aug 16, 2023

I am reviewing the document toolkit for a project that I am about to start with a client and have the following initial questions to ask.

Printed documents
The documents are stored in electronic format in most organisations, but nowhere on the documents does the statement ‘uncontrolled when printed’ or similar appear in the header or footer.

We have always inserted this statement into all documents within our work as otherwise a printed document could be picked up and used without checking that it is the latest version.

We also note that a lot of certification bodies would pick up a non-conformance in these instances. Can I ask why this statement is not included on all electronic documents please?

Improvement / non-conformance log
I cannot find a register for non-conformance or what I would call an improvement log / register. The toolkit has a corrective action procedure and a corrective action form template only.

We would always include an improvement log where all non-conformities and improvement suggestions (complaints, issues, improvement ideas and changes to documented information, processes or context) are recorded according to their source. In other words, a spreadsheet register that matches the non-conformance form fields but allows one to view all non-conformities / issues in one place without having to sift through a pile of forms to find out which ones are overdue or still open.

Document control
I don’t understand the document control procedure as it does not state how a change request is raised for consideration (document change request for instance)

Again we would not call this a non-conformity but it would be raised in the improvement log prior to any change of document being authorised. What is this ‘Track changes’ referring to please?

The procedure states
All changes to the document must be made using "Track changes," making visible only the revisions to the previous version, and must be briefly described in the "Change History" table; if the Track changes option is unavailable, or if the changes are too numerous, then the Track changes option is not used.
Each document should preferably have a "Change History" table used to record every change made.

The toolkit does not contain a document register?

This is going to make it difficult to show the version of all latest documents – most cert bodies in my experience are looking for a master document register. 

Hope that makes sense and apologies if I am missing something


Expert
Rhand Leal Aug 16, 2023

1 - Printed documents
The documents are stored in electronic format in most organisations, but nowhere on the documents does the statement ‘uncontrolled when printed’ or similar appear in the header or footer.

We have always inserted this statement into all documents within our work as otherwise a printed document could be picked up and used without checking that it is the latest version.

We also note that a lot of certification bodies would pick up a non-conformance in these instances. Can I ask why this statement is not included on all electronic documents please?

Answer: An ‘uncontrolled when printed’ statement is not included in the templates because the Procedure for Document and Record Control, section 3.3 - Publishing and distributing documents; withdrawal from use, does not make a distinction between handling electronic and printed versions of documents, i.e., the documents in all formats need to be controlled.

This is so because the purpose of ISO 27001 is to protect the information, and printed documents, in current or obsolete versions, may still contain classified information that needs to be protected, so they need to be controlled until the information becomes unclassified.

On top of this, ISO 27001 clause 7.5.3 requires all ISMS documents to be controlled.

2 - Improvement / non-conformance log
I cannot find a register for non-conformance or what I would call an improvement log / register. The toolkit has a corrective action procedure and a corrective action form template only.

We would always include an improvement log where all non-conformities and improvement suggestions (complaints, issues, improvement ideas and changes to documented information, processes or context) are recorded according to their source. In other words, a spreadsheet register that matches the non-conformance form fields but allows one to view all non-conformities / issues in one place without having to sift through a pile of forms to find out which ones are overdue or still open.

Answer: Please note that nonconformities and opportunities for improvement are recorded in the Internal Audit Report template, located in the folder Internal Audit.

The approach you are suggesting is a good idea for better management of improvements, but we have found that our customers prefer to have the fewest documents possible; since such a register of nonconformities is not a mandatory document, we decided not to create this extra document. Of course, if a customer wants to create such an additional register, we support them in that effort.

3 - Document control
I don’t understand the document control procedure as it does not state how a change request is raised for consideration (document change request for instance)

Again, we would not call this a non-conformity, but it would be raised in the improvement log prior to any change of document being authorized. What is this ‘Track changes’ referring to please?

The procedure states:
All changes to the document must be made using "Track changes," making visible only the revisions to the previous version, and must be briefly described in the "Change History" table; if the Track changes option is unavailable, or if the changes are too numerous, then the Track changes option is not used.
Each document should preferably have a "Change History" table used to record every change made.

Answer: ISO 27001 does not prescribe how to start the process of changing a document, only that changes need to be reviewed and approved. 

Again, we are aiming at having the fewest documents possible, because this is what customers prefer.

You can summarize the need for change in the section ‘Change history’ included in each template.

About ‘Track changes’: it is a feature of word-processing software, such as MS Word, which marks the text that has been deleted from and inserted into a document.

4 - The toolkit does not contain a document register?

This is going to make it difficult to show the version of all latest documents – most cert bodies in my experience are looking for a master document register. 

Hope that makes sense and apologies if I am missing something

Answer: ISO 27001 does not require a master document register to be maintained (this would only add another document to be maintained). As an alternative, we suggest that customers keep the documents in the same folder structure as the toolkit, only adding a sub-folder “obsolete” in each folder, so each folder holds the current version of each document and the sub-folder stores the obsolete versions.

Showing the document version can be resolved very easily by adding the version number to the file name - e.g., 'Information Security Policy EN ver 1_2.docx'.
