Hi Advisera,
A lot of records (e.g. Risk Treatment table, or SoA) that should be created and managed should be according to templates in PDF format. I understand that. But there is a version history in Office365, so that we can check whether there were some unauthorized changes. Is that enough, I mean storing the records in Excel or Word form, not PDF, but with a version history turned on?
Although ISO 27001 requires the storage of specific documents and records (clause 7.5.3 d), and that changes to them are controlled (clause 7.5.3 e), it does not prescribe how to store them or control changes to them, so organizations are free to define the methods that best suit their needs.
Considering that, storing documents in Excel or Word form is acceptable by the standard. However, the version history feature in Office365 may not be sufficient, because it can help detect an unauthorized change, but cannot prevent it. To make your solution more robust, you can limit the users that can edit a document to a small group of users.
These articles will provide you with further explanation about documentation management:
- Document management in ISO 27001 & BS 25999-2 https://advisera.com/27001academy/blog/2010/03/30/document-management-within-iso-27001-bs-25999-2/
- Records management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/
These materials will also help you regarding documentation management:
- Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/
- ISO 27001 Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
Jan 20, 2021