Can you record nonconformities and corrections in the same document that you are using to capture risks? For example, we have a risk register spreadsheet which covers all requirements, and we would like to have only one document capturing all of this, if it is allowed.
ISO 27001 does not prescribe how to develop documents, so you can record nonconformities and corrections in the same document that you are using to capture risks, but we do not recommend such an approach.
The reason is that, if nonconformities and risks are in the same document, persons looking for one type of information would have unnecessary access to the other and this can compromise confidentiality.
Moreover, risks and nonconformities are very different types of information, and this is also why it makes sense to keep them separate.
This article will provide you with further explanation about records management:
- Records management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/
These materials will also help you regarding records management:
- Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/
Jul 09, 2020