Expert Advice Community

Procedure for document and record control

Guest user Created:   Feb 25, 2016 Last commented:   Feb 25, 2016

We have begun to create a Procedure for Document and Record Control and we have the following questions:
Expert
Dejan Kosutic Feb 25, 2016

1. Who is responsible for document approval: may it be only [job title] (for example the CEO or deputy CEO), or can it be a group or committee?

ISO 27001 allows you to have one person or a group of persons, but my recommendation is that you have one person only - it is more efficient.

2. Is it necessary to write the header and footer as in clause 3.1 (is it an ISO 27001 requirement?), or can we adapt them to the organization's standard practice? Which of these fields - organization name, confidentiality level, document name, current version, date of document - are required by ISO 27001?

No, headers and footers are not required by ISO 27001 - you should adapt them to your company practice. You should include the document name, current version and date of the document somewhere in the document; you should include the confidentiality level only if you define control A.8.2.2 as applicable in your Statement of Applicability.

3. Our local language is ***. We must create documents in English and then translate them to our local language. Shall we approve both of them? What are the ISO 27001 requirements about it?

ISO 27001 requires only that the documentation is suitable for use, which means it needs to be understandable by all of the workforce that will be using the documents. Therefore, you can have documents in your local language only, in English only, or both. In your Procedure for document and record control you should define which language is the main one, and then documents in this language must be approved by the responsible person; the documents in the other language will be translated, but they do not need to be approved.

4. In our organization we store both: the scan of the approved paper version and the approved paper version itself. What are the requirements of ISO 27001?

ISO 27001 doesn't specify how the documents need to be approved nor how they are stored. The most practical way is for the responsible person to approve the documents digitally (i.e. through some document management system), so that there is no need for paper documents nor for scanning.

5. Who can be the responsible person for "Person responsible for storage" and "controls for record protection" in clause 5 (managing records)?

This depends on the record type - e.g. for backup logs, the person responsible for storage will be the IT administrator, and the controls for record protection will be the system access controls to those logs; for the incoming mail register, the person responsible can be the secretary who receives all the incoming mail, and the controls for record protection could be the access control to her computer.
