Expert Advice Community

Procedure for Document and Record Control

Guest user. Created: Mar 13, 2020. Last commented: Mar 13, 2020.

This question is regarding document scope, especially as it pertains to section 3.2 Document Approval.

In our very small organization, all ISMS-specific documents would be reviewed and approved by two individuals. That I understand, no problem. But for client work/project-related documents that are created, such as project plans, creative files, copy decks, etc., oftentimes there is no review and approval process needed. Documents are created by the employee and sent to the client.

How would that be described in section 3.2? Do I describe an "exemption" for review and approval of client project work files?

Expert
Rhand Leal Mar 13, 2020

If having documents created by an employee and sent directly to the client without the approval of another person in the organization is an acceptable risk to your organization, then you can include an "exception" in this section like:

"Except for client project work documents, all other documents, regardless of whether they are new documents or new versions of existing documents, must be approved by [job title]. Client project work documents are considered approved by the employee who has created/reviewed them."

Please note that as a good practice for projects, the project manager should review/approve the documents, since they will be sent to the client. 
