Expert Advice Community

Procedure for document and record control

Guest
Atheer AlMartan Created:   Jan 30, 2024 Last commented:   Feb 02, 2024

Hello,

Good Morning,

Could you tell me what exactly you guys want from the Procedure for document and record control document?

In detail, please + I got a couple of questions too. My scope is the whole organization, "This procedure is applied to all documents and records related to the ISMS", so in my case is it all the company's documents?

Document approval 

I understood that the CEO must approve all documents; is there something else?

3.3. Publishing and distributing documents; withdrawal from use

There are some parts where Conformio is mentioned. I don't think this is a professional way for the word "Conformio" to be written there: "the Conformio platform will automatically inform all employees listed as users of the document by email...."

 

Tell me more about record control and also documents of external origin. What do you want from me exactly? I could not figure it out.

 

Thank you in advance,

Expert
Rhand Leal Feb 02, 2024

1. Could you tell me what exactly you guys want from the Procedure for document and record control document? In detail, please + I got a couple of questions too. My scope is the whole organization.

The purpose of the Procedure for document and record control is to establish a structured and unified approach for creating, updating, controlling, and protecting documents and records within a company. This ensures that the documented information is available for use, fit for purpose, and adequately protected against damage or loss of integrity and identity. The procedure defines the rules for creating and identifying documents, approving and publishing them, controlling access and distribution, withdrawing outdated documents, and managing updates and changes. It helps provide clarity to all employees on how to manage documents and records, ensuring compliance with ISO standards and facilitating effective information management within the organization.

2. "This procedure is applied to all documents and records related to the ISMS", so in my case is it all the company's documents?

The organization can decide whether to apply the Procedure only to ISMS-related documents, or to all documents in the company scope.

3. Document approval

I understood that the CEO must approve all documents; is there something else?

In a small ISMS scope, it is common practice for the CEO to approve all documents. This is because, in smaller companies, the CEO is usually the top-level management and has the authority to make decisions and approve important documents. However, it is important to note that the responsibility for approving documents can vary depending on the company's size and structure. In mid-size and larger companies, the responsibility for approving documents may be divided between senior management, security officers, and heads of departments. 

4. 3.3. Publishing and distributing documents; withdrawal from use

There are some parts where Conformio is mentioned. I don't think this is a professional way for the word "Conformio" to be written there: "the Conformio platform will automatically inform all employees listed as users of the document by email...."

First of all, sorry for the confusion.

Conformio is our platform to help organizations implement and operate an ISMS. In the text you mention, our platform will automatically inform users when a new document is published and retrieve old versions.

5. Tell me more about record control and also documents of external origin. What do you want from me exactly? I could not figure it out.

Record control refers to the management of records within an organization. It involves defining how records are created, stored, accessed, retrieved, used, protected, and disposed of. The control of records ensures that they are available when needed, suitable for their intended use, and adequately protected. ISO 27001 requires organizations to have controls in place for the distribution, access, retrieval, and use of records, as well as for their storage, preservation, control of changes, and retention and disposition.

The control of documents of external origin refers to the management of documents that are not owned or controlled by the organization but are necessary for its operation. These external documents can include laws, regulations, standards, contracts, service agreements, product specifications, operation manuals, and more.

To control documents of external origin, the organization should define what the relevant external documents for the Information Security Management System (ISMS) are and who will be responsible for identifying and reviewing them. The frequency of verification should also be established.

One approach to controlling external documents is to have each head of a department responsible for the applicable external document. For example, the Head of the IT department can identify encryption standards for the website as a relevant external document and ensure it is controlled by the company.

It is important to note that external documents can be both physical and electronic. Physical documents can be received at the organization's office or a remote location if necessary. Electronic documents can include emails, digital files, and online resources.

 
