Expert Advice Community


Procedure for document and record keeping

Guest user Created:   Dec 13, 2016 Last commented:   Jan 28, 2017


Considering the procedure for documents and record keeping:

Expert
Rhand Leal Dec 13, 2016

1. Which type of document are you referring to?

Answer: The procedure for documents and record keeping considers as a document any medium (e.g., paper or electronic format) that contains information the organization considers relevant for the operation and maintenance of its management system. Examples of documents are policies, procedures, work instructions, manuals, etc.

2. As every department or even every employee has ownership of some documents, do we need to include all documents?

Answer: You should include in your management system only the documents defined as mandatory by the standard (e.g., security policy, audit plan, etc.) and those considered relevant by the organization or demanded by legal requirements (e.g., laws and contracts). For those last two, the main sources to help identify them are the scope of the management system and the results of the risk assessment.

3. Who will have the ultimate responsibility of the entire document?

Answer: I assume you are referring to the responsibility for the procedure for documents and record keeping. In this case, the most suitable role to be responsible for this procedure is the job title ultimately responsible for the management system (e.g., the management representative or the security manager). Considering the other documents, the most suitable roles to be responsible for them are the process and risk owners.

4. How can you define incoming mail register?

Answer: The way to define the incoming mail register must consider the context of the organization regarding how it handles external information that needs to be included in its processes. It can vary from a simple notebook to a complex workflow system. In terms of the standard, you only have to ensure that some information is available, like who the sender is, who received it, the recipient, the document identification, the document's validity, etc.

These articles will provide you further explanation about documents control:
- Document management in ISO 27001 & BS 25999-2 https://advisera.com/27001academy/blog/2010/03/30/document-management-within-iso-27001-bs-25999-2/
- Records management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/

These materials will also help you regarding documents control:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://training.advisera.com/course/iso-27001-foundations-course/
Guest
waqar123 Jan 28, 2017
What I understand is that if an IS policy is updated, then the old policy shall be stored in a secure location as a record and only authorized users have access to it. Controls should be implemented as per the classification of the document. In case there is some requirement to retrieve the old version of the IS policy, for instance, an external auditor wants access to the old policy, then the access shall be provided after the necessary approval.
Guest
waqar123 Jan 29, 2017
For clarification of "Documents of external origin", can you give some examples? If somebody sends a parcel to a friend who is working in an organization, how can it be applicable? Who will define the classification of such things? In addition to this, is this a duplication of work, since the person sitting at the reception first registers the parcel and then the recipient of the parcel registers it again?
Expert
Rhand Leal Jan 31, 2017
>1 - What I understand is that if an IS policy is updated, then the old policy shall be stored in a secure location as a record and only authorized users have access to it. Controls should be implemented as per the classification of the document. In case there is some requirement to retrieve the old version of the IS policy, for instance, an external auditor wants access to the old policy, then the access shall be provided after the necessary approval.

Answer: Your understanding of the consequences of the IS policy update is correct.

>2 - For clarification of "Documents of external origin", can you give some examples? If somebody sends a parcel to a friend who is working in an organization, how can it be applicable? Who will define the classification of such things? In addition to this, is this a duplication of work, since the person sitting at the reception first registers the parcel and then the recipient of the parcel registers it again?

Answer: You can understand documents of external origin as all documentation outside the organization's sole control that is relevant to the ISMS, for example a law, an industry standard, or a contract with a customer/supplier.

Considering your example, the first thing to be observed is whether this parcel is intended for the organization or for the person himself.

If the parcel is intended for the person himself, it should be considered private mail, and you should consult your internal policies regarding the receipt of personal mail in the organization to know how to proceed (yes, if this situation occurs in your organization, you should consider how to handle it in at least one of your policies).

If the parcel is intended for the organization, the person to whom it is addressed should apply the information classification according to the parcel's content.

Regarding the parcel register process, the role of the person at the reception is only to enter the parcel information in the incoming mail register and forward the parcel to the intended recipient, who has the responsibility to formally acknowledge the parcel receipt on behalf of the organization. So, there is no duplication of work, since the person at the reception fills in one part of the incoming mail register (the parcel information), and the recipient fills in another (the receipt acknowledgement).