Expert Advice Community

Question about documents

Guest user Created:   Dec 11, 2020 Last commented:   Dec 11, 2020

Hi all,

1 - Are documents covered by the document control policy only security-related (e.g., regulation), or is it any company document?

2 - Is there a clear definition of external documents? The concept seems nebulous. Maybe a sample policy we can look at with some examples of what other organizations do may help.

3 - For example, an email is an external document, so would someone be tasked to archive them somewhere in this policy?

Expert
Rhand Leal Dec 11, 2020

1 - Are documents covered by the document control policy only security-related (e.g., regulation), or is it any company document?

I’m assuming you are referring to the Procedure for Document and Record Control.

Considering that, you can choose which documents will be covered by this procedure (e.g., only security-related or any company document). You only need to ensure that documents related to the ISMS scope are managed according to clause 7.5 of the ISO 27001.

2 - Is there a clear definition of external documents? The concept seems nebulous. Maybe a sample policy we can look at with some examples of what other organizations do may help.

For ISO 27001, you can consider external documents any documents owned or controlled by other organizations that you need for your ISMS operation.

Regarding examples from other organizations, such information is protected by confidentiality agreements and cannot be presented, but general examples of external documents to be controlled are Laws (e.g., SOX and EU GDPR), standards and regulations (e.g., the ISO 27001 itself), and documents and records from customers, suppliers, and partners (e.g., contracts, service agreements, product/service specification, operation manuals, emails, etc.).

3 - For example, an email is an external document, so would someone be tasked to archive them somewhere in this policy?

This is an acceptable solution, but a simpler one would be that someone simply tags emails that need to be controlled, so that they can be easily found if needed. Such a procedure for handling external documents can be defined in section 4 of the Procedure for Document and Record Control (Documents of external origin).

This material will also help you regarding control of documents:

  • Free video tutorial that you received as part of your toolkit: How to Write ISO 27001/ISO 22301 Document Control Procedure

This article will provide you a further explanation about document management:

This material can also provide support:
