Expert Advice Community

Guest

Question about documents

  Quote
Guest
Guest user Created:   Dec 11, 2020 Last commented:   Dec 11, 2020

Question about documents

Hi all,

1 - Are documents covered by the document control policy only security-related E.g. regulation, or is it any company document?

2 - Is there a clear definition of external documents? The concept seems nebulous. Maybe a sample policy we can look at with some examples of what other organizations do may help.

3 - For example, an email is an external document, so would someone be tasked to archive them somewhere in this policy?

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal Dec 11, 2020

1 - Are documents covered by the document control policy only security-related E.g. regulation, or is it any company document?

I’m assuming you are referring to the Procedure for Document and Record Control.

Considering that, you can choose which documents will be covered by this procedure(e.g., only security-related or any company document). You only need to ensure that documents related to the ISMS scope are managed according to clause 7.5 of the ISO 27001.

2 - Is there a clear definition of external documents? The concept seems nebulous. Maybe a sample policy we can look at with some examples of what other organizations do may help.

For ISO 27001, you can consider external documents any documents owned or controlled by other organizations that you need for your ISMS operation.

Regarding examples from other organizations, such information is protected by confidentiality agreements and cannot be presented, but general examples of external documents to be controlled are Laws (e.g., SOX and EU GDPR), standards and regulations (e.g., the ISO 27001 itself), and documents and records from customers, suppliers, and partners (e.g., contracts, service agreements, product/service specification, operation manuals, emails, etc.).

3 - For example, an email is an external document, so would someone be tasked to archive them somewhere in this policy?

This is an acceptable solution, but a simpler one would be that someone simply tags emails that need to be controlled, so that they can be easily found if needed. Such a procedure for handling external documents can be defined in section 4 of the Procedure for Document and Record Control (Documents of external origin).

This material will also help you regarding control of documents:

  • Free video tutorial that you received as part of your toolkit: How to Write ISO 27001/ISO 22301 Document Control Procedure

This article will provide you a further explanation about document management:

This material can also provide support:

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Dec 11, 2020

Dec 11, 2020

Suggested Topics

Guest user Created:   Oct 14, 2020 ISO 27001 & 22301
Replies: 1
0 0

Question about documents

Guest user Created:   Apr 28, 2020 ISO 27001 & 22301
Replies: 1
0 0

Question about documents

Guest user Created:   Sep 05, 2019 ISO 27001 & 22301
Replies: 1
0 0

Questions about documents