Question regarding the procedure for document and record control
I'll have to answer in 3 parts:
1) There are a couple of mandatory documents and records which must be controlled within your ISMS - you can see this list of documents in this article: List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
2) The documents from your customer projects do not have to be controlled as ISMS documents - you can define your own rules, which can be different from ISMS document control rules.
3) Classification and labeling is not a mandatory control (although in practice it is highly recommendable); you have to perform it only if you have contractual or regulatory requirements and/or if you have unacceptable risks. You can perform classification and labeling both on the documents that must be controlled and on documents that are not controlled within your ISMS - the scope of classification and labeling is something you have to define on your own. This article can also help you: Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
Jan 12, 2016