Expert Advice Community


Question regarding the procedure for document and record control

Guest user Created:   Jan 12, 2016 Last commented:   Jan 12, 2016

Currently, we are faced with a question regarding the procedure for document and record control: within our certified quality management, we already have such a procedure in place. However, this procedure only applies to documents and records of the management systems, as well as to templates, guidelines and other policies that are binding for employees. In contrast, documents and records that are, for instance, created within customer projects are only implicitly part of the document control, i.e., employees should use the templates that are part of the document control (if applicable). In fact, the templates contain a mandatory field for the confidentiality class, and we will also have a policy for classification and labelling of information. Nevertheless, probably a lot of information exists that is not, or rather cannot be, documented by the use of the controlled templates. Now, we are wondering whether or not the current "scope" of documents and records to be controlled is also sufficient in terms of the ISO 27001 requirements, in particular in light of the plan to have a policy for classification and labelling?

DejanK Jan 12, 2016

I'll have to answer in 3 parts:
1) There are a couple of mandatory documents and records which must be controlled within your ISMS - you can see this list of documents in this article: List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
2) The documents from your customer projects do not have to be controlled as ISMS documents - you can define your own rules, which can be different from ISMS document control rules.
3) Classification and labeling is not a mandatory control (although in practice it is highly recommendable), you have to perform it only if you have contractual or regulatory requirements and/or if you have unacceptable risks. You can perform classification and labeling to both the documents that must be controlled, and to documents that are not controlled within your ISMS - the scope of classification and labeling is something you have to define on your own. This article can also help you: Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
