Expert Advice Community

Records management question

Created:   Sep 06, 2020 Last commented:   Sep 06, 2020


A question on the Document classification protocol that we reference within the Procedure for Document and Record Control. Do we need to amend ALL HISTORICAL, CURRENT and ACTIVE documents. For ISO, will they audit all documents even if in an archive?

For example, if we have 1000 documents in our shared drive (Dropbox), do we need to retrospectively go back and add the document history, version control, owner information and other expected document details for each and every one?

Can you advise on document classification and file naming convention? recommendation?

e.g. if someone sees something topical of learning interest to the team, let’s say they take a screenshot and copy it into a Word doc or PowerPoint or something. What kind of document classification and record logging would you suggest we apply to something like this? How would you propose a team member saves the file for this? 200903_team_learning_internal_v0.1

What should we have in the file name? Date, document purpose, owner, version? (I know subject to the annex criteria as we may need to put document classification in there too – internal/confidential etc.) 

Should we have underscores underneath each one? 


Expert
Rhand Leal Sep 06, 2020

1 - A question on the Document classification protocol that we reference within the Procedure for Document and Record Control. Do we need to amend ALL HISTORICAL, CURRENT, and ACTIVE documents? For ISO, will they audit all documents even if in an archive?

For example, if we have 1000 documents in our shared drive (dropbox), do we need to retrospectively go back and add the document history, version control, owner information and other expected document details for each and every one?

Answer: In this first answer I'm assuming that, by the procedure you mentioned and the provided example, by Document classification protocol you mean document management and not information classification management (i.e., identification of classification levels).

In this case, it is important to note that ISO 27001 does not specify how to perform document and record control, only that this activity must be performed.

Considering that, the need for identification of details in documents should consider the moment the Procedure for Document and Record Control was approved and released for use, and any top management decision or legal requirements (e.g., laws, regulations or contracts) demanding this identification to be performed. The auditors may look for all documents which fit in these criteria in an audit.

For example, if your procedure was approved and released for use six months ago, then any document created and updated from that date up to today must be identified as required by the procedure. Additionally, if top management, or applicable legal requirements, demand some specific documents to be documented up from another date before the release of the procedure (e.g., because obsolete documents and records must be kept from a period before the release of the procedure), these documents and records should be documented as required.

For further information, see:
- Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/

2 - The same previous question, now considering that your question refers to information classification management

In case your question is in fact about information classification, you must include the classification information following the same rules.

Considering that, the need for classification of documents should consider the moment the Procedure for Document and Record Control, containing your Data classification protocol, was approved and released for use, and any top management decision or legal requirements (e.g., laws, regulations or contracts) demanding this classification to be performed. The auditors may look for classification of all documents which fit in these criteria in an audit.

For example, if your procedure was approved and released for use six months ago, then any document created and updated from that date up to today must be classified as required by the procedure. Additionally, if top management, or applicable legal requirements, demand some specific documents to be classified up from another date before the release of the procedure (e.g., because obsolete documents and records must be kept from a period before the release of the procedure), these documents and records should be classified as defined by your protocol.

For further information, see:
- Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/

3 - Can you advise on document classification and file naming convention? recommendation?

e.g. if someone sees something topical of learning interest to the team, let’s say they take a screenshot and copy it into a word doc or PowerPoint or something. What kind of document classification and record logging would you suggest we apply to something like this? How would you propose a team member saves the file for this? 200903_team_learning_internal_v0.1

What should we have in the file name? Date, document purpose, owner, version? (I know subject to the annex criteria as we may need to put document classification in there too – internal/confidential etc.)

Should we have underscores underneath each one?

Answer: This is another situation where ISO 27001 does not prescribe what to do, so organizations are free to name documents as best fits their needs.

Considering that, your proposed structure is acceptable for certification purposes.
