Records or Documents

Guest user Created:   Mar 11, 2021 Last commented:   Mar 11, 2021

Hi. I'm trying to decide whether Risk Assessments and Risk Treatment Plans would be considered documents or records. In other words, should they be version controlled? Or should they have specific record retention periods?

Expert
Rhand Leal Mar 11, 2021

Please note that documents describe rules to be followed and/or actions to be performed, whereas records evidence actions performed and/or results achieved. Additionally, documents can be updated, while records cannot (at most they can be complemented, i.e., new information can be added, but the original information cannot be changed).

Considering that, Risk Assessments are records (they evidence that risk assessment was performed and the assessed risks), as well as Risk Treatment Plans (they evidence which actions were performed to treat risks and achieved results). Since records cannot be updated, it only makes sense to apply version control on them if they can be complemented (in this case the information for version control can be the date of the last included complement). However, they need to have ways to be uniquely identified.

As records, they indeed need to have specific retention time, based on business and legal requirements.

This article will provide you a further explanation about record management:

These materials will also help you regarding record management:
