Records or Documents

Please note that documents describe rules to be followed and/or actions to be performed, whereas records evidence actions performed and/or results achieved. Additionally, documents can be updated, while records cannot (at most they can be complemented, i.e., new information can be added, but the original information cannot be changed).

Considering that, Risk Assessments are records (they evidence that risk assessment was performed and the assessed risks), as well as Risk Treatment Plans (they evidence which actions were performed to treat risks and achieved results). Since records cannot be updated, it only makes sense to apply version control on them if they can be complemented (in this case the information for version control can be the date of the last included complement). However, they need to have ways to be uniquely identified.

As records, they indeed need to have specific retention time, based on business and legal requirements.

This article will provide you a further explanation about record management:

• Records management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/

These materials will also help you regarding record management:

• Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/
• Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/