
Expert Advice Community

Some question about certification ISO 27001

Guest user. Created: Dec 09, 2022. Last commented: Dec 09, 2022

We’ve got some questions about the documents required for ISO 27001:

On which documents do we have to write information like “User, Version, Change History etc.”? In the document “00_Verfahren_zur_Lenkung_von_Dokumenten” it is written that this procedure encompasses all documents and records, stored in any possible form – paper, audio, video – if the documents are related to the ISMS. But which documents does it concern exactly?
Similar question: Which documents have to be included in the master list and which in the incoming mail book?
And then we need to know which information could be confidential. The entire certification process of the ISMS isn’t confidential but completely public for us.

We hope you can help and look forward to hearing from you.


Expert
Rhand Leal Dec 09, 2022

1. On which documents do we have to write information like “User, Version, Change History etc.”? In the document “00_Verfahren_zur_Lenkung_von_Dokumenten” it is written that this procedure encompasses all documents and records, stored in any possible form – paper, audio, video – if the documents are related to the ISMS. But which documents does it concern exactly?

The easiest way to figure out which documents you need to apply document control information to is to check which documents are mentioned in the policies and procedures included in your toolkit.

For example, in the Secure Development Policy, section 3.3 Secure engineering principles it is mentioned that procedures for secure information system engineering will be issued, so these procedures must contain document control information.

Please note that user / version / change history information is applicable only to documents.

For further information, see:

2. Similar question: Which documents have to be included in the master list and which in the incoming mail book?

First, it is important to note that ISO 27001 does not require a master list to be created.

Considering that, in a master list you include information about all documents related to the ISMS scope (e.g., policies, procedures, reports, etc.), while in the incoming mail book you include information about documents of external origin, like customer and supplier documents, standards, laws, etc.

3. And then we need to know which information could be confidential. The entire certification process of the ISMS isn’t confidential but completely public for us.

First, it is important to know that you only need to classify information in case you have risks, or legal requirements, demanding the implementation of control 5.12 Classification of information.

Considering that, based on relevant risks and applicable legal requirements you can define the necessary classification levels (and you can even have a single classification level) and the criteria to apply them.

Considering your statement, in case all information in your ISMS is accessible to your employees, but not to external parties, examples of classification levels to be used would be “internal” and “public”.

For further information, see:
