What to do with legacy documents & materials

Guest user Created:   Feb 15, 2022 Last commented:   Feb 15, 2022

1 - I am looking at our options in regards to planning a roll out of information classification and retention policies and tools within our organization to help users identify, classify, and protect sensitive data and assets for ISO 27001. Currently we have been filing all our information haphazardly in Dropbox. No standards. No management of the Dropbox folders ... so it's a mess. With 27001 we plan to set up a new structure in Dropbox and migrate/convert the Company documents/assets into the ring-fenced folders, and then freeze the existing Dropbox folders, with a long-term objective of sun-setting the content. Is there a tried and tested method for this task? We have limited resources so it will take time to do.

2 - My other question is, will the auditors want to look at the legacy materials? Our aim is to put an ISO stake in the ground and have all relevant / supporting PowerX docs filed in the new folder structure. For ISO 27001 we will use Dropbox as the DMS, but will most likely migrate to alternative Apps/Software, such as Conformio in 2023.

Expert
Rhand Leal Feb 15, 2022

1 - I am looking at our options in regards to planning a roll out of information classification and retention policies and tools within our organization to help users identify, classify, and protect sensitive data and assets for ISO 27001.

Currently we have been filing all our information haphazardly in Dropbox. No standards. No management of the Dropbox folders ... so it's a mess. With 27001 we plan to set up a new structure in Dropbox and migrate/convert the Company documents/assets into the ring-fenced folders, and then freeze the existing Dropbox folders, with a long-term objective of sun-setting the content.

Is there a tried and tested method for this task? We have limited resources so it will take time to do.

To build a structure that is sound for your business you can consider at least these approaches:

  • organize documents by organizational units (i.e., which areas need access to which documents)
  • organize documents by processes (i.e., which documents need to be accessed to cover related steps to deliver a defined result – e.g., documents related to payroll)
  • organize documents by roles (i.e., which people need access to which documents)

Considering that, you should follow these steps:  

  1. list all documents that need to be accessed
  2. identify the documents according to defined criteria
  3. create specific folders to group documents that have similar criteria

The toolkits you’ve bought are an example of the organization by process (from document management to corrective actions). You can use them to organize your documents, or as a template to build your own structure.

2 - My other question is, will the auditors want to look at the legacy materials? Our aim is to put an ISO stake in the ground and have all relevant / supporting PowerX docs filed in the new folder structure. For ISO 27001 we will use Dropbox as the DMS, but will most likely migrate to alternative Apps/Software, such as Conformio in 2023.

Auditors will be looking for legacy materials only if they are previous versions of documents being used by the time of the audit, to check if document management criteria related to change control are being fulfilled (e.g., document review, change control, etc.).

For example, if your current Access control policy is an update of a legacy Access control policy, the auditor may want to see this document. On the other hand, if the legacy documents include a Backup policy related to a technology that was discontinued by the time the implementation of the ISMS started, there is no need to access this document.
