Maintaining Documented Information for the ISMS

00:01

Listen 5.5, maintaining documented information for the SMS.

00:09

In this lesson, we will cover understanding the standard requirements on maintaining documented information

00:15

as well as document control considerations.

00:22

Now we've spoken about documented information quite a bit in previous sections.

00:26

There, we focused on what the required documentation, if there was any, was for each pause.

00:33

This section,

00:34

which is related to close 7.5,

00:38

focuses on managing all of the required documentation within the ice mess as a whole.

00:44

One thing to remember, just because it says documented, doesn't automatically mean this is a physical document.

00:51

All documents can be maintained digitally,

00:55

as we have spoken quite a bit about what type of documentation is required. The section will focus on the requirement that the I so 27,001 standard has for creating and maintaining documented information

01:08

to better organize and maintain the documentation for your SMS.

01:12

It is often useful to create a structure document library,

01:17

for example, a dedicated folder for ice miss documents appropriately protected. Of course,

01:23

a folder structure can help you sort and make sense of different types of documents

01:26

rather than one big document. Dump

01:30

the document register that lists all of the documents pertaining to the ice miss.

01:36

And this can contain history about the various document approvals, updates and so forth.

01:41

This is a quick way to show in order to the volume of documents your organization has

01:46

and that you're keeping definitive records about the documents.

01:51

If your system has some sort of document management system in place or content management system,

01:56

this would also be a great tool to use to manage all of your supporting documentation.

02:01

So some considerations to take note of

02:06

have templates for your documented information,

02:08

especially if its policies or procedures

02:10

having one template that could be reused over and over

02:15

inches, that your documents all conformed to the same standard

02:17

and that they all have the required basics.

02:23

Determine and document what your document revision and approval processes.

02:28

How often will your documents be reviewed

02:30

and how often will who needs to approve these documents?

02:36

Keep it a section in the document itself

02:38

in each document

02:40

that contains the document review and approval history,

02:45

as well as any changes that have been made in the document during the subsequent reviews,

02:52

have a document register that links the document to the actual

02:57

documents.

02:58

For example,

03:00

register that lists documents one through 50 for example, with their names

03:05

and contains some sort of hyperlink or other quick access mechanism

03:08

to bring up the associate ID documents.

03:17

Your documents should all include some standard attributes.

03:22

These are important to show that the documents are following and defined process of being drafted, reviewed and approved prior to being made available to the relevant stakeholders.

03:31

Date on the document are very important as this shows that the document was last reviewed or updated

03:38

and therefore when it would be do again for review or update based on the defying frequency

03:44

revision. History should include the changes that were made to the document

03:47

and whether these were substantial in nature in terms of content changes

03:53

or merely cosmetic for formatting related changes.

03:57

The classification of the information is also very important.

04:00

There should be done in line with your organization's data classifications, policies and procedures.

04:05

Not all documents supporting the item is will have the same level of confidentiality.

04:13

The information security policy would need to be shared with all personal in the organization,

04:17

but not necessarily toe all external stakeholders.

04:21

Certain reports and metrics of information, security controls and objectives might only be shared with personal within the relevant need to know,

04:30

and these would not necessarily be made available for all in the organization to see.

04:38

Some standard document attributes include

04:40

the document, also

04:42

the documentary viewer.

04:44

The document approve ER,

04:46

the date

04:47

off which the document was initially drafted

04:50

when it was revised

04:51

when approvals happened, and so forth

04:56

details around the revision, history and changes made to the documentation

05:00

as well as the document classifications level.

05:06

Here are a few further considerations. To take note of that would help to ensure compliance to the standard

05:12

and also to ensure that your documentation is properly managed

05:15

when there are many personal involved in various aspects of the ice AMIS

05:19

and a wide interested parties list.

05:23

Having appropriate control of the information becomes important not only for compliance,

05:27

but to ensure that the documentation is easily accessible to those authorized to interact with it

05:32

and to ensure that the information is supporting the necessary functions.

05:38

Ensure that your information and documents is protected in line with its classifications.

05:44

In other words, restrict access to documents with higher

05:46

gasification levels,

05:49

a change control process should be followed so that only authorized personal can change, approved and redistribute documents.

05:59

The interested parties for each documented piece of information

06:02

should be identified and known to ensure distribution only happens to authorized parties.

06:10

Establish an appropriate retention period for your documented information

06:18

to summarize

06:20

during this lesson we covered.

06:23

Besides the standard of requiring

06:25

besides the standard requiring a lot of documented information,

06:29

this lesson covered how the standard requires this document to be maintained.

06:33

We covered document attributes that should be included on the documents.