Maintaining Documented Information for the ISMS
Lesson 5.5: Maintaining documented information for the ISMS.
In this lesson, we will cover understanding the standard's requirements on maintaining documented information,
as well as document control considerations.
Now, we've spoken about documented information quite a bit in previous sections.
There, we focused on what the required documentation, if there was any, was for each clause.
This lesson, which relates to clause 7.5,
focuses on managing all of the required documentation within the ISMS as a whole.
One thing to remember: just because it says documented doesn't automatically mean this is a physical document.
All documents can be maintained digitally.
As we have spoken quite a bit about what type of documentation is required, this section will focus on the requirements that the ISO 27001 standard has for creating and maintaining documented information.
To better organize and maintain the documentation for your ISMS,
it is often useful to create a structured document library,
for example, a dedicated folder for ISMS documents, appropriately protected. Of course,
a folder structure can help you sort and make sense of different types of documents
rather than one big document dump.
Also consider a document register that lists all of the documents pertaining to the ISMS.
This can contain history about the various document approvals, updates and so forth.
This is a quick way to show the volume of documents your organization has
and that you're keeping definitive records about the documents.
If your organization has some sort of document management system or content management system in place,
this would also be a great tool to use to manage all of your supporting documentation.
So, some considerations to take note of.
Have templates for your documented information,
especially for policies or procedures.
Having one template that can be reused over and over
ensures that your documents all conform to the same standard
and that they all have the required basics.
Determine and document your document revision and approval processes:
how often will your documents be reviewed,
and who needs to approve these documents?
Keep a section in each document
that contains the document review and approval history,
as well as any changes that have been made to the document during subsequent reviews.
Have a document register that links to the actual documents:
a register that lists documents one through 50, for example, with their names,
and contains some sort of hyperlink or other quick-access mechanism
to bring up the associated documents.
Your documents should all include some standard attributes.
These are important to show that the documents are following a defined process of being drafted, reviewed and approved prior to being made available to the relevant stakeholders.
Dates on the document are very important, as they show when the document was last reviewed or updated
and therefore when it would be due again for review or update based on the defined frequency.
Revision history should include the changes that were made to the document
and whether these were substantial in nature, in terms of content changes,
or merely cosmetic, formatting-related changes.
The classification of the information is also very important.
This should be done in line with your organization's data classification policies and procedures.
Not all documents supporting the ISMS will have the same level of confidentiality.
The information security policy would need to be shared with all personnel in the organization,
but not necessarily with all external stakeholders.
Certain reports and metrics on information security controls and objectives might only be shared with personnel with the relevant need to know,
and these would not necessarily be made available for all in the organization to see.
Some standard document attributes include:
the document author,
the document reviewer,
the document approver,
the date on which the document was initially drafted,
when it was revised,
when approvals happened, and so forth,
details around the revision history and changes made to the documentation,
as well as the document classification level.
Here are a few further considerations to take note of that would help to ensure compliance with the standard
and also to ensure that your documentation is properly managed
when there are many personnel involved in various aspects of the ISMS
and a wide list of interested parties.
Having appropriate control of the information becomes important not only for compliance,
but to ensure that the documentation is easily accessible to those authorized to interact with it
and to ensure that the information is supporting the necessary functions.
Ensure that your information and documents are protected in line with their classification.
In other words, restrict access to documents with higher
A change control process should be followed so that only authorized personnel can change, approve and redistribute documents.
The interested parties for each documented piece of information
should be identified and known, to ensure distribution only happens to authorized parties.
Establish an appropriate retention period for your documented information.
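As an added illustration of the register, attributes, review frequency and classification-based access described above (example code written for this page, not part of the lesson; the field names, classification labels and register entries are assumed):

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Attributes the lesson says every ISMS document should carry (field names are assumed).
REQUIRED = ("owner", "reviewer", "approver", "classification")
# Classification labels, least to most restricted (assumed; use your own policy's labels).
LEVELS = ("public", "internal", "need-to-know")

@dataclass
class Document:
    doc_id: str             # register number, e.g. DOC-001
    owner: str
    reviewer: str
    approver: str
    classification: str
    last_reviewed: date
    review_every_days: int  # the defined review frequency
    link: str               # quick-access link to the actual document
    revisions: list = field(default_factory=list)  # (date, substantial?, note)

    def next_review_due(self) -> date:
        return self.last_reviewed + timedelta(days=self.review_every_days)

def validate(doc: Document) -> list:
    """Problems an auditor would flag: missing attributes, unknown label, no history."""
    problems = [f"missing {a}" for a in REQUIRED if not getattr(doc, a)]
    if doc.classification and doc.classification not in LEVELS:
        problems.append(f"unknown classification {doc.classification!r}")
    if not doc.revisions:
        problems.append("no revision history")
    return problems

def overdue(register: list, today: date) -> list:
    """Documents whose next review date has already passed."""
    return [d.doc_id for d in register if d.next_review_due() < today]

def accessible(register: list, clearance: str) -> list:
    """Documents a reader cleared up to `clearance` may be given access to."""
    return [d.doc_id for d in register if d.classification in LEVELS
            and LEVELS.index(d.classification) <= LEVELS.index(clearance)]

# Constructed sample register; every entry below is made up for this example.
REGISTER = [
    Document("DOC-001", "CISO", "Security Manager", "CEO", "internal", date(2024, 1, 15),
             365, "file:///isms/DOC-001.docx", [(date(2024, 1, 15), False, "formatting only")]),
    Document("DOC-002", "Security Manager", "Analyst", "CISO", "need-to-know", date(2024, 4, 1),
             90, "file:///isms/DOC-002.xlsx", [(date(2024, 4, 1), True, "added new KPIs")]),
    Document("DOC-003", "IT Lead", "", "CISO", "internal", date(2023, 6, 1),
             365, "file:///isms/DOC-003.docx"),
]
```

Running validate over the register flags DOC-003 for its missing reviewer and empty revision history, and overdue lists which documents have passed their review date.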
During this lesson we covered the following.
Besides the standard requiring a lot of documented information,
this lesson covered how the standard requires this documentation to be maintained.
We covered document attributes that should be included in the documents.
We also covered considerations on how to manage and control these documents.