Maintaining Documented Information for the ISMS


Time
7 hours 56 minutes
Difficulty
Intermediate
CEU/CPE
8
Video Transcription
00:01
Lesson 5.5, maintaining documented information for the ISMS.
00:09
In this lesson, we will cover understanding the standard requirements on maintaining documented information
00:15
as well as document control considerations.
00:22
Now we've spoken about documented information quite a bit in previous sections.
00:26
There, we focused on what the required documentation, if there was any, was for each clause.
00:33
This section,
00:34
which is related to clause 7.5,
00:38
focuses on managing all of the required documentation within the ISMS as a whole.
00:44
One thing to remember: just because it says documented doesn't automatically mean this is a physical document.
00:51
All documents can be maintained digitally.
00:55
As we have spoken quite a bit about what type of documentation is required, this section will focus on the requirement that the ISO 27001 standard has for creating and maintaining documented information
01:08
to better organize and maintain the documentation for your ISMS.
01:12
It is often useful to create a structured document library,
01:17
for example, a dedicated folder for ISMS documents, appropriately protected. Of course,
01:23
a folder structure can help you sort and make sense of different types of documents
01:26
rather than one big document dump.
01:30
A document register lists all of the documents pertaining to the ISMS,
01:36
And this can contain history about the various document approvals, updates and so forth.
01:41
This is a quick way to show an auditor the volume of documents your organization has
01:46
and that you're keeping definitive records about the documents.
01:51
If your organization has some sort of document management system or content management system in place,
01:56
this would also be a great tool to use to manage all of your supporting documentation.
02:01
So, some considerations to take note of:
02:06
Have templates for your documented information,
02:08
especially if it's policies or procedures.
02:10
Having one template that can be reused over and over
02:15
ensures that your documents all conform to the same standard
02:17
and that they all have the required basics.
02:23
Determine and document what your document revision and approval processes are.
02:28
How often will your documents be reviewed,
02:30
and who needs to approve these documents?
02:36
Keep a section in the document itself,
02:38
in each document,
02:40
that contains the document review and approval history,
02:45
as well as any changes that have been made to the document during subsequent reviews.
02:52
Have a document register that links to the actual
02:57
documents.
02:58
For example,
03:00
a register that lists documents one through 50, for example, with their names
03:05
and contains some sort of hyperlink or other quick-access mechanism
03:08
to bring up the associated documents.
03:17
Your documents should all include some standard attributes.
03:22
These are important to show that the documents are following a defined process of being drafted, reviewed and approved prior to being made available to the relevant stakeholders.
03:31
Dates on the document are very important, as this shows when the document was last reviewed or updated
03:38
and therefore when it would be due again for review or update based on the defined frequency.
03:44
Revision history should include the changes that were made to the document
03:47
and whether these were substantial in nature in terms of content changes
03:53
or merely cosmetic, formatting-related changes.
03:57
The classification of the information is also very important.
04:00
This should be done in line with your organization's data classification policies and procedures.
04:05
Not all documents supporting the ISMS will have the same level of confidentiality.
04:13
The information security policy would need to be shared with all personnel in the organization,
04:17
but not necessarily with all external stakeholders.
04:21
Certain reports and metrics on information security controls and objectives might only be shared with personnel with the relevant need to know,
04:30
and these would not necessarily be made available for all in the organization to see.
04:38
Some standard document attributes include
04:40
the document author,
04:42
the document reviewer,
04:44
the document approver,
04:46
the date
04:47
on which the document was initially drafted,
04:50
when it was revised,
04:51
when approvals happened, and so forth,
04:56
details around the revision history and changes made to the documentation,
05:00
as well as the document classification level.
05:06
Here are a few further considerations to take note of that would help to ensure compliance with the standard
05:12
and also to ensure that your documentation is properly managed
05:15
when there are many personnel involved in various aspects of the ISMS
05:19
and a wide interested parties list.
05:23
Having appropriate control of the information becomes important not only for compliance,
05:27
but to ensure that the documentation is easily accessible to those authorized to interact with it
05:32
and to ensure that the information is supporting the necessary functions.
05:38
Ensure that your information and documents are protected in line with their classification.
05:44
In other words, restrict access to documents with higher
05:46
classification levels.
05:49
A change control process should be followed so that only authorized personnel can change, approve and redistribute documents.
05:59
The interested parties for each documented piece of information
06:02
should be identified and known to ensure distribution only happens to authorized parties.
06:10
Establish an appropriate retention period for your documented information.
06:18
To summarize,
06:20
during this lesson we covered:
06:25
Besides the standard requiring a lot of documented information,
06:29
this lesson covered how the standard requires this documentation to be maintained.
06:33
We covered document attributes that should be included on the documents.
06:39
We also covered considerations on how to manage and control these documents.
ISO 27001:2013 - Information Security Management Systems

The ISO 27001:2013 - Information Security Management Systems course provides students with insights into the detail and practical understandings meant by the various clauses in the ISO 27001 Standard.
