There is nothing worse than picking up something new or where someone has last left it. Often this leaves you a little confused, whether you are unable to locate the document itself or if there is missing information. With the appropriate document controls and storage in place, this will make it a little easier.
Sections 7.5.2 and 7.5.3. of ISO27001, in relation to updating and control of documents clearly express the steps that are to be taken. The individuals who regularly make updates to records or policies should follow this practice.
These are some of the document requirements from the standard such as:
- Reference number;
- Paper or electronic;
Locating the Latest Version of Documents
This could lead you tracing steps backwards to find out who had the last copy and where it may be. If the individual is around then its easy to locate but if the trail is at a loose end, then you may have to consider alternative options.
If another internal personnel is working on updating policies or records and has not passed the latest version down to the information security manager then they may not be aware of the changes made. That individual may end up checking to find what has changed.
Once you locate the last version of a policy or record check the version control and changes to see if it’s accurate or update what’s missed out by mapping to any update requirements from audits.
Creating a Central Location
Quite often you will hear “it was in the last email I sent you or I have somewhere in my email” and waiting to receive the correct documents. This can sometimes create a delay in accessing the information or if the key personnel has moved on even with auto search it can be a little tricky to locate the actual documentation.
If a central location does not exist find out where the current set of policy and record documents are kept. If they on a separate platform on a third party to the business, consider if it makes sense to bring these copies to the business internal storage either locally or cloud-based.
It is helpful for the business internal team to have a central location of the policy and documents in a central location as it is easier for everyone to access.
Other Benefits of a Central Location
A business central space to store also allows you to add and create a file storage system to include internal audit, external audits and standards to manage the ISO27001.
Whilst one person in your business is working on a document, the system may lock any updates or access to the document thereby ensuring that changes can be made one at a time.
It also demonstrates to the external auditor that you are organised, and the file system allows you to go and locate the documents you need at during the audit.
By doing this all the documents and not just policy and records are in one single location.
There will be a number of documents that will be for the senior management these can be in the files which the senior management can access. This limits access by any other person to that particular folder who are not part of that group.
Version Control of Documents
The business is going to be making a number of changes to policies and records during various audits and this is likely to be included in the document version control practices being applied.
The historical changes view will give you an outlook on when changes were approved and what was changed.
Once the documents are created it’s sometimes easier to think there is very little for me to do here. In a year, your business may go through changes a regular review of documents allows you to either make the changes or keep the existing ones as is if there are no changes.
This also demonstrates that senior management have had the chance to go through review changes.
If a document is supposed to be confidential then this will need to appear in the document template with the appropriate disclaimers around it. To open a document with no label or incorrect label will be the gap that should not exist if the rest of the business is applying document classification correctly.
The documents all should be the same templates, imagine if the auditor looked at two sets of policies and the initial first two pages on each policy are completely different with branding and version control information.
They are going to be looking for a consistent approach to making sure a single latest version is being applied to all the documents.
You have a number of policies and records and whilst these may be updated recently with the correct owner this needs to accurate. Checks must be made with ownership record that these are the same otherwise this will be out of kilt.
Getting the policies and documents organised for ISO27001 will allow you greater flexibility to access, monitor and make changes. Instead of being scattered all over if the ISO27001 documents can be centralised then the information is available is at your fingertips when you need to access it.Want more ISO27001 Gudiance?