Procedure for the Control of Documented Information
ISO/IEC 27001 Toolkit Version 7 ©CertiKit 2016
Procedure for the Control of Documented Information [Insert Classification]
Implementation Guidance (The header page and this section must be removed from the final version of the document)
Purpose of this document
This document describes the controls in place for naming and versioning of documents and associated attributes.
Areas of the standard addressed
The following areas of the ISO/IEC 27001:2013 standard are addressed by this document:
- 7.5 Documented information
- 7.5.1 General
- 7.5.2 Creating and updating
- 7.5.3 Control of documented information
General Guidance
You may decide to change the version control scheme suggested in this document if it differs from that already in use within your organization. If you currently have a quality management system in other areas of your business, such as ISO 9001, then it may be preferable to make use of existing procedures for document control. Note that the printing and physical signing of approved documents is not a necessity; auditors will generally accept other methods of showing that a document has been officially approved, such as digital signing and the use of an “Approved” folder structure. You may find that many of the decisions about naming conventions for system-generated records etc. have already been made by the developers of the software in use, e.g. for security monitoring. However, you will still need to consider how to manage relevant records that are often fairly uncontrolled, such as meeting minutes and reports. You will need to establish the differing types of documented information you have and their owners before agreeing a consistent method of control. Ideally you will document any resulting procedures as part of the ISMS.
Version 1
Page 1 of 16
[Insert date]
Review Frequency
We would recommend that this document is reviewed annually.
Toolkit Version Number
ISO/IEC 27001 Toolkit Version 7 ©CertiKit 2016.
Document Fields
This document may contain fields which need to be updated with your own information, including a field for Organization Name that is linked to the custom document property “Organization Name”. To update this field (and any others that may exist in this document):
1. Update the custom document property “Organization Name” by clicking File > Info > Properties > Advanced Properties > Custom > Organization Name
2. Press Ctrl+A on the keyboard to select all text in the document (or use Select, Select All on the ribbon)
3. Press F9 on the keyboard to update all fields
4. When prompted, choose the option to just update TOC page numbers
If you wish to permanently convert the fields in this document to text, i.e. so that they are no longer updateable, then you will need to click into each occurrence of the field and press Ctrl+Shift+F9. If you would like to make all fields in the document visible then go to File > Options > Advanced > Show document content > Field shading and set this to “Always”. This can be useful to check that you have updated all fields correctly. Further detail on the above procedure can be found in the Toolkit Completion Instructions within the Project Resources folder.
Copyright notice
Except for any third party works included in this document, as identified in this document, this document has been authored by CertiKit, and is © copyright CertiKit except as stated below. CertiKit is a trading name of Public I.T. Limited, a company registered in England and Wales with company number 6432088 and registered office at 5 Falcons Rise, Belper, Derbyshire, DE56 0QN.
Licence terms
This document is licensed on and subject to the standard licence terms of CertiKit, available on request, or by download from our website. All other rights are reserved. Unless you have purchased this product you only have an evaluation licence. If this product was purchased, a full licence is granted to the person identified as the licensee in the relevant purchase order. The standard licence terms include special terms relating to any third party copyright included in this document.
Disclaimer
Please Note: Your use of and reliance on this document template is at your sole risk. Document templates are intended to be used as a starting point only from which you will create your own document and to which you will apply all reasonable quality checks before use. Therefore please note that it is your responsibility to ensure that the content of any document you create that is based on our templates is correct and appropriate for your needs and complies with relevant laws in your country. You should take all reasonable and proper legal and other professional advice before using this document. CertiKit makes no claims, promises, or guarantees about the accuracy, completeness, or adequacy of our document templates, assumes no duty of care to any person with respect to its document templates or their contents, and expressly excludes and disclaims liability for any cost, expense, loss or damage suffered or incurred in reliance on our document templates, or in expectation of our document templates meeting your needs, including (without limitation) as a result of misstatements, errors and omissions in their contents.
[Replace with your logo]
Procedure for the Control of Documented Information
Document Classification: [Insert Classification]
Document Ref.: ISMS-DOC-07-3
Version: 1
Dated: [Insert date]
Document Author:
Document Owner:
Revision History
Version | Date | Revision Author | Summary of Changes

Distribution
Name | Title

Approval
Name | Position | Signature | Date
Contents
1 Introduction (p. 7)
2 Document Control Procedure (p. 8)
2.1 Overview (p. 8)
2.2 Creation of Documents (p. 9)
2.2.1 Naming Convention (p. 9)
2.2.2 Version Control (p. 10)
2.2.3 Document Status (p. 11)
2.2.4 Documents of External Origin (p. 11)
2.3 Document Review (p. 11)
2.4 Document Approval (p. 12)
2.5 Communication and Distribution (p. 12)
2.6 Review and Maintenance of Documents (p. 13)
2.7 Archival of Documents (p. 13)
2.8 Disposal of Documents (p. 13)
3 Records Lifecycle (p. 14)
3.1 Identification (p. 14)
3.2 Storage (p. 14)
3.3 Protection (p. 15)
3.4 Retrieval (p. 15)
3.5 Retention (p. 15)
3.6 Disposal (p. 15)

List of Figures
Figure 1 – Document control procedure (p. 8)
Figure 2 - Revision history (p. 10)
Figure 3 - Document approval (p. 12)
Figure 4 - Distribution list (p. 12)

List of Tables
Table 1 - Document subject area references (p. 10)
Table 2 - Document review guidelines (p. 11)
Table 3 - Document approval boards (p. 12)
1 Introduction
“Documented information” is defined by ISO as “information required to be controlled and maintained by an organization and the medium on which it is contained”. This term covers what used to be referred to as “documents and records” and for reasons of clarity this procedure still draws a distinction between these two types of documented information. The use of documented information is an essential part of the Information Security Management System (ISMS) in order to set out management intention, provide clear guidance about how things should be done and provide evidence of activities that have been performed. The ISO/IEC 27001 standard requires that all documented information that makes up the ISMS must be controlled to ensure that it is available and suitable for use, where and when needed, and is adequately protected. Such control is essential in order to ensure that the correct processes and procedures are in use at all times within the organization and that they remain appropriate for the purpose for which they were created. The general principles set out in the standard and adopted within this procedure are that all documented information must be:
- Readily identifiable and available
- Dated, and authorised by a designated person
- Legible
- Maintained under version control and available to all people and locations where relevant activities are performed
- Promptly withdrawn when obsolete and retained where required for legal or knowledge preservation purposes
This procedure sets out how this level of control will be achieved within [Organization Name].
2 Document Control Procedure
This procedure applies to “documents” (as opposed to “records”, which are covered later) which are generally created via a word processor (or similar office application) and describe management intention, such as policies, plans and procedures.
2.1 Overview
The overall process of control for documents is shown in the diagram below.
[Figure 1 – Document control procedure: a flow diagram with the steps Document Creation, Document Review, Documents of External Origin, Document Approval, Communication and Distribution, Review and Maintenance, Archival, and Disposal]
Figure 1 – Document control procedure
Each of these steps is described in more detail in the remaining sections of this procedure.
2.2 Creation of Documents
The creation of documents will be at the request of the [Organization Name] management team and may be done by any competent individual appropriate to the subject and level of the document. However, there are a number of rules that must be followed when creating a document to be used in the ISMS.
2.2.1 Naming Convention
The convention for the naming of documents within the ISMS is to use the following format:
ISMS-DOC-xx-yy Document Title Vn Status dd
where:
ISMS = Information Security Management System
DOC = Document
xx = Subject area reference (see Table 1)
yy = Unique document number
Document Title = Meaningful description of document
Vn = Version n
Status = Status of document (Draft or Final)
dd = Number of draft, if appropriate
A unique number will be allocated for each document and an index of document references maintained within the ISMS Quality System - see the Information Security Management System Documentation Log for more details. Subject area references are designed to map onto the sections of the ISO/IEC 27001 standard as follows (further subject areas may be created as required):
Subject Area Reference | ISO/IEC 27001:2013 Subject Area
00 | Introduction and project resources
01 | 1. Scope
02 | 2. Normative references
03 | 3. Terms and definitions
04 | 4. Context of the organization
05 | 5. Leadership
06 | 6. Planning
07 | 7. Support
08 | 8. Operation
09 | 9. Performance evaluation
10 | 10. Improvement
A05 | A5. Security policy
A06 | A6. Organization of information security
A07 | A7. Human resource security
A08 | A8. Asset management
A09 | A9. Access control
A10 | A10. Cryptography
A11 | A11. Physical and environmental security
A12 | A12. Operations security
A13 | A13. Communications security
A14 | A14. System acquisition, development and maintenance
A15 | A15. Supplier relationships
A16 | A16. Information security incident management
A17 | A17. Information security aspects of business continuity management
A18 | A18. Compliance
Table 1 - Document subject area references
2.2.2 Version Control
Document version numbers will consist of a major number only, e.g. V2 is Version 2. When a document is created for the first time it will have a version number of 1 and be in a status of Draft. Each time a draft is distributed, any further changes will result in the draft number being incremented by 1, e.g. from 1 to 2. For example, when a document is first created it will be Version 1 Draft 1. A second draft will be V1 Draft 2, etc. When the document is approved it will become V1 Final. The version number will be incremented when a subsequent version is created in draft status. For example, a revision of an approved document which is at V1 Final will be V2 Draft 1, then V2 Draft 2, etc., until approved, when it will become V2 Final. Documents must include a revision history as follows:
Revision History
Version | Date | Revision Author | Summary of Changes
Figure 2 - Revision history
Once the document reaches its final version, only approved versions should be recorded in this table.
2.2.3 Document Status
The status reflects the stage that the document is at, as follows:
Draft = Under development and discussion, i.e. it has not been approved
Final = Following approval and release into the live work environment
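As an added example (not part of the CertiKit template), the following Python parses document names written in the 2.2.1 convention, checks the subject area reference against Table 1, and applies the 2.2.2 draft, approval and revision transitions so that a document register can reject names that do not follow the procedure. The function names, the dataclass and the sample title are assumptions.

```python
import re
from dataclasses import dataclass, replace
from typing import Optional

# Subject area references from Table 1: clauses 00-10 and Annex A05-A18.
SUBJECT_AREAS = {f"{n:02d}" for n in range(0, 11)} | {f"A{n:02d}" for n in range(5, 19)}

# ISMS-DOC-xx-yy Document Title Vn Status dd  (the draft number dd only appears for drafts)
_NAME_RE = re.compile(
    r"^ISMS-DOC-(?P<area>\d{2}|A\d{2})-(?P<number>\d+) "
    r"(?P<title>.+?) V(?P<version>\d+) "
    r"(?:(?P<final>Final)|Draft (?P<draft>\d+))$"
)


@dataclass(frozen=True)
class DocumentName:
    area: str
    number: int
    title: str
    version: int
    draft: Optional[int]  # None means the status is Final

    @property
    def status(self) -> str:
        return "Final" if self.draft is None else "Draft"

    def __str__(self) -> str:
        suffix = "Final" if self.draft is None else f"Draft {self.draft}"
        return f"ISMS-DOC-{self.area}-{self.number} {self.title} V{self.version} {suffix}"


def parse_name(name: str) -> DocumentName:
    """Parse and validate a document name against the section 2.2.1 convention."""
    m = _NAME_RE.match(name)
    if not m:
        raise ValueError(f"does not match ISMS-DOC-xx-yy Title Vn Status dd: {name!r}")
    if m["area"] not in SUBJECT_AREAS:
        raise ValueError(f"unknown subject area reference {m['area']!r} (see Table 1)")
    if int(m["version"]) < 1 or (m["draft"] is not None and int(m["draft"]) < 1):
        raise ValueError("version and draft numbers start at 1")
    return DocumentName(
        area=m["area"], number=int(m["number"]), title=m["title"],
        version=int(m["version"]),
        draft=None if m["final"] else int(m["draft"]),
    )


def next_draft(doc: DocumentName) -> DocumentName:
    """Further changes after a draft was distributed: V1 Draft 1 -> V1 Draft 2."""
    if doc.draft is None:
        raise ValueError("a Final document is revised with revise(), not redrafted")
    return replace(doc, draft=doc.draft + 1)


def approve(doc: DocumentName) -> DocumentName:
    """Approval: V1 Draft n -> V1 Final (the draft number is dropped)."""
    if doc.draft is None:
        raise ValueError("document is already Final")
    return replace(doc, draft=None)


def revise(doc: DocumentName) -> DocumentName:
    """Revision of an approved document: V1 Final -> V2 Draft 1."""
    if doc.draft is not None:
        raise ValueError("only a Final document starts a new major version")
    return replace(doc, version=doc.version + 1, draft=1)


if __name__ == "__main__":
    # Constructed sample name using this template's own reference ISMS-DOC-07-3.
    doc = parse_name("ISMS-DOC-07-3 Procedure for the Control of Documented Information V1 Draft 1")
    for step in (next_draft, approve, revise):
        doc = step(doc)
        print(doc)
```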
2.2.4 Documents of External Origin
Documents that originate outside of the organization but form part of the ISMS will be allocated a reference and a header page attached at the front of the document, setting out information that is normally included in internal documents, i.e.:
- Document reference
- Version
- Date
- Status
- Distribution
Such documents will then be subject to the same controls as those that originate internally.
2.3 Document Review
Draft documents will be reviewed by a level and number of staff appropriate to the document content and subject. Guidelines are as follows:
Document Type | Reviewers
Strategy |
Policy |
Procedure |
Plan |
Table 2 - Document review guidelines
Once approved, the date of next scheduled review should be recorded in the Information Security Management System Documentation Log.
2.4 Document Approval
All documents must go through an approval board to ensure that they are correct, fit for purpose and produced within local document control guidelines. The board will differ depending upon the type of document, and a document may go to numerous groups prior to being approved. In standard terms, approval boards are:
Document Type | Approvers
Strategy |
Policy |
Procedure |
Plan |
Table 3 - Document approval boards
Each document that requires approval should have a table for the purpose as shown below:
Approval
Name | Position | Signature | Date
Figure 3 - Document approval
Once approved, a copy of the document must be printed and signed by the approver. [Note – you may choose to do this electronically rather than by printing a copy]. This copy will then be retained in a central file. Upon approval of a new version of a document, all holders of previous versions will be instructed to obtain a new version and destroy the old one.
2.5 Communication and Distribution
A distribution list will be included as follows:
Distribution
Name | Title
Figure 4 - Distribution list
This list must be accurate as it will be used as the basis for informing users of the document that a new version is now available.
2.6 Review and Maintenance of Documents
All final documents must be stored electronically and in paper format both locally and off-site to ensure that they are accessible in any given situation. ISMS documents are stored electronically on the shared drive under the relevant sub-folder (e.g. Management responsibility, Management review etc.). The drive is a shared drive to which all appropriate members of [Organization Name] have access, in line with the published Access Control Policy. Final documents are stored in paper format in a filing structure that mimics the electronic version. [State the location of the paper files]. A full copy of final documentation will be reproduced and stored within the Definitive Media Library.
2.7 Archival of Documents
Approved documents exceeding their useful life are stored in a Superseded Folder on the shared drive in order to form an audit trail of document development and usage. They should be marked as being superseded in order to prevent them being used as a latest version by mistake.
2.8 Disposal of Documents
Paper copies of approved documents that have been superseded are to be disposed of in secure bins or shredded, in line with agreed Information Classification Guidelines and Asset Handling Procedures.
3 Records Lifecycle
This section describes the control of the type of documented information that generally shows what has been done, i.e. is a “record” of activity, such as a completed form, security log or meeting minutes.
3.1 Identification
There is a variety of types of record that may form part of the ISMS and these will be associated with the specific processes that are involved, such as:
- Security incidents
- Change requests
- Configuration items
- Security event logs
In addition there will be more general items such as meeting minutes which could apply across processes. In terms of identification, in many cases this will be dictated by the tool creating the record, for example a unique numbering system such as INC000001 for security incidents or CHG000001 for changes will be used by the tool. For those records that are manually created the following rules will apply:
1. Meeting minutes will be named according to the subject of the meeting and the date
2. Reports will be named according to the subject of the report and the reporting period
3. Logs will be named with the title of the log and the date/time period covered
For any other types of record not covered, the creator should use common sense to ensure that the name chosen gives a good indication as to the contents of the file and it should be stored in a location relevant to its purpose.
3.2 Storage
Many records within the ISMS will be stored in application databases specifically created for the purpose, e.g. the security incident database. For non-database records, a logical filing structure will be created according to the area of the ISMS involved. [Describe the filing structure on your server in which you will store your ISMS records]
Where possible, all records will be held electronically; paper documents should be scanned in if an original electronic copy is not available.
3.3 Protection
Records held in application databases will be subject to regular backups in line with the agreed backup policy. File storage areas will also be backed up regularly, with all latest backups held at an offsite location. Access to the records will be restricted to authorised individuals in accordance with the [Organization Name] Access Control Policy.
3.4 Retrieval
Records will generally be retrieved via the application that created them, e.g. the service desk system for security incidents and an event viewer for logs. Reporting tools will also be used to process and consolidate data into meaningful information.
3.5 Retention
The period of retention of records within the ISMS will depend upon their usefulness to [Organization Name] and any legal, regulatory or contractual constraints. Security-related service desk records are useful for historical trend analysis and so will be kept for a period of at least 7 years. Particular care will be taken where records may have some commercial relevance in the event of a dispute, e.g. contracts and minutes of meetings with suppliers, and these should be kept for the same length of time. Records that are particularly detailed and only relevant for a short period of time, such as server event logs, should only be kept as long as there is an immediate requirement for them. Specific retention periods are set out in the Records Retention and Protection Policy.
3.6 Disposal
Many systems provide for the concept of archiving and in most cases this should be used rather than deletion. However, once it has been decided to dispose of a set of records they should be deleted using the appropriate software, e.g. the service desk system will provide a facility to delete security incident records. If such records are held on hardware that is also to be disposed of then all hard disks must be shredded by an approved contractor.
Paper copies of records that are to be disposed of should be shredded in line with agreed Information Classification Guidelines and Asset Handling Procedures.