ISO 27001 Clause 7.5: Documented Information Explained

Neil Jones, Senior Consultant at URM
Published on 23 April 2026
SUMMARY

In this blog, we explain ISO 27001 Clause 7.5 and what organisations must do to manage documented information effectively within an information security management system (ISMS).  We cover how to identify required documentation, structure and control documents and records, and establish clear creation, approval, and review processes.  We also address retention, disposal, audit readiness and practical considerations such as document classification.

Clause 7.5 (Documented information) of ISO 27001 requires an organisation’s ISMS to include that documented information required by the Standard, as well as documented information determined by the organisation as being necessary for the effective operation of its ISMS.  The Clause also recognises that the extent of documented information will vary depending on factors such as the organisation’s size, the nature of its activities, processes, products and services, and the complexity of those processes.

What Does Conformance to Clause 7.5 Involve?

Clause 7.5 sets out requirements around the documents that need to be included in the ISMS, how the organisation should set about creating and updating documents, as well as how documented information should be controlled.  

Identify required documented information

  • Clause 7.5.1 specifies that you need to determine the documents required by ISO 27001 (i.e., the documentation specifically mentioned within the mandatory Clauses 4-10 of the Standard), and the documents necessary to operate the ISMS effectively.  The Standard includes the latter because, in order to operate the ISMS, you will inevitably need documents in addition to those required by Clauses 4-10; these may be driven by the non-mandatory Annex A controls or arise from existing governance practices.

The documentation that typically forms part of an ISMS includes:

  • ISMS Framework:  Often termed an ISMS manual or similar, this sets out the organisation’s conformance to the mandatory management system clauses
  • Policies:  For example, the information security policy as specified in Clause 5.2 (to learn more about this, read our blog on Developing an ISO 27001 Information Security Policy) and other topic-specific policies, e.g., access control, physical security and acceptable use policies, as suggested in Control A 5.1
  • Procedures:  Those directly required by management system clauses and processes required for wider information security management activities, e.g., information security incident management, access control and business continuity
  • Records:  Documents that may be produced as part of executing procedures related to the ISMS, e.g., information security incident logs, audit results, risk assessments and treatment plans, and competency matrices
  • Evidence:  Documentation that evidences conformance to Annex A controls, e.g., information security training records, system activity logs, vulnerability scan results and records of business continuity testing.

This documentation forms your ISMS documentation inventory.  

Define a documentation structure

Effective ISMSs include a well-defined and consistent framework for organising documentation, established during the development of the ISMS.  As well as allowing you to develop the initial ISMS documentation, this framework should be flexible and scalable, allowing effective management of further documentation identified during the lifetime of the ISMS.

This framework needs to include a document hierarchy of policies supported by procedures, supported by more detailed work instructions where necessary, in turn supported by records and evidence.  For example, policies should ideally be standalone, whilst procedures should map clearly to associated policies but not include further policy statements – doing so can lead to duplication of policy statements, which can drift over time and cause confusion when they are not consistent.  Documents must also adopt a consistent naming convention and referencing scheme.  Document references should support the delineation between types of documentation, e.g., using POL.x.x for policies and PROC.x.x for procedures.

Successful document management frameworks are reflected in structured document stores, whereby related documents are held in defined storage locations, readily available to those individuals who need them, and protected from unauthorised modification.

All documents need to follow defined versioning rules, meaning they are allocated a version number with a version history maintained, and have document statuses (such as ‘draft’) clearly identified.  You can use a document management system to automate versioning, but at minimum each document must contain a list of versions and modifications.  You also need to set out how version numbers increment, i.e., from 1.0 to 2.0 following a major change, versus from 1.1 to 1.2 following a minor change.

Finally, an effective document management framework promotes consistency, which can be achieved through the use of standardised templates, for example for policies, procedures, and individual records.

Establish document creation and approval processes

You need to define a document management approach covering how documents are drafted, owned, reviewed, approved and published.

  • Drafted:  Promote the use of templates to ensure consistency, and define rules around production of draft documents and publication of documents as ‘final’ or ‘issued’ versions.  This needs to be integrated into your versioning approach.
  • Owned:  Documents need a defined owner, i.e., an author responsible for the development and maintenance of the document throughout its lifetime.  You also need a mechanism to transfer ownership should an owner leave the organisation or move to a different role.
  • Reviewed:  Documents need appropriate peer review prior to their issue.
  • Approved:  As part of publication, documentation must be formally approved.  Exact approval requirements depend on your organisation’s structure and governance arrangements, but typically include management approval from the department publishing the document, and possibly from other departments impacted.  For example, a supplier management process published by Procurement may also impact and need approval from Finance and Information Security.
  • Published:  Publication may involve moving between storage locations, i.e., from draft to published folders, to which different individuals may have different levels of access.  Documents may also need to be ‘launched’ to their intended audiences; for example, an updated information security policy would typically be issued via an email to all employees, notifying them of the new version they must follow.

To facilitate all of the above, you need to specify who can create documents, often varying depending on the document type, who approves them, and how changes are requested and tracked.  The last is often overlooked, but the most effective frameworks include clear processes that allow individuals to request changes, and to manage and track those changes effectively.  Your change management process is likely to be too cumbersome for managing this – a simpler process is usually more effective.

Implement document control measures

Clause 7.5 requires that documents are available where needed and protected from loss, damage, or unauthorised access.  We have touched on this already, suggesting the use of structured document stores.  

Such stores need set access permissions to different areas of the store, for example to limit access to draft versions or original copies of published documents.  While published documents can be available to anyone who needs them, document modification should be restricted to the document owner or designated deputy.  You can achieve this through access permissions, or the use of read-only formats, such as PDF, locking the documents against modification if necessary.

In addition, you will need to define retention rules for key documentation (see below) and provide for the continued availability of documentation using backups or high availability systems.  Cloud environments can also be used to provide high availability, and in many cases smaller organisations may employ a cloud environment by default.

As mentioned above, the use of a structured document store with appropriate access permissions is important, but it is equally necessary to securely store documentation physically.  Though this may make organisation-wide documentation availability challenging for larger organisations, it can be highly effective for smaller ones.  However, you need to ensure that the same principles for security are echoed in the physical document store as in the electronic store.

Define retention and disposal requirements and mechanisms

You need to define how long documents are kept and how they are disposed of, usually in a policy, supported if needed by a retention schedule.  Instead of setting rules for every individual document, it is often simpler to group documentation into categories.  These categories may be based on organisational structure, legal or regulatory requirements, or another relevant factor, with the level of detail varying as needed.  For example, HR records might be grouped together, or split into categories such as employee history, salary information, CVs, and screening records.

Having established documentation categories, you need to define for each category how long documents must be kept, which will largely derive from legal, regulatory or contractual requirements, and where they must be stored.  Naturally, this will link to the document store, but may also set out specific security requirements or regional peculiarities such as government requirements to retain hard copies.  For physical copies, this may cover requirements for secure storage, e.g., fire resistant safes meeting specific standards.

You will also need to establish how documents are disposed of securely, which will typically be set out in policy, e.g., in an information classification and handling policy with supporting procedures.  Requirements and procedures must address both physical documents and media (such as removable storage media) disposal and electronic documents erasure.  This can include requirements for erasing individual documents but, more commonly, erasing storage within devices (such as laptops or other endpoint devices) or storage removed from systems (such as server disks or network storage).  External assessors can seek detailed information about your electronic erasure techniques, and how information is erased securely on cloud storage.

Maintain and update documented information

A mechanism is needed to ensure all documented information remains current, accurate and relevant.  This can be achieved through:

  • Scheduled reviews: Defining review cycles within individual documents and/or documentation registers, with a process to trigger documentation review in accordance with the defined review cycles.  Some document management systems can automate this.
  • Triggered reviews: Reviewing documents following information security incidents, audits or organisational changes.  External assessors may look for trigger points to be defined in processes, such as the information security incident management process.

It is important to maintain version control and change logs within documents to evidence that regular reviews are being conducted.

Organisations commonly ask how often they should conduct reviews, particularly in relation to policies which, once established, typically won’t change frequently.  Documents need only be reviewed in line with the documented review cycle.  In practice, assessors usually look for key documents like policies to be reviewed within the last 12 months (i.e., the annual ISO 27001 audit period), even if the outcome is simply to record that no changes were required.

However, the Standard doesn’t mandate a review cycle period, instead using phrases such as ‘reviewed regularly’ or ‘at planned intervals’.  Furthermore, other documents like work instructions for setting access rights in a system may not require update unless there is a change to the system, so will not need regular review.

Control records as evidence

Records are a specific type of documented information and must be complete, authentic, legible, traceable, and protected.  Protection has already been covered, and legibility is largely self-explanatory, applying primarily to physical records or scanned images of physical documents.  Completeness, authenticity, and traceability, however, are generally more challenging to achieve and demonstrate in practice.

  • Completeness:  To help determine record completeness, use metadata or structured referencing schemes, whereby records are allocated consecutive reference numbers indelibly linked to the record itself.
  • Authenticity:  For the most sensitive records, techniques such as digital signatures and encryption can be used to determine whether the record has been tampered with, whilst physical records can be inspected.  Authenticity typically only becomes an issue where it is necessary to demonstrate a chain of evidence, supporting legal action.  Here, it is possible to employ checks such as for digital manipulation, face morphing and expiration, but third-party specialists are usually engaged to undertake this work.
  • Traceability:  In some instances, it is necessary to identify the source of documented information.  Most ISMS documentation will be sourced internally, but some external documentation may be integral to the ISMS documentation set, such as employee screening records.  Clause 7.5.3 requires that this documentation is identified appropriately and controlled, which in practice means it must be clearly identifiable as documentation of external origin.
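The completeness and authenticity checks described above can be automated for electronic records.  The following Python snippet is an added illustration, not code from this blog or from URM: it allocates consecutive reference numbers to an incident log, detects gaps in the sequence (completeness), and attaches an HMAC-SHA256 tag to each record so that later edits made without re-signing are detected (authenticity).  The record format, the signing key and the sample incident entries are all constructed for the example; in practice the key would be held in a secrets store rather than in source.

```python
"""Completeness and authenticity checks over an ISMS record log.
Added illustration, not code from the blog or from URM. The record layout,
the signing key and the sample entries are constructed for this example."""
import hashlib
import hmac
import json
from typing import Iterable

# Constructed key: in a real deployment this comes from a secrets store.
SIGNING_KEY = b"example-isms-record-key"


def canonical(record: dict) -> bytes:
    """Serialise a record deterministically (tag excluded) so the same content always signs the same."""
    body = {k: v for k, v in record.items() if k != "tag"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_record(record: dict) -> dict:
    """Return a copy of the record carrying an HMAC-SHA256 tag over its content."""
    signed = dict(record)
    signed["tag"] = hmac.new(SIGNING_KEY, canonical(record), hashlib.sha256).hexdigest()
    return signed


def is_authentic(record: dict) -> bool:
    """True when the stored tag matches the record's current content, i.e. it has not been altered."""
    expected = hmac.new(SIGNING_KEY, canonical(record), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record.get("tag", ""))


def missing_references(records: Iterable[dict], prefix: str) -> list:
    """Completeness: reference numbers absent from the consecutive sequence (e.g. INC-0003)."""
    numbers = sorted(int(r["ref"][len(prefix):]) for r in records if r["ref"].startswith(prefix))
    if not numbers:
        return []
    present = set(numbers)
    return [f"{prefix}{n:04d}" for n in range(numbers[0], numbers[-1] + 1) if n not in present]


def audit(records: list, prefix: str) -> dict:
    """Summarise gaps in the sequence and records whose content no longer matches their tag."""
    return {
        "missing": missing_references(records, prefix),
        "tampered": [r["ref"] for r in records if not is_authentic(r)],
    }


# Constructed incident log: INC-0003 was never recorded, which the audit should flag.
SAMPLE_LOG = [
    sign_record({"ref": "INC-0001", "date": "2026-01-05", "summary": "Phishing email reported", "owner": "SOC"}),
    sign_record({"ref": "INC-0002", "date": "2026-01-09", "summary": "Lost laptop", "owner": "IT"}),
    sign_record({"ref": "INC-0004", "date": "2026-02-02", "summary": "Misdirected email", "owner": "HR"}),
]

# Simulated after-the-fact edit to INC-0002 made without re-signing the record.
TAMPERED_LOG = [dict(r) for r in SAMPLE_LOG]
TAMPERED_LOG[1]["summary"] = "Lost laptop (encrypted)"

if __name__ == "__main__":
    print(audit(SAMPLE_LOG, "INC-"))
    print(audit(TAMPERED_LOG, "INC-"))
```

An HMAC proves integrity only to parties holding the key; where a record may later need to be shown to a third party as part of a chain of evidence, a digital signature with a private key held by the record owner serves the same purpose without sharing the key.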

Examples of ISMS records include, but are not limited to:

  • Employee attestations to comply with the information security policy and ISMS requirements
  • Risk assessments and risk treatments
  • Information security training completion records
  • Incident reports
  • Audit results.

Ensure documented information supports audits

Successful external assessments will often hinge on ensuring that documentation is easy to locate, consistent with practice, demonstrates conformance and shows clear version history.

Though not typically the sole reason for ‘failing’ an assessment, an assessor may think you’re unfamiliar with documented policies and processes if you can’t track them down easily.  A structured storage approach and the use of a documentation register can help address this.  Documentation registers typically include:

  • Document title
  • Owner
  • Version
  • Approval date
  • Review date
  • Storage location
  • Access levels.

ISMS documentation must, of course, reflect the requirements of the mandatory management system clauses and selected Annex A controls, but it is also essential that documentation reflects actual practices.  Assessors aren’t just expecting you to follow the Standard, but also your own policies and procedures; so, saying ‘we don’t do it that way’ when referring to a procedure will certainly result in a nonconformity.
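A documentation register with the fields listed above can also drive the scheduled reviews and versioning rules discussed earlier.  The following Python snippet is an added illustration, not code from this blog or from any URM tool: it models register entries, lists the documents whose review date has been reached, and records a review outcome, bumping the version for a major change (1.1 to 2.0) or a minor change (1.1 to 1.2) and logging a ‘no changes required’ review so the change log evidences that it took place.  The review-cycle lengths, document references, dates and entries are constructed for the example.

```python
"""Documentation register with review-due checks and version increments.
Added illustration, not code from the blog or from URM. Fields follow the
register list in the text; cycle lengths, references and dates are constructed."""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class RegisterEntry:
    """One row of the documentation register."""
    title: str
    owner: str
    version: str
    approval_date: date
    review_date: date            # date the next scheduled review falls due
    storage_location: str
    access_level: str
    review_cycle_days: int = 365  # assumed annual cycle unless the entry says otherwise
    history: list = field(default_factory=list)  # (date, version, note) change log


def bump_version(version: str, major: bool) -> str:
    """Major change: 1.1 -> 2.0.  Minor change: 1.1 -> 1.2."""
    maj, minor = (int(part) for part in version.split("."))
    return f"{maj + 1}.0" if major else f"{maj}.{minor + 1}"


def record_review(entry: RegisterEntry, reviewed_on: date, note: str,
                  changed: bool = False, major: bool = False) -> RegisterEntry:
    """Log a scheduled or triggered review and reset the next review date.
    A review that finds no changes is still logged, so the change log
    evidences that the review was carried out."""
    if changed:
        entry.version = bump_version(entry.version, major)
        entry.approval_date = reviewed_on
    entry.history.append((reviewed_on, entry.version, note))
    entry.review_date = reviewed_on + timedelta(days=entry.review_cycle_days)
    return entry


def reviews_due(register: list, on: date) -> list:
    """Titles of documents whose review date has been reached on the given date."""
    return [e.title for e in register if e.review_date <= on]


# Constructed register: a policy overdue for review, a procedure not yet due,
# and a work instruction on a two-year cycle that falls due today.
REGISTER = [
    RegisterEntry("Information Security Policy", "CISO", "1.3", date(2025, 3, 10),
                  date(2026, 3, 10), "ISMS/Policies/POL.1.1", "All staff (read)"),
    RegisterEntry("Incident Management Procedure", "SOC Manager", "2.0", date(2025, 9, 1),
                  date(2026, 9, 1), "ISMS/Procedures/PROC.3.2", "IT and Security (read)"),
    RegisterEntry("Access Rights Work Instruction", "IT Lead", "1.0", date(2024, 6, 1),
                  date(2026, 4, 23), "ISMS/WorkInstructions/WI.3.2.1", "IT (read)",
                  review_cycle_days=730),
]

if __name__ == "__main__":
    today = date(2026, 4, 23)
    print("Due for review:", reviews_due(REGISTER, today))
    record_review(REGISTER[0], today, "Annual review: no changes required")
    print(REGISTER[0].version, REGISTER[0].review_date, REGISTER[0].history)
```

Keeping the review cycle on each entry rather than as a single global value reflects the point made earlier: a policy may warrant an annual review, while a work instruction tied to a system may only need revisiting when that system changes.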

Mark documents with their classification

Although not a strict requirement of Clause 7.5 and more closely linked to Controls A 5.12 and A 5.13, the inclusion of classification markings is relevant to documentation practices, such as the use of templates.  In most documents, adding classification markings is straightforward, but spreadsheets can present challenges.  Assessors typically expect classification markings to appear on all pages and potentially be visible on screen, which is easy to achieve in documents but more difficult with large spreadsheets.

The following approaches are typically acceptable:

  • Printed copies:  Include the classification in the header or footer, usually accessed through page properties.  This will ensure the classification marking appears on each sheet when printing the spreadsheet or when printing to PDF.
  • Electronic copies: Include the classification on a document control tab and/or on the first row of each tab.  Having a separate document control tab is usually sufficient but some assessors may expect it on every tab.  Having it in at least one of these locations will demonstrate that steps have been taken to classify documentation.

Why Does Documented Information Matter?

A well-defined and robust document management framework supports the smooth operation of the ISMS.  Whilst investment is required to set up the framework, this can lead to efficiencies once the ISMS is embedded.  Control of documented information will also help you comply with other regulatory requirements, for example those relating to document retention.  During external assessments, an organisation’s documented information effectively acts as its ‘shop window’, providing the clearest demonstration of conformance.  Strong document management reduces the risk of ‘easy win’ nonconformities for assessors and, while it may initially require a cultural shift, the practices it promotes should, over time, become business as usual.

How URM Can Help

With 20 years’ experience assisting organisations’ ISO 27001 implementation, URM is the ideal partner to support any aspect of your organisation’s conformance/certification to the Standard.  

We can conduct a gap analysis where we establish your current conformance level, and help you conduct your ISO 27001 risk assessment using Abriska 27001, our risk assessment tool.  Our ISO 27001 consultants can also help develop policies, processes and ISMS infrastructure, as well as offering a range of ISO 27001 internal audit services.  These include conducting an internal audit ahead of your external assessment to ensure you are conformant, planning and delivering a full 3-year audit programme, or auditing specific aspects of the ISMS or particular controls.

URM also regularly delivers ISO 27001-related training courses; our Introduction to ISO 27001 Course explores all aspects of information security and the importance of ISO 27001 in protecting information, whilst our Certificate in Information Security Management Principles (CISMP) Training Course will fully prepare you for the BCS-invigilated examination and to gain an industry-recognised information security qualification.

Neil Jones
Senior Consultant at URM
Neil is a Senior Consultant at URM, with over 20 years of ‘real world’ information security knowledge and experience, having worked in complex telecommunications, (multinational) financial services and professional services environments, with both regional and global responsibilities.
