Module 4: Resource Gathering

Document Control Mastery (Clause 7.5)

Effective document control is the backbone of your ISMS. Clause 7.5 requires you to control documented information to ensure it's available, suitable for use, and adequately protected.

Understanding Clause 7.5

ISO 27001:2022 Clause 7.5 covers three key areas:

7.5.1 General

The ISMS shall include documented information:

  • Required by ISO 27001 (mandatory documents)
  • Determined by the organization as necessary for ISMS effectiveness

7.5.2 Creating and Updating

When creating and updating documented information, ensure:

  • Appropriate identification and description
  • Appropriate format and media
  • Appropriate review and approval for suitability and adequacy

7.5.3 Control of Documented Information

Control documented information to ensure:

  • It's available and suitable for use where and when needed
  • It's adequately protected (confidentiality, integrity, availability)

Control activities shall address:

  • Distribution, access, retrieval, and use
  • Storage and preservation (including legibility)
  • Control of changes (version control)
  • Retention and disposition

Types of Documented Information

1. Mandatory Documents (Required by ISO 27001)

  • ISMS scope (4.3)
  • Information security policy (5.2)
  • Risk assessment and treatment process (6.1.2, 6.1.3)
  • Statement of Applicability (6.1.3)
  • Information security objectives (6.2)
  • Competence evidence (7.2)
  • Monitoring and measurement results (9.1)
  • Internal audit program (9.2)
  • Management review results (9.3)
  • Nonconformities and corrective actions (10.2)

2. Organization-Determined Documents

Documents you create for effective ISMS operation:

  • Procedures and work instructions
  • Forms and templates
  • Plans and programs (risk, audit, training, awareness, communication)
  • Risk registers and asset inventories
  • Training materials and records
  • Meeting minutes and reports
  • Audit checklists and reports

Document Control Principles

1. Identification

Each document must be uniquely identified:

  • Document ID: Unique reference number (e.g., ISMS-POL-001)
  • Title: Clear, descriptive name
  • Version number: Track revisions (1.0, 1.1, 2.0)
  • Date: Creation or revision date
  • Author: Who created it
  • Owner: Who's responsible for it
  • Status: Draft, approved, obsolete

Example ID Scheme:

  • ISMS-POL-001 (Policy)
  • ISMS-PROC-002 (Procedure)
  • ISMS-FORM-003 (Form)
  • ISMS-TEMP-004 (Template)

2. Format and Media

Choose appropriate format for each document type:

  • PDF: For controlled documents (prevents unauthorized editing)
  • Word/Excel: For working documents and forms users complete
  • HTML: For intranet/portal content
  • Paper: For some records requiring signatures

3. Review and Approval

Process:

  • Draft created by author
  • Reviewed by relevant stakeholders
  • Approved by appropriate authority
  • Published and communicated

Approval Authority:

  • Policies: Executive management
  • Procedures: ISMS Manager or department head
  • Work instructions: Process owner
  • Forms/templates: ISMS Manager

4. Distribution and Access

Distribution Methods:

  • Intranet/document management system (preferred)
  • Email (for notifications, not storage)
  • Physical copies (controlled and registered only when essential)

Access Control:

  • Public: Available to all staff
  • Internal: Restricted to employees only
  • Confidential: Limited to specific roles
  • Restricted: Need-to-know basis only

5. Version Control

Numbering:

  • Major changes: 1.0 → 2.0 → 3.0
  • Minor changes: 1.0 → 1.1 → 1.2
  • Draft versions: 0.1, 0.2, 0.3

Version History: Maintain a change log showing version, date, author, description, and approver.

6. Storage and Preservation

Requirements:

  • Centralized location (document management system)
  • Regular backups
  • Protected from loss, damage, unauthorized access
  • Organized logically and searchable
  • Retained per retention schedule

Typical Retention Periods:

  • Policies: Current + 3 years
  • Procedures: Current + 2 years
  • Risk assessments: Current + 3 years
  • Audit reports: 5 years
  • Incident records: 5 years
  • Training records: Employment + 5 years

7. Change Control

Process:

  1. Change request submitted
  2. Impact assessment conducted
  3. Review and approval obtained
  4. Document updated
  5. Version incremented
  6. Stakeholders notified
  7. Old version archived

8. Obsolete Documents

Handling:

  • Remove from active use locations
  • Mark clearly as "OBSOLETE"
  • Archive for retention period
  • Prevent unintended use
  • Delete securely after retention expires
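The rules in the Identification, Version Control, Change Control and Obsolete Documents sections above can be enforced by a document register rather than left to convention. The following Python is an added illustration, not part of the course material: it checks the ISMS-<TYPE>-<NNN> ID scheme, applies the major/minor/draft numbering, refuses changes to approved documents that carry no approver, freezes obsolete documents, keeps the version history (version, date, author, description, approver) and computes the retention expiry from the "Current + N years" rule. The policy and procedure retention periods come from the lesson; the periods for forms and templates, the register API and the sample document are constructed assumptions.

```python
"""Small ISMS document register modelling the Clause 7.5 rules from this lesson.
Added illustration, not course material; API and FORM/TEMP retention are assumptions."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date
import re

# ID scheme from the lesson: ISMS-<TYPE>-<NNN>, e.g. ISMS-POL-001
DOC_ID_RE = re.compile(r"^ISMS-(POL|PROC|FORM|TEMP)-(\d{3})$")

# Years to keep a document after it is superseded ("Current + N years").
# POL and PROC values are from the lesson; FORM/TEMP are constructed placeholders.
RETENTION_YEARS = {"POL": 3, "PROC": 2, "FORM": 2, "TEMP": 2}


def is_valid_doc_id(doc_id: str) -> bool:
    return DOC_ID_RE.match(doc_id) is not None


@dataclass
class ChangeRecord:
    """One line of the version history: version, date, author, description, approver."""
    version: str
    changed_on: date
    author: str
    description: str
    approver: str | None


@dataclass
class Document:
    doc_id: str
    title: str
    owner: str
    author: str
    created_on: date
    version: str = "0.1"          # drafts are numbered 0.x
    status: str = "draft"         # draft -> approved -> obsolete
    obsoleted_on: date | None = None
    history: list[ChangeRecord] = field(default_factory=list)

    def __post_init__(self) -> None:
        if not is_valid_doc_id(self.doc_id):
            raise ValueError(f"{self.doc_id!r} does not follow ISMS-<TYPE>-<NNN>")
        self.history.append(ChangeRecord(self.version, self.created_on, self.author, "created", None))

    @property
    def doc_type(self) -> str:
        return DOC_ID_RE.match(self.doc_id).group(1)


def bump_version(current: str, change: str) -> str:
    """Numbering from the lesson: major 1.2 -> 2.0, minor 1.0 -> 1.1, draft 0.1 -> 0.2."""
    major, minor = (int(p) for p in current.split("."))
    if change == "major":
        return f"{major + 1}.0"
    if change == "minor":
        return f"{major}.{minor + 1}"
    if change == "draft":
        if major != 0:
            raise ValueError("draft increments only apply to 0.x versions")
        return f"0.{minor + 1}"
    raise ValueError(f"unknown change type {change!r}")


def approve(doc: Document, approver: str, on: date) -> Document:
    """Approval step: a draft becomes the first controlled release, 1.0."""
    if doc.status != "draft":
        raise ValueError(f"{doc.doc_id} is {doc.status}, not a draft")
    doc.version, doc.status = "1.0", "approved"
    doc.history.append(ChangeRecord(doc.version, on, doc.author, "approved for release", approver))
    return doc


def apply_change(doc: Document, change: str, description: str, author: str,
                 approver: str | None, on: date) -> Document:
    """Change control: approved documents change only with a recorded approver,
    the version is incremented and the reason logged; obsolete documents are frozen."""
    if doc.status == "obsolete":
        raise ValueError(f"{doc.doc_id} is obsolete and cannot be changed")
    if doc.status == "approved" and not approver:
        raise ValueError("approved documents require an approver for each change")
    doc.version = bump_version(doc.version, change)
    doc.author = author
    doc.history.append(ChangeRecord(doc.version, on, author, description, approver))
    return doc


def mark_obsolete(doc: Document, on: date) -> Document:
    """Withdraw the document; the retention clock starts on this date."""
    doc.status, doc.obsoleted_on = "obsolete", on
    doc.history.append(ChangeRecord(doc.version, on, doc.owner, "marked OBSOLETE", None))
    return doc


def retention_expiry(doc: Document) -> date | None:
    """Date after which an obsolete document may be securely deleted (None while current)."""
    if doc.obsoleted_on is None:
        return None
    target_year = doc.obsoleted_on.year + RETENTION_YEARS[doc.doc_type]
    try:
        return doc.obsoleted_on.replace(year=target_year)
    except ValueError:  # obsoleted on 29 February; fall back to 28 February
        return doc.obsoleted_on.replace(year=target_year, day=28)


def may_dispose(doc: Document, today: date) -> bool:
    expiry = retention_expiry(doc)
    return expiry is not None and today > expiry


if __name__ == "__main__":
    # Constructed sample document walking through the lifecycle
    pol = Document("ISMS-POL-001", "Information Security Policy", "CISO", "j.doe", date(2024, 1, 10))
    approve(pol, approver="CEO", on=date(2024, 2, 1))
    apply_change(pol, "minor", "clarified scope wording", "j.doe", "CEO", date(2024, 6, 1))
    mark_obsolete(pol, date(2025, 1, 1))
    for rec in pol.history:
        print(rec.version, rec.changed_on, rec.author, rec.description, rec.approver)
    print("retention expires:", retention_expiry(pol))
```

The register deliberately separates the approval event (draft to 1.0) from later changes, so the history answers the auditor's question "what changed, when, by whom and who approved it" for every controlled version, and the obsolete status plus retention date give the disposal step a defined trigger instead of relying on someone remembering.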

Document Hierarchy

Level 1: Policies

  • High-level direction and intent
  • Approved by top management
  • Reviewed annually

Level 2: Procedures

  • How processes are carried out, who does what
  • Approved by ISMS Manager
  • Reviewed annually or as needed

Level 3: Work Instructions

  • Step-by-step operational guidance
  • Approved by process owner
  • Reviewed as needed

Level 4: Forms and Records

  • Templates for capturing data and evidence
  • Various approval levels
  • Retained per schedule

Document Management System Options

1. SharePoint/Office 365

  • Version control built-in
  • Good collaboration features
  • Access control via permissions
  • Widely available

2. Dedicated Document Management Systems

  • Purpose-built for compliance
  • Strong workflow capabilities
  • Robust audit trails
  • Higher cost

3. GRC Platforms

  • Integrated governance, risk, compliance
  • Full ISMS lifecycle management
  • Strong audit and reporting
  • Most expensive, complex

Key Features to Look For:

  • Version control and history
  • Access control and permissions
  • Approval workflows
  • Audit trails
  • Search capabilities
  • Backup and recovery
  • Notifications

Common Document Control Mistakes

  1. No version control - Multiple "final" versions circulating
  2. Poor naming conventions - Files named "FINAL," "FINAL2," "REALLY_FINAL"
  3. Lack of review dates - Documents never updated, outdated information
  4. No control over paper copies - Printed versions get out of date
  5. Inadequate access control - Everyone can edit everything
  6. No change tracking - Can't explain what changed and why
  7. Over-documentation - Too many documents to maintain effectively

Best Practices

  1. Keep it simple: Don't over-document
  2. Use templates: Ensure consistent structure
  3. Centralize: One source of truth
  4. Automate: Use tools for workflow and reminders
  5. Review regularly: Annual reviews minimum
  6. Train staff: Ensure they know where to find current documents
  7. Audit trail: Track all changes
  8. Backup: Protect against loss

Integration with Annex A Controls

Document control supports multiple controls:

  • A.5.13: Labeling of information
  • A.5.14: Information transfer
  • A.5.34: Privacy and protection of PII
  • A.5.36: Compliance with policies, rules and standards
  • A.5.37: Documented operating procedures

Next Lesson: Create a Document Control Procedure to formalize your document management approach.