Documentation Updates
Your ISO 27001 documentation must stay current to remain effective and audit-ready.
Why Documentation Goes Stale
- Business and technology changes
- Staff turnover
- Lessons learned from incidents
- Standard version updates (2013 → 2022)
- Scope changes
Cost of Stale Docs: Audit findings, operational confusion, inability to respond effectively, certification risk.
Update Cycles
Annual Full Review (Mandatory)
- ISMS Policy
- Security Policy
- Supporting policies
- Statement of Applicability
- Risk Assessment
- Business Continuity Plan
Triggered Updates (As Needed)
- Major organizational changes
- New products or services
- Significant security incidents
- New regulatory requirements
- Technology platform changes
- Scope modifications
Continuous Minor Updates
- Contact information
- Role changes
- Procedural refinements
- Typo fixes
Document-by-Document Guide
ISMS Policy: Review annually or with major organizational change
- Scope still accurate?
- Objectives still relevant?
- Leadership commitment reaffirmed?
Security Policy: Review annually
- Requirements still applicable?
- New threats addressed?
- Technology references current?
Procedures: Review annually or when process changes
- Screenshots still accurate?
- Steps still valid?
- Tool names current?
- Roles still exist?
Statement of Applicability: Review annually or with scope changes
- All 93 controls reviewed?
- Applicability decisions still valid?
- Implementation status accurate?
Risk Assessment: Annually minimum, quarterly recommended
- All assets in inventory?
- New assets added?
- Threat landscape changed?
- Risk levels shifted?
Business Continuity Plan: Annually, after testing, after incidents
- Contact info current?
- Procedures tested and valid?
- RTOs/RPOs achievable?
Version Control
Numbering Options
- Simple: v1.0 → v1.1 → v2.0
- Date-based: ISMS-Policy-2024-01
- Semantic: MAJOR.MINOR.PATCH
Track These Properties
- Document title and owner
- Version number and date
- Approval date and approver
- Next review date
- Change summary
Change Log Example
| Version | Date | Author | Changes | Approved By |
|---|---|---|---|---|
| 1.0 | 2024-01-15 | J. Smith | Initial version | CEO |
| 1.1 | 2024-06-20 | J. Smith | Updated contacts | COO |
| 2.0 | 2025-01-10 | A. Jones | ISO 27001:2022 rewrite | CEO |
Document Management Tools
| Tool | Pros | Cons |
|---|---|---|
| SharePoint | Robust, Office integration | Complex setup |
| Google Drive | Easy, collaborative | Limited workflow |
| Confluence | Great for wikis | Can get messy |
| GRC Platforms | Purpose-built | Expensive |
| Git | Excellent version control | Technical curve |
Communication Strategy
Minor Updates:
- Email affected users
- Note in next meeting
- Update in document
Major Updates:
- All-hands announcement
- Training session if needed
- Track acknowledgments
- Update handbooks
Audit Perspective
What Auditors Look For:
- Consistent version control
- Recent review dates (within last year)
- Changes tracked and logged
- Approval process followed
- Documents match actual practices
- Obsolete documents removed
Common Findings:
- Documents don't match practice
- No evidence of annual review
- Multiple versions in circulation
- Outdated contact information
- Procedures don't match reality
Keep It Sustainable
Strategies:
- Assign clear ownership
- Set calendar review dates
- Use simple templates
- Integrate with management review
- Reward compliance
- Automate where possible
Red Flags:
- Multiple "current" versions exist
- Employees ignore procedures
- Auditors find discrepancies
- Forgotten documents
- Reviews 2+ years overdue
Document Health Checklist
- Header has version and date
- Change log present and current
- Owner identified
- Next review date set (not overdue)
- No references to defunct systems/people
- Approval signature present
- In document register
- Previous version archived
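The "Track These Properties" list, the "Automate where possible" strategy and the health checklist above can be turned into a check that runs over a document register. The following is an added example written for this lesson, not tooling from the course or from any GRC product; it assumes the register is held in plain Python structures, and every document, name, system and date in it is constructed for illustration (the change log for the ISMS Policy mirrors the example table above).

```python
"""Automated document health check for an ISMS document register.

Added illustrative example: checks each document against the health
checklist (version header, change log, owner, next review date, approval,
references to defunct systems or people). All data below is constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional
import re


@dataclass
class ChangeEntry:
    version: str
    entry_date: date
    author: str
    changes: str
    approved_by: str


@dataclass
class IsmsDocument:
    title: str
    owner: str
    version: str            # version printed in the document header
    doc_date: date          # date of the current version
    approved_by: str
    next_review: Optional[date]
    change_log: List[ChangeEntry]
    body: str               # document text, scanned for defunct references


# MAJOR.MINOR or MAJOR.MINOR.PATCH, as in the numbering options above.
VERSION_RE = re.compile(r"^\d+\.\d+(\.\d+)?$")


def health_findings(doc: IsmsDocument, today: date, defunct_terms: List[str],
                    review_interval_days: int = 365) -> List[str]:
    """Return a list of checklist failures for one document (empty = healthy)."""
    findings: List[str] = []

    if not VERSION_RE.match(doc.version):
        findings.append("version missing or not in MAJOR.MINOR[.PATCH] form")
    if not doc.owner.strip():
        findings.append("no owner identified")
    if not doc.approved_by.strip():
        findings.append("no approval recorded")

    if not doc.change_log:
        findings.append("change log missing")
    else:
        # Header version must match the newest change log entry, otherwise
        # two "current" versions are effectively in circulation.
        latest = max(doc.change_log, key=lambda e: e.entry_date)
        if latest.version != doc.version:
            findings.append(
                f"header version {doc.version} != latest change log version {latest.version}")

    if doc.next_review is None:
        findings.append("next review date not set")
    elif doc.next_review < today:
        findings.append(f"review overdue by {(today - doc.next_review).days} days")

    # Auditors expect review evidence within the last year.
    if today - doc.doc_date > timedelta(days=review_interval_days):
        findings.append("no review evidence within the last year")

    # Whole-word, case-insensitive scan for retired systems or departed staff.
    for term in defunct_terms:
        if re.search(rf"\b{re.escape(term)}\b", doc.body, re.IGNORECASE):
            findings.append(f"references defunct system/person: {term}")
    return findings


def check_register(register: List[IsmsDocument], today: date,
                   defunct_terms: List[str]) -> Dict[str, List[str]]:
    """Run the health check over every document; keyed by document title."""
    return {doc.title: health_findings(doc, today, defunct_terms) for doc in register}


# Constructed register: one healthy document, one with several red flags.
REGISTER = [
    IsmsDocument(
        title="ISMS Policy", owner="A. Jones", version="2.0",
        doc_date=date(2025, 1, 10), approved_by="CEO", next_review=date(2026, 1, 10),
        change_log=[
            ChangeEntry("1.0", date(2024, 1, 15), "J. Smith", "Initial version", "CEO"),
            ChangeEntry("1.1", date(2024, 6, 20), "J. Smith", "Updated contacts", "COO"),
            ChangeEntry("2.0", date(2025, 1, 10), "A. Jones", "ISO 27001:2022 rewrite", "CEO"),
        ],
        body="This policy applies to all systems within the ISMS scope."),
    IsmsDocument(
        title="Backup Procedure", owner="", version="1.1",
        doc_date=date(2023, 6, 20), approved_by="COO", next_review=date(2024, 6, 20),
        change_log=[
            ChangeEntry("1.0", date(2023, 1, 15), "J. Smith", "Initial version", "COO"),
            ChangeEntry("1.2", date(2023, 6, 20), "J. Smith", "Added restore steps", "COO"),
        ],
        body="Restore backups via the LegacyVPN gateway; escalate to R. Former."),
]
DEFUNCT_TERMS = ["LegacyVPN", "R. Former"]   # constructed retired system and ex-employee

if __name__ == "__main__":
    for title, issues in check_register(REGISTER, date(2025, 3, 1), DEFUNCT_TERMS).items():
        print(f"{title}: {'OK' if not issues else ''}")
        for issue in issues:
            print(f"  - {issue}")
```

Run it from the same scheduled job that sends review reminders; a non-empty findings list for any document is the signal to open a triggered update rather than wait for the annual cycle.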
Remember: Documentation serves your organization first, auditors second. If your team can't use it, it's not good documentation.
Next Lesson: Managing scope changes without drama.