Document and Record Control Procedure

by Elina D

Document Definition

The purpose of the Document definition control is to ensure that only authorised individuals can create, modify, and delete organisational documents. This is important because it helps to prevent the accidental or unauthorised alteration of critical organisational information. There are three elements to this control:

  • Document management policy: The document management policy should define who is authorised to create, modify, and delete organisational documents.
  • Document register: The document register should list all the organisational documents that are subject to the control.
  • Change control procedure: The change control procedure should define how changes to organisational documents are to be authorised and tracked.

Required ISO 27001 Documents

The ISO/IEC 27001:2013 standard includes the following required documents:
Statement of Applicability

  1. Security Policy
  2. Risk Assessment
  3. Risk Treatment Plan
  4. Security objectives and controls
  5. Security Controls Procedures
  6. Information Security Incident Management Procedure
  7. Information Security Aspects of Business Continuity Management
  8. Compliance with Laws and Regulations
  9. Physical and Environmental Security.

Record Definition

The term 'Record' means any information that has been created, received, or maintained by an organisation in support of its business activities. Records include, but are not limited to, written communications, emails, contracts, financial statements, and website content. The purpose of the Record Definition is to ensure that all records are managed in a consistent and compliant manner.
Under the requirements of ISMS 27001, records must be:

  • Accurate and up to date
  • Complete and cannot be altered
  • Legible and easy to understand
  • Protected from unauthorised access, destruction, or modification.

Organisations must also appoint a Records Manager who is responsible for the creation, maintenance, and destruction of records in accordance with company policy.

Required ISO 27001 Records

In order to be compliant with ISO 27001, there are certain records that must be kept. These records include:

  • A list of all assets within the scope of the ISO 27001 certification
  • A list of all individuals with access to those assets
  • A list of all security measures that have been implemented
  • A list of all security incidents that have occurred
  • A list of all changes that have been made to the security measures
  • A list of all audits that have been conducted
  • A list of all training and awareness activities that have been conducted
  • A list of all corrective and preventive actions that have been taken.

How should documentation and records be managed?

In order to ensure the security of information assets, it is important to have a well-defined and implemented process for managing documentation and records. ISO 27001 is an international standard that provides guidance on how to do this. We will explain in detail how to manage documentation and records in accordance with ISO 27001.

  • First, it is important to understand what documentation and records are. Documentation refers to any information that is used to support the operations of an organisation. This can include policies, procedures, plans, and other documents that describe how the organisation functions. Records are any information that is used to document the progress or results of an activity. This can include data, logs, reports, and other documentation that captures the output of an activity.
  • In order to effectively manage documentation and records, organisations need to establish a system for storing and managing them. The system should be designed to ensure that documentation and records are properly protected from unauthorised access, alteration, or destruction. The system should also be designed to ensure that only authorised individuals have access to the documentation and records.
  • Once a system for storing and managing documentation and records has been established, organisations need to develop procedures for controlling access to the documentation and records. The procedures should specify who is allowed to access the documentation and records and how they are allowed to access them. The procedures should also specify how the documentation and records are to be protected from unauthorised access and from damage or destruction.
  • Organisations should also develop procedures for ensuring that the documentation and records are accurate and complete. The procedures should specify how the documentation and records are to be reviewed and updated on a regular basis. The procedures should also specify how changes to the documentation and records are to be tracked and when they are to be made available to authorised users.
  • Organisations should also develop procedures for ensuring that the documentation and records are accessible to authorised users. The procedures should specify how the documentation and records are to be stored and how they are to be organised. The procedures should also specify how the documentation and records are to be retrieved when needed.

    Who’s responsible for document control procedures?

    Document control is a critical process in any organisation that creates, uses, and stores documents. It helps to ensure that documents are accurate, up to date, and accessible to those who need them. But who is responsible for document control procedures?
    There are four key players who are typically involved in document control:

    1. The document owner
    2. The author
    3. The approver
    4. The customer or client.

    Each of these players has a different role to play in ensuring that documents are properly controlled. Let's take a closer look at each one.

    1. The Document Owner

    The document owner is the individual or organisation who creates or owns the documents in question. They are responsible for ensuring that the documents are accurate and up to date. In some cases, the document owner may also be responsible for approving changes to the documents.

    2. The Author

    The author is the individual who creates the initial draft of a document. In many cases, the author will also be responsible for making changes to the document as needed.

    3. The Approver

    The approver is the individual or organisation who has the authority to approve changes to a document. In some cases, the approver may also be responsible for reviewing and signing off on new versions of the document.

    4. The Customer or Client

    The customer or client is the individual or organisation who will be using the documents in question. They may provide feedback on the documents and may need to approve changes before they can be implemented.

    What are the benefits of document control and record procedures?

    Document control and record procedures are important for managing documents and records. When used correctly, they can help organisations to control costs, improve efficiency, and avoid legal risks. Some of the benefits of document control and record procedures include:

    • Reduced costs: Document control and record procedures can help organisations to save money by reducing the amount of paper and other resources used.
    • Improved efficiency: Document control and record procedures can help to improve the efficiency of an organisation by providing clear guidelines for managing documents and records.
    • Reduced legal risks: By providing clear procedures for managing documents and records, document control and record procedures can help to reduce the legal risks associated with mismanagement of these items.