The Definitive Governance Requirement.
Clause 7.5 mandates that you create, update, and control the documented information required by the standard and necessary for the effectiveness of your ISMS. In the eyes of the law—and the auditor—if it is not written down, it did not happen. Document control is the difference between a rumor and a record.
The Mandate
The standard moved away from the terms “Documents” and “Records” to the singular “Documented Information,” but the obligation remains absolute. You must control the lifecycle of every piece of data that supports your certification.
You are legally required to manage three dimensions:
- Creation & Updating (7.5.2): Every document must have identification (Title, Date, Author), appropriate format, and—crucially—evidence of review and approval for suitability.
- Control of Information (7.5.3): You must ensure the information is available where needed (Availability) and protected from loss or tampering (Confidentiality/Integrity).
- Retention & Disposition: You must define how long you keep it and how you destroy it. You cannot hoard data indefinitely “just in case.”
The Verdict: A policy saved as Final_Policy_v3_REAL_FINAL.docx on a desktop is not documented information. It is a liability. You need a Single Source of Truth.
The Implementation Strategy
Do not over-complicate this with expensive software, but do not rely on chaos. You need a Governance Header on every policy.
- The Identification Standard: Every policy must have a header containing:
  - Document Title & ID (e.g., ISMS-POL-01).
  - Version Number (e.g., v1.0).
  - Classification (e.g., Public / Internal).
  - Owner (Role, not name).
  - Approval Date.
- The “Read-Only” Rule: Policies published to the staff must be in read-only format (PDF). Only the Document Owner should have write access to the source file.
- The Retention Schedule: Define the lifespan. Logs = 1 year? Management Minutes = 3 years? Contracts = 7 years? Write it down and automate the deletion.
- External Documents: You must identify and control documents of external origin (e.g., Customer Contracts, Supplier Manuals).
The Auditor’s Trap
[The Auditor’s View] The most common Major Non-Conformance here is “The Zombie Document.” I frequently find a printed copy of the “Access Control Policy v1.0” taped to a server room door, while the Intranet lists “v2.0” as current. If you print a document, it becomes uncontrolled the moment it leaves the printer. Uncontrolled documents lead to uncontrolled behavior.
Required Evidence
An auditor inspects the metadata as much as the content.
- Master Document Register: A central index listing every policy, its current version, and its owner.
- Version Control History: A table at the bottom of policies showing what changed, when, and who approved it.
- Access Control Lists (ACLs): Evidence that only authorized personnel can edit the master documents.
- Retention Policy: The rules for data destruction.
Strategic Acceleration
Building a document control system from scratch is administrative suicide. You will miss a version number, and you will be failed for it.
The Document Control Framework provides the pre-formatted headers, the Master Register, and the Retention Schedules. It ensures that every document you produce is audit-ready the moment you save it.
The Next Move: Deploy the Document Control Framework
