Document Management for ISO 27001 and BS 25999-2

Friday, May 28, 2010

Dejan Kosutic


Why is it that ISO 27001 and BS 25999-2 put such an emphasis on the control of documents? Both standards define very strictly how the documents must be managed, and require that the organization must have a documented procedure for managing documents – even worse, you won’t get certified unless you have such a procedure.

Documents can be in various forms – paper documents, text or spreadsheet files, video or audio files etc.

Not only must an organization manage internal documents (for example, various policies, procedures, project documentation etc.), but also external documents (for example, different types of correspondence, documentation received with equipment etc.).

In other words, managing the documents is quite a complex and comprehensive task.

So why is it important to manage those? Well, did you ever find yourself in a situation where you didn’t know where to find some important document?

Or you found out that your employees were using the wrong (older) version of a procedure? Or some employees didn’t receive an important procedure at all?

Or perhaps it wasn’t clear which version of this procedure was the current one? Or some confidential document was distributed to the wrong people?

If you never found yourself in those problematic situations, you probably did experience this one – your procedures are simply not up-to-date.

If you don’t have a systematic approach for managing your documents, you will probably recognize yourself in some of these situations – therefore, ISO 27001 and BS 25999-2 require organizations to introduce such a systematic approach by writing down a procedure for document management.

This procedure must clearly define responsibilities for the documents – who can approve them, how they are distributed and archived, how they are kept up-to-date, which versioning system is in use, how you track changes to documents, what you do with external documents, etc.

Since document management is such an essential thing, be sure that the certification auditor will not only look for such a procedure, but also examine whether your documentation is really managed as you have defined in your document management procedure.

Introducing this procedure will probably mean that you will have to change your system for handling documents, that you will have to store documentation on your intranet or implement a more complex document management system, and that you will have to organize the archive for paper documents.

When you start implementing ISO 27001 / BS 25999-2, you start seeing the importance of writing things down, but you also see that those written things must be organized unless you want to lose control over them.

The documents are in fact the bloodstream of your management system – take good care of it if you want your system to remain healthy.
