Professional Documents
Culture Documents
Procedure For Document and Record Control
Procedure For Document and Record Control
CONTROL
Created by: Ahmad Nawaz
Approved
Ahmad Nawaz
by:
Change history
Date Version Created by Description of change
January 1, Ahmad
V0.1 New status: in progress. Comment: /
2022 Nawaz
January 1, Ahmad
V0.1 New status: in approval. Comment: /
2022 Nawaz
January 1, Ahmad
V1 New status: approved. Comment: /
2022 Nawaz
1. Purpose, scope and users
The purpose of this procedure is to ensure control over the creation, approval, distribution, usage,
and updates of documents and records (also called: documented information) used in the
Information Security Management System (ISMS).
This procedure is applied to all documents and records related to the ISMS, regardless of whether
the documents and records were created inside {CCC-Name} or whether they are of external origin.
This procedure encompasses all documents and records, stored in any possible form – paper,
audio, video, etc.
Users of this document are all employees of {CCC-Name} inside the scope of the ISMS.
2. Reference documents
ISO/IEC 27001 standard, clause 7.5
Information Security Policy
Register of legal, contractual and other requirements
pre-defined formatting when creating a document through Conformio wizard: when creating a
document manually, font to be used is Calibri size 11, chapter titles are written using font size 14
bold, level 2 chapter titles are written in font size 12 bold, and level 3 chapter titles are written in font
size 11 bold italic
The document header contains the organization's logo and the confidentiality level. The footer
contains the document name, current version and date of the document, and number of pages.
All documents, regardless of whether they are new documents or new versions of existing
documents, must be approved by the Head of IT department.
Documents are approved in the following way: the Head of IT department will approve the document
through the approval process available on the Conformio platform.
Some documents may require review before approval by one or more designated reviewers who
have an interest in, or competence about, the document content.
When a new document or new document version is published, the Document Controller will
automatically inform all employees listed as users of the document by email. If a printed version of
the document must be delivered to some employees, this is the responsibility of the owner of that
particular document.
If there is an older version of the document, the Document Controller will remove it from the valid
documents and display it in the archive. If there are older versions of printed documents, the owner
of a particular document must collect all such documents and destroy all copies except the signed
original, which must be duly stored – such originals must be marked as "Obsolete" using a marker
pen.
Documents that have a higher confidentiality level, for which the distribution needs to be limited, are
published by the document owner on the Document Controller with reading rights only, with access
granted only to persons specified on the document's distribution list. The Document Controller will
automatically send an email notification about such a document to all persons on the distribution list.
If there is an older version of the document, the Document Controller will remove it from the valid
documents and display it in the archive, which can be accessed only by persons specified on the
document distribution list.
All changes to the document must be described briefly in the "Change History" table.
Each internal document in the ISMS must define how records resulting from the use of such a
document should be managed; i.e., it must specify the following: (1) record title, (2) storage location,
(3) person responsible for storage, (4) controls for record protection, and (5) retention time.
Employees of the organization may access stored records only after obtaining permission from the
person designated as the person responsible for storing individual records. If the sensitivity of certain
records is such that permission for access must be obtained from a different person, this must be
stated in the concerned internal document in the chapter describing records control.
Access and retrieval rights for records are determined by the owners of individual records. The Head
of IT department is responsible for destroying all records for which the retention time has expired.
The person who receives such external documents through regular mail or as courier parcels must
forward them to the Head of administration, who must make a record in the Register of external
correspondence; the person who receives such emails must forward them to the Head of HR
department, who must also record them in the Register of external correspondence and then
determine to whom the document should be forwarded.
Person
Controls for record Retention
Record name Storage location responsible
protection time
for storage
Only Head of
compliance
department has the
Records are
Register of Head of right to make
stored for a
external C:\Users\anawa\Dropbox\27001 compliance changes to and add
period of 3
correspondence department entries into
years.
the Register of
external
correspondence.
The owner of this document is the head of compliance, who must check and, if necessary, update
the document at least every 6 months.