Documented information vs. documents and records in ISO standards
Article by Dejan Kosutic

Many organizations implementing ISO standards find it difficult to understand the term
“documented information.” This confusion arises because the term replaces the previously used
terms “documents” and “records.” This article will explore the difference between these terms
and why introducing “documented information” was necessary for ISO standards. Additionally,
we will discuss the importance of documented information for ISO standards and its role in
performing the activities.
What is ISO documented information?
In ISO standards, documented information refers to information controlled and managed by an
organization, including policies, procedures, and records. It replaces the terms documents and
records to better reflect the evolving nature of information and its management.

Documented information vs. documents and records in ISO standards
“Documents” and “records” are terms used in various ISO management standards, including ISO
27001 and ISO 9001. These terms refer to different types of information managed by an
organization.
Documents are used to communicate the internal rules of a company and can include:
- policies
- procedures
- manuals
- working instructions
Records are used to provide evidence of activities and results, for example:
- audit reports
- training records
- incident reports
- corrective actions

Why introduce the term “documented information”?
If documented information only covers documents and records, why did ISO standards introduce
this term in the first place?
The introduction of “documented information” in ISO standards was necessary because it
reflects the evolving nature of information and its management more accurately. In some cases,
there is a mix of documents and records, making it challenging to differentiate between the two.
For example, let’s take a look at the Statement of Applicability (SoA):
- Listing the controls, their applicability, and justification for implementation in the Statement of Applicability – this makes the SoA a document.
- When you add the status of each control (which changes all the time) in the SoA – this makes the SoA also a record.
Another example is the Risk Treatment Plan, which lists the controls to be implemented,
deadlines, responsible persons, and the budget. Listing all of these things would make it a plan (a
document); however, noting down when the implementation of a particular control was
completed and what the results were makes this Risk Treatment Plan a record at the same time.

Importance of documented information for ISO standards
Documented information is important for ISO standards because it specifies exactly what needs
to be done and records key activities to prove compliance.
For example, in a large company, it would be very difficult to explain to employees which
backup technology to use and how to perform backup without having a Backup Policy.
If there were no backup logs, it would be almost impossible to determine whether the backup
was actually done and if it was done regularly.
The documented information, therefore, becomes the beginning and the end of your compliance
activities. But beware, without actually doing all those activities, documented information would
make no sense – therefore, what you do in the middle is the most important.
To get the templates for all mandatory documents and the most common non-mandatory
documents, along with an interactive wizard that helps you every step of the way on your
certification, sign up for a free trial of Conformio, the leading ISO 27001 compliance software.

Dejan Kosutic
Leading expert on cybersecurity & information security and the author of several books, articles,
webinars, and courses. As a premier expert, Dejan founded Advisera to help small and medium
businesses obtain the resources they need to become certified against ISO 27001 and other ISO
standards. He believes that making ISO standards easy to understand and simple to use creates a
competitive advantage for Advisera's clients, and that AI technology is crucial for achieving this.
As an ISO 27001 expert, Dejan helps companies find the best way to obtain certification by
eliminating overhead and adapting the implementation to their size and industry specifics.