ISMS/00-governance/document-and-records-control-standard.md
Paul Jenkins 5eade2d99b Initial commit
2026-03-26 09:35:22 +00:00


  • Title: Document and Records Control Standard
  • Document ID: [STD-DOCCTRL-001]
  • Version: 0.1 Draft
  • Status: Draft
  • Owner: CISO (Paul Jenkins)
  • Approver: CEO (Paul Hague)
  • Classification: Internal
  • Effective date: [DD Month YYYY]
  • Review date: [DD Month YYYY]

Document and Records Control Standard

Purpose

This standard defines the minimum requirements for creating, approving, storing, changing, retaining, and retiring ISMS documents and records.

Scope

This standard applies to controlled ISMS documents and records, including policies, standards, procedures, templates, registers, audit outputs, management review records, and evidence retained to support assurance activity.

Mandatory Requirements

Controlled documents must use the approved metadata fields for title, document ID, version, status, owner, approver, classification, effective date, and review date.

Controlled documents must be stored in approved locations where version history, access control, and integrity can be managed.

Each controlled document must have a named owner responsible for accuracy, review, and proposed updates.

Changes to controlled documents must be reviewed and approved by the appropriate authority before issue, except for draft working changes that are clearly marked as draft.

Superseded versions of controlled documents must be retained or archived according to retention requirements where evidence of previous approval or historical traceability is needed.

Operational records must be complete enough to demonstrate that required activities were performed. Records must identify the relevant date, owner or contributor, and the subject of the activity.

Records that contain sensitive information must be classified and protected according to applicable handling requirements.

Review dates must be assigned to controlled documents, and overdue reviews must be tracked and resolved.

Document identifiers and filenames should remain stable unless a controlled renaming decision is made.

Implementation Guidance

BlackDice should maintain a single agreed repository or controlled set of repositories for ISMS documents and evidence. Where supporting records are held in operational systems, the document set should reference the system of record rather than duplicate evidence unnecessarily.

Document owners should avoid embedding unverifiable statements in controlled documents. Where a control is planned but not fully implemented, the document should state that clearly.

Version control tables should summarise meaningful changes without fabricating historic approvals. Draft packs may begin with a single initial entry.

For records such as risk entries, incidents, supplier reviews, and audit actions, the underlying workflow tool may be used as the system of record if retention, access control, and auditability are adequate.

Roles and Responsibilities

  • The standard owner must maintain this standard and define control expectations.
  • Document owners must ensure that controlled documents are accurate, reviewed, and appropriately approved.
  • Record owners must ensure records are created, retained, and protected in line with this standard.
  • Approvers must confirm that documents are suitable before issue.
  • Personnel creating records must ensure entries are timely, factual, and complete.

Exceptions

Exceptions to this standard must be documented, justified, risk-assessed where appropriate, and approved through the defined exception management process.

Related Documents

  • ISMS Manual
  • Information Security Policy
  • Statement of Applicability Template
  • Information Security Objectives Template
  • Security Exceptions Register Template

Version Control

| Version | Date | Description of Change | Author |
| --- | --- | --- | --- |
| 0.1 Draft | [DD Month YYYY] | Initial draft. | [Name or Role] |