Business organizations use documented information to train employees and to ensure that the products and services they produce are of consistent quality. It also provides evidence of compliance with various requirements. As per clause 3.8.5 of ISO 9000, the minimum documented information required for achieving ISO 27001 certification is: a document can be based on magnetic, optical or electronic computer disc, a sample, a photograph or paper.
According to the requirements of ISO 27001:2015, the overall documented information to be maintained and retained will depend on the risk of nonconformity inherent in the processes or activities of a particular business organization. Risk evaluation should include the likely impact of the risk, the likelihood of non-conformity and the interaction of the processes with one another, as well as the type of controls required. (To maintain documented information means to have procedures and flowcharts as a means of describing the methods; to retain documented information means records to be kept as evidence.)
The minimum documented information to be maintained by the company is discussed below. (Based on the risk profile of the processes, products and services, more documented information may be required in many cases.)
Defining the scope of the IMS: role of ISO 27001 consultants
The scope should include details of the services, products and activities covered by the Information Security Management System. If some clauses of ISO 27001 cannot be applied to the company because of the nature of the business, the justification for excluding the requirements of the relevant clauses should be furnished. ISO 27001 consultants can provide guidance on defining the scope and planning the documented information to be maintained. The scope will be part of the documented information.
IMS and its Process requirement (Clause 4.4.2A)
Documented information must be maintained as support for the operation of the processes required for the IMS. Documented information may cover:
- determination of the processes needed for the IMS,
- process inputs, interaction of processes and their sequence,
- how to address the risk of non-conformity and resource availability,
- process control and criteria for effective operation,
- evaluation and improvement of processes.
QUALITY POLICY (5.2.2)
Top management must establish and maintain a quality policy for the organization, which may be maintained as documented information.
QUALITY OBJECTIVES (6.2.1)
The organization must maintain documented information about the quality objectives.
Quality objectives will be a part of product/service realization planning and include:
- what is to be achieved,
- who will achieve it,
- how to achieve it,
- what resources are required and planned,
- when the objectives will be achieved,
- how achievement will be measured.
Thus the status of attainment of the quality objectives will be part of the evaluation process.
Clause 7.5 explains that documented information is to be maintained as support for the operation of processes.
All documented information needs to be controlled, but a documented procedure is not mandatory. Control may include the usage as well as the access of the information.
Clause 8.5.1: documented information for control of production processes and service provision
This is the basic information that clarifies and defines product characteristics and attributes of services, the characteristics of the activities and tasks to be performed, and the outputs and results to be achieved.
Additional process-specific documented information
Process-specific documented information may be maintained separately by each process owner as support for an individual activity, process or task, which could add value to the IMS.
Such information could be in the form of:
- flow charts,
- organization charts,
- task maps,
- process flow descriptions,
- work procedures,
- purchase specifications,
- departmental or corporate (internal) communications,
- operation schedules,
- authorized vendor lists,
- test plans,
- detailed inspection plans,
- quality control plans,
- strategic plans,
- standard forms.