Updated Thursday, March 6, 2025

Documentation in ISO-Managementsystems

Documentation plays a crucial role in Information Security Management Systems (ISMS) according to ISO 27001 and Data Protection Management Systems (DSMS) under the GDPR. It serves as evidence of the system's effectiveness and ensures that all security- and data protection-relevant processes are traceable.

Steffen Groß

Partner (Attorney-at-law)

1. Accurate labeling of documents
2. Document control
3. Policy documents and evidence documents
4. Practical examples of documentation
5. Conclusion and best practices

Introduction

While ISO 27001 (for ISMS) and GDPR along with ISO 27701 (for DSMS) contain general documentation requirements, they do not provide explicit guidelines on how documentation should be structured and controlled. In contrast, ISO 9001:2015 provides comprehensive requirements for document management in Quality Management Systems (QMS). Organizations operating an ISMS or DSMS can thus benefit from the best practices outlined in ISO 9001:2015 to ensure clear and structured document management.

ISO 9001:2015 provides documentation requirements in various sections that can be applied to ISMS and DSMS:

  • ISO 9001:2015, Section 7.5: Requirements for the control of documented information
  • ISO 9001:2015, Section 4.4: Documentation of processes and their interactions
  • ISO 9001:2015, Section 8.1: Operational control of documented information
  • ISO 9001:2015, Section 9.1.1: Requirements for performance monitoring documents

These principles can also be applied to ISMS and DSMS, with special requirements for security and privacy documents.


1. Accurate labeling of documents

Every documented procedure must be clearly identifiable. This ensures correct versioning and tracking. The following information should be included:

  • Title and document number: Facilitate identification and management
  • Creator and responsible party: Clear assignment of responsibility
  • Date of creation and last revision: Ensure traceability
  • Version number/revision level: Make the change history visible
  • Approval by an authorized person: Ensure that only verified documents are used
  • Scope of validity and distribution: Define who has access and where the document is made available

The requirements of ISO 9001:2015 (section 7.5.2) for document identification also apply to security and data protection management systems.


2. Document control

Documents in the ISMS and DSMS must be controlled to prevent unauthorized changes and uncontrolled distribution. Control includes:

  • Access control: Documents must be protected against unauthorized access (ISO 9001:2015, 7.5.3.2).
  • Change management: Every change to a security or data protection document must be traceable (ISO 9001:2015, 7.5.2 and 7.5.3.2).
  • Archiving and retention: Security and data protection documents are subject to legal retention periods and must be stored securely (ISO 9001:2015, 7.5.3.1).

The control of documented information is a central component of a functioning ISMS and DSMS, since uncontrolled documentation poses risks to information security and data protection.


3. Policy documents and evidence documents

ISMS and DSMS distinguish between policy documents (documented procedures that prescribe how something is to be done) and evidence documents (records such as audit logs and risk assessments that show what was actually done).

Policy documents (ISO 9001:2015, 4.4.2, 8.1)

  • Guidelines (e.g. information security policy, data protection guidelines)
  • Process descriptions (e.g. incident management, access management)
  • Work instructions (e.g. creation and management of encryption keys)
  • Checklists and forms (e.g. data protection impact assessment)

Evidence documents (ISO 9001:2015, 9.1.1, 9.3.2)

  • Risk assessments and analyses
  • Audit reports (e.g. internal audits according to ISO 27001, GDPR audits)
  • Training certificates for employees in the field of data protection and IT security
  • Records of security-related incidents and their resolution

These documents must be managed in accordance with the control requirements.


4. Practical examples of documentation

Example process description: Response to data protection incident

Process: Handling of data protection incidents
Purpose: To ensure that all data protection incidents are quickly detected, documented and processed in accordance with GDPR requirements.
Scope: All personal data and data processing systems within the company.
Process owner: Data Protection Officer
Process flow:

  1. Recording: The incident is documented in the data protection incident register.
  2. Initial analysis: The data protection team assesses the incident and checks whether it must be reported under Art. 33 GDPR.
  3. Measures: Immediate measures to contain the incident are implemented and documented.
  4. Reporting: For reportable incidents, the supervisory authority is notified within 72 hours.
  5. Information for those affected: Where there is a high risk, the persons affected are informed in accordance with Art. 34 GDPR.
  6. Follow-up: Lessons learned are recorded and preventive measures are defined.

Change log

Document                           | Old version | New version | Change                               | Date       | Approved by
IT security guideline              | 1.0         | 1.1         | Update of password guidelines        | 01.06.2023 | IT security officer
Data protection impact assessment  | 2.0         | 2.1         | Adaptation to new GDPR requirements  | 15.07.2023 | Data protection officer
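The labeling fields from section 1, the control requirements from section 2 and the change log above describe one mechanism: a register in which a document can only be released or revised by an authorized person, every revision bumps the version and leaves a log entry, and later tampering outside the process can be detected. The following Python register is an added illustration written for this article, not code from Simpliant or from any ISO standard. The document number ISMS-POL-001, the role names, the content strings and the rule that an approved change increments the minor version are all constructed assumptions; the change-log row it reproduces is the first row of the table above.

```python
"""Minimal controlled-document register: labeling fields, role-based approval,
append-only change log and integrity check (constructed example)."""
from dataclasses import dataclass
from datetime import date
from hashlib import sha256


def content_hash(text: str) -> str:
    """Fingerprint of a document body, stored at release so later tampering shows up."""
    return sha256(text.encode("utf-8")).hexdigest()


def bump_minor(version: str) -> str:
    """Assumed versioning policy: an approved change raises the minor number."""
    major, minor = version.split(".")
    return f"{major}.{int(minor) + 1}"


@dataclass
class ControlledDocument:
    # Labeling fields from section 1 of the article.
    doc_number: str          # identification
    title: str
    creator: str             # who wrote it
    owner: str               # responsible party
    created: date
    scope: str               # scope of validity
    distribution: tuple      # where it is made available
    content: str
    version: str = "1.0"
    revised: date = None     # filled at creation, updated on every release
    approved_by: str = None  # set only by the register
    content_digest: str = ""

    def __post_init__(self):
        self.revised = self.revised or self.created
        self.content_digest = content_hash(self.content)


@dataclass
class ChangeRecord:
    """One row of the change log, plus digests linking it to the document bodies."""
    doc_number: str
    old_version: str
    new_version: str
    change: str
    date: date
    approved_by: str
    old_digest: str
    new_digest: str


class DocumentRegister:
    def __init__(self, approvers: dict):
        # doc_number -> roles allowed to release it (assumption: authority per document)
        self.approvers = approvers
        self.released: dict = {}
        self.pending: dict = {}
        self.change_log: list = []

    def register(self, doc: ControlledDocument, approver: str) -> None:
        self._check_approver(doc.doc_number, approver)
        doc.approved_by = approver
        self.released[doc.doc_number] = doc

    def propose_change(self, doc_number: str, new_content: str, change: str) -> None:
        if doc_number not in self.released:
            raise KeyError(f"unknown document {doc_number}")
        # A draft never overwrites the released copy; it waits for approval.
        self.pending[doc_number] = (new_content, change)

    def approve(self, doc_number: str, approver: str, on: date) -> ChangeRecord:
        self._check_approver(doc_number, approver)
        if doc_number not in self.pending:
            raise ValueError(f"no pending change for {doc_number}")
        doc = self.released[doc_number]
        new_content, change = self.pending.pop(doc_number)
        old_version, old_digest = doc.version, doc.content_digest
        doc.content, doc.content_digest = new_content, content_hash(new_content)
        doc.version, doc.revised, doc.approved_by = bump_minor(old_version), on, approver
        record = ChangeRecord(doc_number, old_version, doc.version, change, on,
                              approver, old_digest, doc.content_digest)
        self.change_log.append(record)
        return record

    def verify_integrity(self, doc_number: str) -> bool:
        """True while the stored body still matches the digest recorded at release."""
        doc = self.released[doc_number]
        return content_hash(doc.content) == doc.content_digest

    def _check_approver(self, doc_number: str, approver: str) -> None:
        if approver not in self.approvers.get(doc_number, set()):
            raise PermissionError(f"{approver} may not approve {doc_number}")


def demo() -> DocumentRegister:
    """Constructed walkthrough reproducing the first change-log row above."""
    reg = DocumentRegister({"ISMS-POL-001": {"IT security officer"}})
    reg.register(ControlledDocument(
        "ISMS-POL-001", "IT security guideline", "Security team", "IT security officer",
        date(2023, 1, 10), "All employees", ("intranet",), "Passwords: 8 characters minimum."),
        approver="IT security officer")
    reg.propose_change("ISMS-POL-001", "Passwords: 12 characters minimum, MFA required.",
                       "Update of password guidelines")
    reg.approve("ISMS-POL-001", "IT security officer", date(2023, 6, 1))
    return reg
```

Running demo() yields a document at version 1.1, revised on 01.06.2023 and approved by the IT security officer, with a single change-log entry; an approval attempt by a role that is not in the approvers set raises PermissionError and leaves the released version untouched, and editing the stored body without going through approve() makes verify_integrity() return False. The digests in each ChangeRecord are what let an auditor tie a log row back to the exact document body that was approved.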

5. Conclusion and best practices

Documentation is an essential part of a functioning ISMS and DSMS. Key best practices include:

  • Automation through software and document management systems (DMS) to facilitate versioning and access control.
  • Training for employees to ensure the correct handling of security and privacy-related documents.
  • Regular review and updates to ensure documentation remains current and compliant.

By applying ISO 9001 documentation requirements to ISMS and DSMS, organizations can ensure that their information security and privacy documents are managed efficiently.

Legal advice

Simpliant Legal - Wittig, Bressner, Groß Rechtsanwälte Partnerschaftsgesellschaft mbB


© 2019 - 2025 Simpliant