Introduction
Documentation plays a central role in Information Security Management Systems (ISMS) according to ISO 27001 and in Data Protection Management Systems (DSMS) under the GDPR. It serves as evidence that the management system is effective and makes all security and data protection processes traceable for internal auditors, certification bodies and supervisory authorities.
ISO 27001 (for the ISMS) and ISO 27701 together with the GDPR (for the DSMS) do state documentation requirements, but they keep them short: ISO 27001 clause 7.5 covers creating, updating and controlling documented information in a few sentences, and the GDPR requires specific records (e.g. the records of processing activities under Art. 30 or the documentation of personal data breaches under Art. 33(5)) without saying how documents are to be structured and controlled. ISO 9001:2015 shares the same harmonized clause structure, but quality management has a long practice of documented procedures and document control behind it. Organizations operating an ISMS or DSMS can therefore transfer the established practices from ISO 9001:2015 to obtain clear and structured document management.
ISO 9001:2015 contains documentation requirements in several sections that can be applied to ISMS and DSMS:
- ISO 9001:2015, Section 7.5: Creating, updating and controlling documented information
- ISO 9001:2015, Section 4.4.2: Documented information to support the operation of processes and to show that they are carried out as planned
- ISO 9001:2015, Section 8.1: Operational planning and control, including the documented information needed to confirm that processes have been carried out as planned
- ISO 9001:2015, Section 9.1.1: Retaining documented information as evidence of monitoring and measurement results
These principles apply to ISMS and DSMS as well, supplemented by the special requirements for security and data protection documents described below.
1. Accurate labeling of documents
Every documented procedure must be clearly identifiable. This ensures correct versioning and tracking. The following information should be included:
- Title and document number: Facilitates identification and management
- Creator and responsible party: Clear assignment of responsibility
- Date of creation and last revision: Ensure traceability
- Version number/revision level: Understand the change history
- Approval by authorized person: Ensure that only verified documents are used
- Scope of validity and distribution: Define who has access and where the document is provided
The identification requirements of ISO 9001:2015, section 7.5.2 (title, date, author, reference number, plus review and approval for suitability) appear word for word in ISO 27001, clause 7.5.2, and therefore apply unchanged to security and data protection management systems.
2. Document control
Documents in the ISMS and DSMS must be controlled to prevent unauthorized changes and uncontrolled distribution. Control includes:
- Access control: Documents must be protected against unauthorized access, improper use and loss of integrity (ISO 9001:2015, 7.5.3.1), and their distribution, access, retrieval and use must be regulated (7.5.3.2).
- Change management: Every change to a security or data protection document must be reviewed and approved (7.5.2) and must be traceable, e.g. through version control (7.5.3.2, control of changes).
- Archiving and retention: Security and data protection documents are subject to legal and contractual retention periods (the GDPR, for example, requires that every personal data breach be documented so that the supervisory authority can verify compliance, Art. 33(5)); their retention and disposition must be defined (7.5.3.2) and they must be stored so that confidentiality and legibility are preserved (7.5.3.1, 7.5.3.2).
The control of documented information is a central component of a functioning ISMS and DSMS, since uncontrolled documentation is itself a risk: outdated procedures get followed, confidential documents leak, and evidence that cannot be shown to be unaltered is of little value in an audit or an investigation.
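The labeling fields from section 1 and the change-control and retention requirements from section 2 are usually enforced by a document management system, but the rules themselves are small enough to state as code. The following Python register is an added example written for this article; it is not a tool prescribed by ISO 9001 or part of the original text. It rejects the release of a document whose header is incomplete or unapproved, chains every revision to its predecessor with a SHA-256 digest over content and metadata so that a later alteration of the history is detectable, and checks a retention period before disposal. The document identifier, field names and retention period are assumptions chosen for illustration.

```python
"""Minimal document-control register for ISMS/DSMS documentation (added example)."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Header fields a controlled document must carry before it may be released
# (title, number, owner, dates, version, approval, scope; see section 1).
REQUIRED_FIELDS = ("title", "doc_id", "owner", "created", "revised",
                   "version", "approved_by", "scope")


@dataclass
class Revision:
    version: str
    author: str
    revised: date
    approved_by: Optional[str]
    content: str
    prev_digest: str  # digest of the preceding revision, "" for the first one
    digest: str = ""  # filled in by seal()

    def compute_digest(self) -> str:
        # Hash the content together with the identifying metadata and the link
        # to the previous revision, so that editing any of them is detectable.
        material = json.dumps({
            "version": self.version, "author": self.author,
            "revised": self.revised.isoformat(), "approved_by": self.approved_by,
            "content": self.content, "prev": self.prev_digest,
        }, sort_keys=True).encode()
        return hashlib.sha256(material).hexdigest()

    def seal(self) -> None:
        self.digest = self.compute_digest()


class ControlledDocument:
    def __init__(self, doc_id: str, title: str, owner: str, scope: str, created: date):
        self.doc_id, self.title, self.owner = doc_id, title, owner
        self.scope, self.created = scope, created
        self.revisions: list[Revision] = []
        self.status = "draft"

    def header(self) -> dict:
        """The labeling block as it would be printed on the document."""
        latest = self.revisions[-1] if self.revisions else None
        return {
            "title": self.title, "doc_id": self.doc_id, "owner": self.owner,
            "created": self.created.isoformat(), "scope": self.scope,
            "revised": latest.revised.isoformat() if latest else "",
            "version": latest.version if latest else "",
            "approved_by": latest.approved_by if latest else "",
            "status": self.status,
        }

    def missing_fields(self) -> list[str]:
        h = self.header()
        return [f for f in REQUIRED_FIELDS if not h.get(f)]

    def add_revision(self, version: str, author: str, content: str,
                     revised: date, approved_by: Optional[str] = None) -> Revision:
        if any(r.version == version for r in self.revisions):
            raise ValueError(f"version {version} already exists")
        prev = self.revisions[-1].digest if self.revisions else ""
        rev = Revision(version, author, revised, approved_by, content, prev)
        rev.seal()
        self.revisions.append(rev)
        self.status = "draft"  # every new revision goes back to draft until released
        return rev

    def release(self) -> None:
        """Only a complete, approved document with an intact history is released."""
        missing = self.missing_fields()
        if missing:
            raise ValueError("cannot release, missing: " + ", ".join(missing))
        if not self.verify_history():
            raise ValueError("cannot release, revision history is inconsistent")
        self.status = "released"

    def verify_history(self) -> bool:
        """Recompute every digest and check that each revision links to its predecessor."""
        prev = ""
        for rev in self.revisions:
            if rev.prev_digest != prev or rev.compute_digest() != rev.digest:
                return False
            prev = rev.digest
        return True

    def disposal_allowed(self, today: date, retention_years: int) -> bool:
        """Retention check: disposal only after the period counted from the last revision."""
        if not self.revisions:
            return True
        last = self.revisions[-1].revised
        try:
            expiry = last.replace(year=last.year + retention_years)
        except ValueError:  # 29 February in a non-leap target year
            expiry = last.replace(year=last.year + retention_years, day=28)
        return today >= expiry


if __name__ == "__main__":
    # Constructed sample: a procedure that is drafted, approved and released.
    doc = ControlledDocument("ISMS-PR-07", "Handling of data protection incidents",
                             "Data Protection Officer", "All personal data", date(2024, 1, 15))
    doc.add_revision("0.1", "dpo", "draft text", date(2024, 1, 15))
    print("missing before approval:", doc.missing_fields())
    doc.add_revision("1.0", "dpo", "final text", date(2024, 2, 1), approved_by="CISO")
    doc.release()
    print(doc.header())
```

In a real DMS the digest of each released revision would be stored outside the editable repository (or signed), otherwise someone who can rewrite the history can recompute the chain; the example shows the check itself, not its deployment.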
3. Policy documents and evidence documents
ISMS and DSMS distinguish between policy documents (documented information that is maintained: policies, procedures, instructions) and evidence documents (documented information that is retained: records such as audit logs and completed risk assessments). ISO 9001:2015 makes the same distinction with the verbs "maintain" and "retain".
Policy documents (ISO 9001:2015, 4.4.2, 8.1)
- Guidelines (e.g. information security policy, data protection guidelines)
- Process descriptions (e.g. incident management, access management)
- Work instructions (e.g. creation and management of encryption keys)
- Checklists and forms (e.g. the template for a data protection impact assessment under Art. 35 GDPR)
Evidence documents (records) (ISO 9001:2015, 4.4.2 b), 9.1.1, 9.3.3)
- Risk assessments and analyses
- Audit reports (e.g. internal audits according to ISO 27001, GDPR audits)
- Training certificates for employees in the field of data protection and IT security
- Records of security-related incidents and their resolution (incident logs)
Both kinds must be managed in accordance with the control requirements of section 2. Evidence documents in particular must be protected against subsequent alteration, since their value lies in showing what actually happened and when.
4. Practical examples of documentation
Example process description: Response to data protection incident
Process: Handling of data protection incidents
Purpose: To ensure that all data protection incidents are quickly detected, documented and processed in accordance with GDPR requirements.
Scope: All personal data and data processing systems within the company.
Process owner: Data Protection Officer
Process flow:
- Recording: The incident is entered in the data protection incident register. Art. 33(5) GDPR requires every personal data breach to be documented, including those that turn out not to be notifiable.
- Initial analysis: The data protection team assesses the incident and checks whether it must be notified under Art. 33(1) GDPR (notification is required unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons).
- Measures: Immediate measures to contain the incident are implemented and documented.
- Reporting: Notifiable breaches are reported to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of them; if the 72 hours are exceeded, the reasons for the delay are documented with the notification (Art. 33(1) GDPR).
- Information for those affected: If the breach is likely to result in a high risk, the persons affected are informed in accordance with Art. 34 GDPR.
- Follow-up: Lessons learned are recorded and preventive measures are defined.
Change log: version, date, author and summary of each change, as required by the labeling rules in section 1.
5. Conclusion and best practices
Documentation is an essential part of a functioning ISMS and DSMS. Key best practices include:
- Automation through a document management system (DMS) with enforced versioning, approval workflows and access control, so that the controls in section 2 do not depend on manual discipline.
- Training for employees to ensure the correct handling of security and privacy-related documents.
- Regular review and updates, at defined intervals and after relevant changes, to ensure documentation remains current and compliant.
By applying the ISO 9001 documentation requirements to ISMS and DSMS, organizations can ensure that their information security and privacy documents are identifiable, controlled and usable as evidence.