{"id":4446,"date":"2014-11-24T19:02:34","date_gmt":"2014-11-24T19:02:34","guid":{"rendered":"https:\/\/multiacademstg.wpengine.com\/27001academy\/blog\/014\/11\/24\/records-management-in-iso-27001-and-iso-22301\/"},"modified":"2024-12-21T15:08:23","modified_gmt":"2024-12-21T15:08:23","slug":"records-management-in-iso-27001-and-iso-22301","status":"publish","type":"post","link":"https:\/\/staging.advisera.com\/27001academy\/blog\/2014\/11\/24\/records-management-in-iso-27001-and-iso-22301\/","title":{"rendered":"Records management in ISO 27001 and ISO 22301"},"content":{"rendered":"<p>At the beginning of <a href=\"https:\/\/staging.advisera.com\/27001academy\/what-is-iso-27001\/\" target=\"_blank\" rel=\"noopener noreferrer\">ISO 27001<\/a>\u00a0or <a href=\"https:\/\/staging.advisera.com\/27001academy\/what-is-iso-22301\/\" target=\"_blank\" rel=\"noopener noreferrer\">ISO 22301<\/a>\u00a0implementation, records might seem like one of those bureaucratic requirements of these standards with no real purpose, and that will only take up your time. However, chances are you already have many records that can be used, and the ones you\u2019ll have to introduce could be quite helpful.<\/p>\n<h2>What are records?<\/h2>\n<p>ISO\/IEC 27000:2014 defines records as \u201cevidence of the results achieved\u201d \u2013 this basically means that records are produced (automatically or manually) when a certain activity is performed, and those records show what has been done. 
For example, if your backup is performed automatically, your backup system will produce logs (which are also a type of record); if you have a visitor\u2019s book, logging names into this book is a record.<\/p>\n<p>All the ISO management standards like <a href=\"https:\/\/staging.advisera.com\/9001academy\/what-is-iso-9001\/\" target=\"_blank\" rel=\"noopener noreferrer\">ISO 9001<\/a>, <a href=\"https:\/\/staging.advisera.com\/14001academy\/what-is-iso-14001\/\" target=\"_blank\" rel=\"noopener noreferrer\">ISO 14001<\/a>, <a href=\"https:\/\/staging.advisera.com\/20000academy\/what-is-iso-20000\/\" target=\"_blank\" rel=\"noopener noreferrer\">ISO 20000<\/a>, etc. have the same requirements for managing records \u2013 therefore, this article is applicable to all these standards.<\/p>\n<p>To make things a bit more complicated, the new ISO 27001:2013 and ISO 22301:2012 standards speak about records only in the context of <em>documented information<\/em> \u2013 documented information is nothing else but records and documents (i.e., policies, procedures, plans, and other similar documents) merged into a single term. 
This has been done because management of documents and records is basically the same, and in some cases the documents are also the records at the same time.<\/p>\n<h2>Examples of records<\/h2>\n<p>Below are some examples of records, divided by the way they are created:<\/p>\n<p><strong>Automatically<\/strong> created records:<\/p>\n<ul>\n<li>logs created within information systems<\/li>\n<li>reports created from the information systems<\/li>\n<\/ul>\n<p><strong>Manually<\/strong> created records:<\/p>\n<ul>\n<li>reports where additional input was needed<\/li>\n<li>training records<\/li>\n<li>records from drills, testing, and exercising<\/li>\n<li>meeting minutes<\/li>\n<li>corrective actions<\/li>\n<li>asset inventories<\/li>\n<li>checklists<\/li>\n<li>to-do lists<\/li>\n<li>change history within documents<\/li>\n<li>post-incident review results<\/li>\n<li>visitors\u2019 log book<\/li>\n<\/ul>\n<p>Of course, records can be in paper, digital, or some other form \u2013 some records are still predominantly in paper form (e.g., a signed NDA), but the general trend is to have digital records.<\/p>\n<p>Here you\u2019ll find a list of all mandatory records according to these two standards: <a href=\"https:\/\/staging.advisera.com\/27001academy\/knowledgebase\/list-of-mandatory-documents-required-by-iso-27001-revision\/\/\" target=\"_blank\" rel=\"noopener\">List of mandatory documents required by ISO 27001<\/a>\u00a0and <a href=\"https:\/\/staging.advisera.com\/27001academy\/knowledgebase\/mandatory-documents-required-by-iso-22301\/\" target=\"_blank\" rel=\"noopener noreferrer\">Mandatory documents required by ISO 22301<\/a>\u00a0\u2013 this is the minimum you need to maintain if you want to comply with these two standards, and other records are necessary if you want to prove you performed 
certain activities.<\/p>\n<h2>Requirements for controlling the records<\/h2>\n<p>Requirements for records management (management of documented information) are almost the same in ISO 27001 and ISO 22301 \u2013 here is what these two standards require for the control of records:<\/p>\n<ul>\n<li><strong>Distribution, access, retrieval, and use<\/strong> \u2013 basically, you need to define who has the right to access the records (e.g., by job title) and for what purpose (e.g., read-only).<\/li>\n<li><strong>Storage and preservation<\/strong> \u2013 where the records will be archived (e.g., which computer, which facility), how they will be protected from unauthorized access (e.g., access control, encryption, etc.), and how to preserve their legibility (how to ensure the information is readable even if the media becomes obsolete \u2013 e.g., what to do with old VHS video tapes).<\/li>\n<li><strong>Control of changes<\/strong> \u2013 if you edit a particular record (e.g., a report), you need to assign a new version number each time.<\/li>\n<li><strong>Retention and disposition<\/strong> \u2013 how long a particular record will be kept (e.g., 5 years) and how you will destroy such a record (e.g., overwriting digital records, or destroying paper documents in a shredder).<\/li>\n<\/ul>\n<p style=\"padding-top: 20px;\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-22546\" src=\"\/wp-content\/uploads\/sites\/5\/2014\/11\/records-management-27001.jpg\" alt=\"ISO 27001 Records \u2013 How to manage them?\" width=\"1000\" height=\"628\" srcset=\"\/wp-content\/uploads\/sites\/5\/2014\/11\/records-management-27001.jpg 1000w, \/wp-content\/uploads\/sites\/5\/2014\/11\/records-management-27001-300x188.jpg 300w, \/wp-content\/uploads\/sites\/5\/2014\/11\/records-management-27001-768x482.jpg 768w\" sizes=\"(max-width: 1000px) 100vw, 1000px\" \/><\/p>\n<p>There are basically two ways to document these rules: (a) to write a centralized policy or a procedure that would 
define rules for controlling all the records in a company, or (b) to define the rules in different policies and procedures separately for each type of record. For example, approach (b) could be a backup procedure that would define rules for all four of the above-mentioned bullets specifically for backup logs.<\/p>\n<p>Personally, I think that approach (a) is possible only if there are very few types of records in a company \u2013 e.g., if it is a very small company, or if all the company records are very similar; approach (b) should be used in all other cases.<\/p>\n<h2>Why are the records important?<\/h2>\n<p>As you might have guessed, records are extremely important for the certification audit \u2013 the certification auditor will be looking for evidence that you have performed certain activities, and based on that he will make a decision regarding whether you have complied with your documentation. See also: <a href=\"https:\/\/staging.advisera.com\/27001academy\/iso-27001-certification\/\" target=\"_blank\" rel=\"noopener noreferrer\">Becoming ISO 27001 certified &#8211; How to prepare for certification audit<\/a>.<\/p>\n<p>But, most importantly \u2013 without records you wouldn\u2019t know what you have done and what you haven\u2019t, what\u2019s going well and what isn\u2019t. Would you be able to remember what you agreed on during each meeting in the last couple of years? Would you be able to know whether you performed all the items from your to-do list, and which ones you left for later? Would you be able to know which of your systems performed well and which did not?<\/p>\n<p>Of course you wouldn\u2019t \u2013 therefore, use those records to manage your information security, and to manage your company. 
Without records you\u2019re just guessing \u2013 it would be like driving a car in the middle of the night with the lights off.<\/p>\n<p><em>To implement ISO 27001 &amp; ISO 22301 easily and efficiently, use our <\/em><a href=\"https:\/\/staging.advisera.com\/27001academy\/iso-27001-22301-premium-documentation-toolkit\/\" target=\"_blank\" rel=\"noopener\">ISO 27001 &amp; ISO 22301 Premium Documentation Toolkit<\/a><em> that provides step-by-step guidance and all documents for full ISO 27001 &amp; ISO 22301 compliance.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In the beginning of ISO 27001\u00a0or ISO 22301\u00a0implementation, records might seem like one of those bureaucratic requirements of these standards with no real purpose, and that will only take up your time. However, chances are you already have many records that can be used, and the ones you\u2019ll have to introduce could be quite helpful. &#8230;<\/p>\n","protected":false},"author":26,"featured_media":22546,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[133,268,292,380,381,472,504],"class_list":["post-4446","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","tag-iso-9001","tag-records","tag-iso-14001","tag-iso-22301","tag-iso-27001","tag-iso-20000","tag-document-management"],"acf":[],"_links":{"self":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/4446","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/users\/26"}],"replies":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/comments?
post=4446"}],"version-history":[{"count":1,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/4446\/revisions"}],"predecessor-version":[{"id":103290,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/4446\/revisions\/103290"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/media\/22546"}],"wp:attachment":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/media?parent=4446"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/categories?post=4446"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/tags?post=4446"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}