The process of earning your ISO 27001 certification is a robust one, involving a great deal of documentation and record-keeping. While it may seem tedious while you are going through it, it is entirely necessary that records are produced accurately and managed carefully. ISO 27001 certification is about much more than receiving a certificate. The process as a whole will significantly enhance your company’s information security management system (ISMS), and this is precisely because of the amount of recording required. At each step of the process you must identify risks and apply controls, conduct performance tests and lengthy audits, all of which ultimately improve your security systems. The records produced are defined as evidence of the results achieved. Essentially, this means that a record is made when an activity is performed, as proof that the activity took place. This not only proves to the auditor that action was taken and was successful, but it is also important data for your organization to understand.
To mitigate risks effectively, you must be able to determine the effectiveness of your control objectives. For this reason, tests are conducted and reports are made, logging the results of each test for later evaluation. These results are critical in understanding whether your current processes are delivering the desired results; if not, changes need to be made. Failing to manage your records properly can be detrimental to the state of your ISMS, so it is crucial that you do so correctly. Beyond the fact that managing records is a highly beneficial practice, it is also required by ISO 27001. To ensure that you understand the significance of ISMS record management, we will discuss the importance of records and the associated ISO requirements.
What Records Do You Need?
We already know that records are the evidence of a performed activity, but that definition is not particularly helpful in determining what needs to be recorded. The ISO 27001 standard speaks about records only in the context of documented information, which essentially encompasses policies, procedures, plans, and other similar documents. The management of documents and of records is essentially the same, and occasionally the documents and the records themselves are the same thing. This is still vague, so we’ll get more specific.
Records are divided by the way they are created and fall into two categories: automatically created and manually created. Automatically created records include logs generated within information systems and reports generated from those systems. The list of manually created records is a bit longer, and includes:
- Reports where additional input was needed
- Training records
- Records from drills, testing, and exercising
- Meeting minutes
- Corrective actions
- Asset inventories
- To-do lists
- Change history within documents
- Post-incident review results
- Visitor logbooks
Whether created automatically or manually, records can be in paper, digital, or any other form. While some records are predominantly kept on paper, particularly those of greater legal significance, most organizations keep digital records. Digital records are not only easier to automate, share, and store; they also tend to be more secure, because they can be backed up to a secure server. Regardless of the form your records take, maintaining them is mandatory. Reviewing a list of mandatory documents can help you manage your records and ensure that you comply with every requirement. These documents are the minimum you need to maintain to comply with the ISO 27001 standard; others may be necessary if you want to prove that additional activities were performed.
To ensure that records are produced and managed accurately, ISO 27001 sets out a list of controls for ISMS record management. The first covers distribution, access, retrieval, and use. As with any document containing sensitive information, there must be defined controls on access. This control requires organizations to explicitly define who (by job title) has the right to access the records and for what purpose (such as read-only). This ensures that sensitive information is available only to the people who need it, preserving the integrity of the information.
The second control outlined by the standard concerns the storage and preservation of records. You must define where the records will be archived, specifying the exact computer and facility. Additionally, you will need to record how they will be protected from unauthorized access and how their legibility will be preserved. This includes the access controls or encryption protocols you have in place, and how you will ensure that the information remains readable even if the storage media becomes obsolete. Each of these decisions has consequences, so it is vital to be thorough. You will also need to define control of changes: each time you edit a particular record or report, you will need to assign a new version number so that changes can be tracked.
The final control covers retention and disposition. This defines how long a specific record will be kept and how it will be destroyed when that period ends. A digital record will need to be overwritten; a paper record will need to be shredded and disposed of.
There are two methods of documenting these rules. One option is to write a centralized policy that defines the rules for controlling all records within the organization. This method is only practical for organizations with very few types of records, which could be the case if all records are similar or the company is very small. The second method, used by most organizations, defines the rules separately for each type of record within the relevant policies and procedures.
The Importance of Records
Records are mandatory for the ISO 27001 certification audit. As mentioned, they provide evidence that your organization has performed specific activities adequately. Based on these records, the external auditor will decide whether you have successfully complied with all required documentation. While this is the mandatory aspect of record management, records are beneficial for more than just ISO compliance. Without them, your company will have difficulty keeping track of which activities have been performed and what is working. Even those with the best memory will struggle to recall the results of a specific action taken years earlier. For your ISMS to be effective and efficient, you must clearly understand which processes work and which do not. A successful ISMS undergoes constant maintenance and monitoring, so records are essential for knowing how and where to make improvements. Records will significantly help you in managing your information security, and thus your company. Without records, your company will be relying on guesswork, so it is crucial to recognize their importance and act accordingly.