What is ISO 27001:2022 Clause 7.5?
ISO 27001:2022 Clause 7.5 covers the management of documented information within an organisation's information security management system (ISMS). Documented information is the lifeblood of any ISMS, as it encapsulates the policies, procedures, and records essential to securing sensitive data and maintaining the ISMS's effectiveness.
This clause states that the documented information should be:
Identified and described: Documented information must be clearly identified and described, including attributes like title, date, author, or reference number.
In a defined format and media: Organisations must define the format (e.g., language, software version, graphics) and media (e.g., paper, electronic) for their documented information.
Reviewed and approved for suitability and adequacy: All documented information must undergo a rigorous review and approval process to ensure its suitability and adequacy.
Controlled: The control of documented information is pivotal. It involves ensuring that this information is readily available when needed and adequately protected against confidentiality breaches, improper use, or integrity loss. This includes activities like distribution, access, storage, preservation, version control, and retention.