Managing ISO Documentation – A Plain English Guide: A Step-by-Step Handbook for ISO Practitioners in Small Businesses
About this ebook
In this book, Dejan Kosutic, author and experienced ISO consultant, shares his practical know-how on managing policies, procedures, plans, forms, reports, and other documented information. Whether you are new to the field or experienced, this book gives you everything you need to know about handling ISO 9001, ISO 14001, ISO 27001, ISO 22301, ISO 20000, ISO 22000, OHSAS 18001, ISO 13485, AS9100, and IATF 16949 documents.
Many ISO practitioners are disappointed by the quantity and complexity of the documentation. You can frequently hear:
- “We don’t need these documents – we’re doing just fine without them; this would only be overkill.”
- “This standard is all about documentation – we simply need to fill out all the documents, and we’ll automatically get the certificate.”
- “We need to write policies and procedures for each and every process, activity, and control in our company – the more documents, the clearer the rules will be, and it will be easier for us to comply.”
This book is here to prove these statements wrong. As Kosutic says: “The main point of the implementation of any standard is that the employees perform their activities and processes in a better way, and the documentation is here to help you do that, because otherwise, their processes and activities would become unmanageable.”
Managing ISO Documentation: A Plain English Guide is a step-by-step guide that will explain the sequence of writing the documentation and its relationship with the PDCA cycle, how to decide on your documentation strategy, how to decide which policies and procedures to write, and what might be the most crucial part – how to write documentation that will be accepted by your employees.
Written in easy-to-understand language, whether you’re an experienced practitioner or new to the field, Managing ISO Documentation: A Plain English Guide is the only book you’ll ever need on the subject.
Book preview
Managing ISO Documentation – A Plain English Guide - Dejan Kosutic
Managing ISO Documentation:
A Plain English Guide
Also by Dejan Kosutic:
9 Steps to Cybersecurity: The Manager’s Information Security Strategy Manual
Becoming Resilient: The Definitive Guide to ISO 22301 Implementation
ISO 27001 Risk Management in Plain English
ISO 27001 Annex A Controls in Plain English
Preparing for ISO Certification Audit: A Plain English Guide
Dejan Kosutic
Managing ISO Documentation:
A Plain English Guide
A Step-by-Step Handbook for ISO Practitioners in Small Businesses
Advisera Expert Solutions Ltd
Zagreb, Croatia
Copyright ©2017 by Dejan Kosutic
All rights reserved. No part of this book may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without written permission from the author, except for the inclusion of brief quotations in a review.
Limit of Liability / Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representation or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. This book does not contain all information available on the subject. This book has not been created to be specific to any individual’s or organization’s situation or needs. You should consult with a professional where appropriate. The author and publisher shall have no liability or responsibility to any person or entity regarding any loss or damage incurred, or alleged to have been incurred, directly or indirectly, by the information contained in this book.
First published by Advisera Expert Solutions Ltd
Zavizanska 12, 10000 Zagreb
Croatia
European Union
http://advisera.com/
ISBN: 978-953-8155-01-7
First Edition, 2017
ABOUT THE AUTHOR
Dejan Kosutic is the author of numerous articles, video tutorials, documentation templates, webinars, and courses about ISO 27001, ISO 22301 and other ISO standards. He is the author of the leading ISO 27001 & ISO 22301 Blog, and has helped various organizations including financial institutions, government agencies, and IT companies implement information security management according to these standards. He holds numerous certificates, among them ISO 27001 Lead Auditor and ISO 9001 Lead Auditor.
TABLE OF CONTENTS
ABOUT THE AUTHOR
PREFACE
1 INTRODUCTION
1.1 WHY IS DOCUMENTATION IMPORTANT FOR ISO MANAGEMENT SYSTEMS?
1.2 WHO SHOULD READ THIS BOOK?
1.3 HOW TO READ THIS BOOK?
1.4 WHAT THIS BOOK IS NOT
1.5 ADDITIONAL RESOURCES
2 PREPARING TO WRITE THE DOCUMENTS
2.1 THREE OPTIONS FOR IMPLEMENTING THE STANDARD AND WRITING THE DOCUMENTATION
2.2 SEQUENCE OF WRITING THE DOCUMENTATION & RELATIONSHIP WITH PDCA CYCLE
2.3 USING TOOLS AND TEMPLATES
2.4 DECIDE ON YOUR DOCUMENTATION STRATEGY
2.5 SUCCESS FACTORS
3 HANDLING YOUR DOCUMENTS IN A MANAGEMENT SYSTEM
3.1 CONTROL OF DOCUMENTS (CLAUSE 7.5)
3.2 CONTROL OF RECORDS (CLAUSE 7.5)
3.3 BEST PRACTICES FOR DOCUMENTING ROLES AND RESPONSIBILITIES (CLAUSE 5.3)
3.4 DECIDING WHICH POLICIES AND PROCEDURES TO WRITE
3.5 WHERE TO START WITH PARTICULAR DOCUMENTS
3.6 WRITING DOCUMENTATION THAT WILL BE ACCEPTED BY THE EMPLOYEES
3.7 MAINTENANCE OF THE DOCUMENTATION (CLAUSE 7.5)
3.8 SUCCESS FACTORS
4 MINI CASE STUDY: WRITING THE SECURITY POLICIES IN MANUFACTURING COMPANY
APPENDIX A – CHECKLIST OF MANDATORY DOCUMENTATION REQUIRED BY ISO 9001:2015
APPENDIX B – CHECKLIST OF MANDATORY DOCUMENTATION REQUIRED BY ISO 14001:2015
APPENDIX C – CHECKLIST OF MANDATORY DOCUMENTATION REQUIRED BY ISO 27001:2013
APPENDIX D – CHECKLIST OF MANDATORY DOCUMENTATION REQUIRED BY ISO 22301
APPENDIX E – CHECKLIST OF MANDATORY DOCUMENTATION REQUIRED BY OHSAS 18001
APPENDIX F – STRUCTURING THE DOCUMENTATION FOR ISO 27001 ANNEX A
BIBLIOGRAPHY
PREFACE
When my book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own was published last year, I soon realized that many people were reading it because they were interested in learning how to manage the documentation.
Therefore, I have created this shorter book, a part of the handbook series, which is focused solely on how to handle policies, procedures, plans, and other documents and records. This book is not limited to ISO 27001 – the rules for handling documents are the same for any standard, so I have adapted the text so that it applies equally to ISO 9001, ISO 14001, ISO 27001, ISO 20000, ISO 22000, OHSAS 18001, ISO 13485 and IATF 16949.
This book, Managing ISO Documentation: A Plain English Guide, is actually an excerpt from the book Secure & Simple, edited in only a few minor details. So, if you compare the sections from Secure & Simple that speak about documentation, you’ll see the same sections here, with almost the same text – as I mentioned, the text was adapted so that it reads naturally from the point of view of any ISO standard.
So, why have two books with almost the same text? Because I wanted to provide a quick read for people who are focused solely on managing documentation, and don’t have the time (or need) to read a comprehensive book about ISO implementation, i.e., a book like Secure & Simple.
You might also be puzzled by the fact that this book is rather short, whereas other books on ISO documentation on the market are much longer and more detailed. Is it really possible to explain such a complex subject in a short book like this? Well, there are two answers to this:
First, this book is focused on managing documents in smaller companies – therefore, I have intentionally simplified the description so that you can handle the documents easily, and left out all the elements that would be needed only in larger companies.
Second, and more importantly, I followed my company mission: We make complex frameworks easy to understand and simple to use.
In other words, it is easy to complicate things, but it is difficult to make things easy to understand. So, when you start reading this book you’ll notice I eliminated all the hard-to-understand talk and all the unnecessary details, and focused on what exactly needs to be done, in language understandable to beginners with no prior experience in implementing an ISO standard.
So, rest assured: if you are a smaller organization, by using this book you will be able to manage