Control of Documented Information
Document ID: DPWAT-ISMS-GOV-004
Version: 1.0
Owner: ISMS Manager / CISO (RMSI) — Timo Andreas Bejan
Approved by: Administrator (ADM) — Anna Boros
Effective date: 2025-08-18
Next review: 2027-02-01 (or on major change)
1. Purpose
Define how DP WAT creates, approves, updates, distributes, stores, retains, and disposes of documented information required by the ISMS (ISO 27001:2022 clause 7.5).
2. Document repository
- Primary storage (master / controlled source): this private GitHub repository (folder DP_WAT_ISO_27001_ISMS_AND_PROCEDURES_NEW/).
- Secondary storage (controlled copy): a copy of the ISMS pack is exported to Google Drive (read-only / reference use).
- Access: read access for all relevant personnel; write access restricted to Administrators and the CISO (or delegated owners).
If there is any discrepancy between copies, the GitHub repository version is the authoritative source.
3. Identification and format
Each controlled ISMS document must include:
- Document ID
- Version
- Owner
- Approver
- Effective date
- Next review date
4. Review and approval
- New documents and material changes require approval by an Administrator.
- Minor editorial changes may be approved by the document owner if they do not change requirements.
- Reviews occur at least annually (or sooner after significant changes/incidents).
4.1 Planning ISMS changes (ISO 27001 clause 6.3)
Before making material changes to ISMS documents (policies, procedures, scope, objectives):
- Identify the reason for the change and affected areas.
- Assess whether the change affects risk assessments, controls, or compliance obligations.
- Obtain approval per section 4 above.
- Communicate the change to affected personnel (see 01.08-isms-communication.md).
- Determine if re-training or awareness updates are needed.
5. Availability and access control
- Policies/procedures must be accessible to all personnel who need them.
- Sensitive registers/records (supplier lists, personal data, incident details) must be restricted to authorized roles.
6. Retention and disposal (baseline)
Unless otherwise required by law/contract:
- Audit evidence/records: retain for at least 3 years.
- Access change records: retain for at least 2 years.
- Incident records: retain for at least 3 years.
Disposal must be secure (delete from systems, remove access, and/or destroy physical media).