ISO 27701, Clause 5.5.5 – Documented Information

Name: ISMS.online
Telephone: +441273041140
Price range: ££
Location: ISMS.online

ISO 27701 Controls and Clauses Explained

cropped,image,of,professional,businesswoman,working,at,her,office,via

Document control is a crucial part of any privacy protection system, or indeed any broader information security policy.

Throughout its various standards, ISO recognises document management as an ongoing process that is used to demonstrate adherence both to ISO standards, and the organisation’s own privacy protection objectives.

ISO asks organisations to not merely view documented information as an administrative function, but instead use it as a recurring means to improve privacy protection adherence through the structured storage of guidelines that provide clear direction on PII-related activities.

What’s Covered in ISO 27701 Clause 5.5.5

ISO 27701 5.5.5 deals with documented information through three sub-clauses. Each deals with a different set of privacy and PII specific guidance points that link back to ISO 27001:

ISO 27701 Clause 5.5.5.1 – General (References ISO 27001 Control 7.5.1)

ISO 27701 Clause 5.5.5.2 – Creating and updating (References ISO 27001 Control 7.5.2)

ISO 27001 Clause 5.5.5.3 – Control of documented information (References ISO 27001 Control 7.5.3)

ISO 27701 5.5.5 doesn’t contain any supplementary guidance on PIMS-specific requirements, nor is it particularly relevant to any specific GDPR articles.

Jump to Topic

What’s Involved With Clause 5.5.5?
What is Clause 5.5.5.1?
What is Clause 5.5.5.2?
What is Clause 5.5.5.3?
Supporting Controls From ISO 27001 and GDPR
How ISMS.online Helps

Achieve ISO 27701 Success

See our platform in action with a tailored hands-on session based on your needs and goals.

Book your demo

ISO 27701 Clause 5.5.5.1 – General

References ISO 27001 Control 7.5.1

The organisation’s PIMS should include documented information that:

Is required for ISO 27701 and ISO 27001 adherence;

Improves the efficiency of the PIMS and accompanying privacy protection systems.

ISO 27701 Clause 5.5.5.2 – Creating and Updating

References ISO 27001 Control 7.5.2

Throughout the process of drafting and amending documentation, organisations should:

Include a clear identifying field, with an accompanying description;

Ensure that documents are formatted correctly and are available from the appropriate sources – both physical and electronic;

Adhere to a structured amendment process that reviews documents based on their ability to convey the relevant information.

ISO 27701 Clause 5.5.5.3 – Control of Documented Information

References ISO 27001 Control 7.5.3

Organisation’s should exercise adequate levels of control and security over their internal document structure that ensures documents are:

Accessible, as and when required, by the relevant authorities and/or personnel.

Secure and protected against unauthorised use, breach of confidentiality or any other loss of data integrity;

ISO 27701 Control 5.5.5 asks organisations to consider four main activities, when exercising control over privacy protection-related documents:

Distribution (including access and use).

Storage (including document preservation).

Version controls.

Retention.

Alongside the management of internal documents, ISO asks organisations to consider how best to manage their interactions with and control of external documents that are required for the planning and implementation of a PIMS or other privacy/PII-related activities.

Supporting Controls From ISO 27001 and GDPR

ISO 27701 Clause Identifier	ISO 27701 Clause Name	ISO 27001 Requirement	Associated GDPR Articles
5.5.5.1	General	7.5.1 – General Documentation for ISO 27001	None
5.5.5.2	Creating and Updating	7.5.2 – Creating and Updating Documented Information for ISO 27001	None
5.5.5.3	Control of Documented Information	7.5.3 – Control of Documented Information for ISO 27001	None