
ISO 27001 Clause 7.5.3: Document Control

27kay · 7 min read

Clause 7.5.3 requires your organization to control documented information so that it is available when needed, adequately protected, and properly managed throughout its lifecycle. This is the third part of the documentation trilogy - Clause 7.5.1 defines what you need, Clause 7.5.2 covers how you create and update it, and 7.5.3 ensures it stays accessible, secure, and current over time.

What the clause requires

ISO 27001:2022 Clause 7.5.3 states that documented information required by the ISMS shall be controlled to ensure:

  • a) It is available and suitable for use, where and when it is needed
  • b) It is adequately protected (from loss of confidentiality, improper use, or loss of integrity)

For the control of documented information, the organization shall address the following activities, as applicable:

  • Distribution, access, retrieval, and use
  • Storage and preservation (including preservation of legibility)
  • Control of changes (e.g., version control)
  • Retention and disposition

The clause also applies to documented information of external origin - standards, regulatory documents, customer contracts, or supplier certifications that the organization uses within the ISMS.

How to implement document control

Access and distribution

Not everyone in the organization needs access to every ISMS document. The security policy should be available to all employees. Risk assessment results and treatment plans may be limited to leadership, the ISMS manager, and risk owners. Audit reports might be restricted to the audit team and top management.

For a small SaaS company using a cloud platform, practical access control looks like:

  • Shared folders with role-based permissions - a “Policies” folder accessible to all employees (read-only), a “Risk Management” folder limited to the ISMS manager and risk owners, an “Audit” folder for leadership
  • Edit permissions controlled - most employees get read access to policies; only the document owner and ISMS manager can edit
  • External sharing disabled by default - ISMS documents should not leave the organization without explicit authorization

If you use Confluence, Notion, SharePoint, or a GRC platform like Vanta or Eramba, these tools have built-in access controls. Use them. The goal is that people can find the documents they need, but cannot access or modify documents outside their role.

Storage and preservation

ISMS documents need to be stored somewhere reliable, accessible, and protected. For most organizations today, this means a cloud-based platform with:

  • Backup and redundancy - the platform should handle this automatically (Google Workspace, Microsoft 365, Confluence Cloud all do)
  • Preservation of legibility - documents should remain readable over time. Avoid obscure file formats that may become inaccessible. Standard formats like PDF, Word, or the native format of your collaboration platform work fine.
  • Single source of truth - all ISMS documents should live in one place. If policies are split across Google Drive, a wiki, local hard drives, and email attachments, document control breaks down.
  • Search and retrieval - people should be able to find documents easily. Consistent naming conventions (established under Clause 7.5.2) and a logical folder structure make this possible.

For a 20-person organization, a well-organized shared drive or compliance platform is usually sufficient. You do not need a dedicated document management system unless the organization’s size or regulatory requirements justify one.

Version control and change management

When documents change, the old version should not remain in circulation alongside the new one. Practical version control includes:

  • Clear version numbering on each document (v1.0, v1.1, v2.0)
  • Archive or remove superseded versions - either move old versions to an archive folder with restricted access, or delete them entirely if retention is not required
  • Change log - a brief record of what changed, when, and why. This can be a section within the document itself or a separate log.
  • Notification of changes - when a key policy or procedure updates, affected staff need to know. This connects to your communication plan under Clause 7.4.

Most collaboration platforms (Google Docs, Confluence, SharePoint) maintain version history automatically. This helps, but does not replace a clear “current version” indicator - a version number in the document header or metadata.

Retention and disposition

Some ISMS documents need to be kept for a defined period. Others can be disposed of when no longer needed. Your retention approach should cover:

  • Minimum retention periods - audit records, risk assessment results, management review minutes, and corrective action records should be retained for at least your certification cycle (typically three years). Regulatory requirements (GDPR, NIS2) may impose longer periods for specific records.
  • Retention beyond the minimum - some organizations keep historical risk assessments and audit results longer to demonstrate trends and improvement. Not required, but valuable during surveillance audits.
  • Secure disposal - when documents reach the end of their retention period and are no longer needed, dispose of them securely. For electronic documents, this means permanent deletion (not just moving to trash). For physical documents, shredding or secure destruction.

Document your retention periods in a retention schedule - a simple table listing document types and their minimum retention periods. This becomes part of your ISMS documentation.
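As an added example (not part of the original post and not 27kay's own tooling), the following Python script applies the version-control and retention rules from the two sections above to a constructed document inventory: it flags superseded versions still sitting in the active folder, documents without a usable version number, document types missing from the retention schedule, and records whose minimum retention period has elapsed and are therefore eligible for disposal. The retention schedule, document identifiers, dates and the "active"/"archive" location labels are assumptions for illustration.

```python
"""Audit an ISMS document inventory against version-control and retention rules.

Added example: the schedule, identifiers and dates below are constructed.
"""
import re
from dataclasses import dataclass
from datetime import date

# Constructed retention schedule: document type -> minimum retention in years,
# counted from the record's date. None means "retain while current" (policies
# and procedures are superseded rather than disposed of on a fixed date).
RETENTION_YEARS = {
    "policy": None,
    "risk_assessment": 3,
    "audit_report": 3,
    "management_review": 3,
}

VERSION_RE = re.compile(r"^v(\d+)\.(\d+)$")  # expected label: vMAJOR.MINOR


@dataclass(frozen=True)
class Document:
    doc_id: str     # identifier shared by all versions of one document (constructed)
    doc_type: str   # key into RETENTION_YEARS
    version: str    # version label as written in the document header
    doc_date: date  # date of this version / record
    location: str   # "active" (in circulation) or "archive" (restricted folder)


def parse_version(label):
    """Return (major, minor) for a 'vMAJOR.MINOR' label, or None if malformed."""
    m = VERSION_RE.match(label)
    return (int(m.group(1)), int(m.group(2))) if m else None


def latest_versions(docs):
    """Map each doc_id to the highest parseable version tuple in the inventory."""
    latest = {}
    for d in docs:
        v = parse_version(d.version)
        if v is not None and (d.doc_id not in latest or v > latest[d.doc_id]):
            latest[d.doc_id] = v
    return latest


def disposal_due(doc, today):
    """True once the record's minimum retention period has elapsed."""
    years = RETENTION_YEARS.get(doc.doc_type)
    if years is None:
        return False
    try:
        expiry = doc.doc_date.replace(year=doc.doc_date.year + years)
    except ValueError:  # 29 February in a non-leap target year
        expiry = doc.doc_date.replace(year=doc.doc_date.year + years, day=28)
    return today >= expiry


def audit(docs, today):
    """Return (doc_id, version, finding) tuples for every control gap found."""
    findings = []
    latest = latest_versions(docs)
    for d in docs:
        if d.doc_type not in RETENTION_YEARS:
            findings.append((d.doc_id, d.version, "document type missing from retention schedule"))
        v = parse_version(d.version)
        if v is None:
            findings.append((d.doc_id, d.version, "no valid version number (expected vMAJOR.MINOR)"))
            continue
        if d.location == "active" and v < latest[d.doc_id]:
            findings.append((d.doc_id, d.version, "superseded version still in active folder"))
        if disposal_due(d, today):
            findings.append((d.doc_id, d.version, "retention period elapsed, eligible for disposal"))
    return findings


# Constructed inventory covering each failure mode once.
INVENTORY = [
    Document("POL-001", "policy", "v1.0", date(2022, 1, 10), "archive"),
    Document("POL-001", "policy", "v2.0", date(2024, 3, 5), "active"),
    Document("PROC-004", "policy", "v1.0", date(2023, 6, 1), "active"),   # superseded, not archived
    Document("PROC-004", "policy", "v1.1", date(2024, 9, 12), "active"),
    Document("RA-2021", "risk_assessment", "v1.0", date(2021, 2, 1), "archive"),  # past 3-year retention
    Document("RA-2024", "risk_assessment", "v1.0", date(2024, 2, 1), "active"),
    Document("AUD-2023", "audit_report", "final", date(2023, 11, 20), "active"),  # no version number
    Document("CERT-SUP-01", "supplier_certificate", "v1.0", date(2024, 5, 1), "active"),  # type not scheduled
]

if __name__ == "__main__":
    for doc_id, version, finding in audit(INVENTORY, date(2025, 6, 1)):
        print(f"{doc_id} {version}: {finding}")
```

Run on the constructed inventory with a reference date of 2025-06-01, the audit reports four findings: PROC-004 v1.0 still active beside v1.1, RA-2021 past its three-year minimum, AUD-2023 lacking a version number, and CERT-SUP-01 belonging to a type the retention schedule never mentions. In practice the inventory would be exported from the collaboration platform's metadata rather than typed by hand, and the schedule would be the retention table described above.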

External documents

The clause also covers documented information of external origin that the organization determines is necessary for the ISMS. Common examples include:

  • The ISO 27001 standard itself
  • Regulatory texts (GDPR, NIS2)
  • Customer contractual requirements
  • Supplier certifications and audit reports
  • Industry guidelines or sector-specific standards

External documents need to be identified, available to the people who need them, and kept current. When a regulation updates or a supplier renews their certification, your system should reflect that.

Connecting 7.5.3 to the rest of your ISMS

Clause 7.5.1 connection. Clause 7.5.1 defines what documentation your ISMS needs. Clause 7.5.3 ensures that documentation remains controlled throughout its lifecycle.

Clause 7.5.2 connection. Clause 7.5.2 covers creation and updating. When a document is updated under 7.5.2, the version control and distribution requirements of 7.5.3 apply - the new version replaces the old, and affected parties are informed.

Clause 9.2 connection. Internal auditors check document control as part of nearly every audit. If documents are inaccessible, outdated, or uncontrolled, that is a 7.5.3 finding.

Annex A control A.5.33. The Annex A control on protection of records aligns directly with 7.5.3. Records must be protected from loss, destruction, falsification, unauthorized access, and unauthorized release.

What auditors check

Document accessibility. Auditors ask employees to locate specific documents - the security policy, the incident response procedure, the risk treatment plan. If people cannot find them quickly, document control is not working.

Version currency. Auditors check whether the documents people reference are the current versions. Finding an employee working from a two-year-old version of a procedure while a newer version exists somewhere else is a classic finding.

Access controls. Auditors verify that sensitive documents (risk assessments, audit reports, vulnerability scan results) are not accessible to everyone. They also check that documents intended for all employees (the security policy) are actually accessible to them.

Retention evidence. Auditors check whether historical records exist - previous risk assessments, earlier audit reports, past management review minutes. If these have been deleted or cannot be found, it raises questions about the organization’s records management.

External document management. Auditors ask which version of regulatory or contractual requirements the organization is working from. If you reference GDPR requirements but are using a pre-2018 interpretation, that is a gap.

Common mistakes to avoid

No single source of truth. The most common issue. ISMS documents scattered across multiple platforms - some in Google Drive, some in Confluence, some attached to emails, some on local laptops. Consolidate into one platform and direct everyone there.

Access controls that are too open or too tight. Making everything accessible eliminates confidentiality. Making everything restricted means people cannot find what they need. Match access to roles - policies broadly accessible, sensitive records restricted.

No disposal process. Organizations often think about creating and storing documents but forget about disposing of them. Outdated documents that remain indefinitely create confusion and potential compliance issues. Define retention periods and actually follow them.

Treating version control as optional. Without version control, it is impossible to tell which document is current. When two versions of a policy contain conflicting information and neither has a version number, auditors cannot determine what the organization’s actual position is.

Ignoring external documents. Many organizations control internal documents well but have no process for tracking regulatory updates, customer contract changes, or supplier certification renewals. These gaps lead to the ISMS operating against outdated requirements.

How 27kay can help

We help organizations set up document control processes that satisfy auditors without creating unnecessary overhead. As part of ISO 27001 implementation, we establish the folder structure, access controls, naming conventions, retention schedules, and version control workflow - tailored to the platforms your team already uses. For the full picture, see our ISO 27001 knowledge hub.

Not sure whether your document control is audit-ready? Get in touch - we will review your setup and identify the gaps before your auditor does.