Documentation and Records Management for ISO Certification

Documentation and records management is at the heart of many certification and compliance programs today. It’s also just good business practice. According to a widely cited study by Information Week, between 3% and 5% of an organization’s files are lost or misplaced at any given time, and the average cost of recreating a document is $180. The result is that a company with 1 million files could be losing as much as $5 million per year due to lost records alone!

In a previous article, we outlined what ISO certification is and the benefits for companies. In this article, we look more closely at the documentation and records management requirements.

Note: Several ISO standards mandate documentation and records management (there’s even an entire standard dedicated to it). While our focus here is on the ISO/IEC 27000 series on information security, much of the information is relevant across other standards as well.

Documentation and records: Definitions

The recordkeeping requirements of ISO/IEC 27000:2016 focus on “documented information,” which is “information required to be controlled and maintained by an organization and the medium on which it is contained.” There are three main components of documented information:

  • Documentation: information created in order for the organization to operate
  • Records: evidence of results achieved
  • The management system, including related processes

So, documentation includes things like visitor policies and risk assessment procedures, while records are evidence that these policies and procedures have been carried out. For example, these things are all types of records:

  • Incident reports
  • HR records
  • Training records
  • Audit reports
  • And, of course, visitor logs

How should documentation and records be managed?

A complete discussion of documentation and records management under ISO standards is beyond the scope of this article. What we can do is give you an overview of kinds of questions an auditor might seek answers to when assessing your company for ISO certification.

  • Who has access to what records and what kind of access do they have?
  • Where are records stored and how are they protected?
  • How is version control handled?
  • How long are records stored and how are they disposed of?

Why is a visitor management system important?

ISO certification doesn’t require you to use a visitor management system. However, if you keep visitor logs, then those logs are considered records and they must meet the documented information requirements. A visitor management system helps you achieve this goal in several ways:

  • Ensuring your records are complete and accurate
  • Securing your visitor log so that only designated people have access to it
  • Providing visitor log exports so you can generate reports on-demand

In her article introducing the new general records management standard, Elizabeth Gasiorowski-Denis wrote:

“How we make and keep records today can have far-reaching consequences – think about records of our climate, or buildings and other infrastructure that depend on records to be maintained. There is no sector or part of society that cannot afford to pay attention to the making and keeping of records, especially in the age of digital disruption and change that we live in.”

At The Receptionist, we’re committed to helping you tame one part of the recordkeeping madness by providing you with a simple, efficient way to track visitors in and out of your office. Sign up for your free trial today.

Share this Post