Creating and updating
Plain English Translation
Clause 7.5.2 mandates that when you create or update any security document, you must follow specific rules to ensure it is trustworthy and usable. Every document needs clear identification (like a title, date, and author), a consistent and readable format, and most importantly, it must be reviewed and approved by a qualified person to ensure it is correct (suitable) and complete (adequate) before it is released to the team.
Technical Implementation
Required Actions (startup)
- Use a Wiki (e.g., Notion) where page history tracks versioning automatically
- Include a 'Last Updated By' and 'Approved By' line at the top of pages
- Define a simple template for all new policies
Required Actions (scaleup)
- Implement a 'Document Control Procedure' defining the review lifecycle
- Use ticketing systems (Jira) to track policy approval requests
- Standardize document formats (PDFs for final policies, Wiki for procedures)
Required Actions (enterprise)
- Deploy a dedicated GRC tool to automate annual review workflows
- Enforce digital signatures for executive policy approvals
- Automate version numbering and watermarking for draft vs. final documents
Clause 7.5.2 sets the rules for how ISMS documents are generated and modified, ensuring they are identifiable, properly formatted, and approved for quality before use.
You follow a standard process: Draft the content using an approved template, assign identification details (title/version), submit it for review, and obtain formal approval from a relevant authority. Tools like WatchDog Security's Policy Management can help enforce templates, route reviews to SMEs, and retain an approval trail for audits.
Documents must have attributes that distinguish them, typically including a unique title, date of issue, author or owner, version number, and reference number if applicable.
Documents should be formatted for usability and readability, considering the language of the workforce, software compatibility (e.g., PDF vs Word), and accessible media (electronic or paper).
Review and approval is the workflow in which a document is checked by a competent person (Review) to ensure it is accurate and then authorized by management (Approval) to confirm it is ready for implementation. WatchDog Security's Policy Management can record reviewers/approvers, timestamps, and the approved version so you can demonstrate suitability and adequacy.
Suitability means the document fits its purpose; adequacy means it is complete. This is ensured through peer reviews, subject matter expert checks, and testing procedures before approval.
Beyond the content itself, you must include metadata such as the document title, version, date, author, and approval status to meet the identification requirements.
While the standard doesn't set a universal frequency, best practice is to review documents at planned intervals (e.g., annually) or whenever significant changes occur to the organization or technology.
A common failure mode is having policies in multiple places with inconsistent metadata, unclear approvers, and no reliable audit trail. WatchDog Security's Policy Management helps standardize templates, capture required headers (version/owner/approver), and track review and acceptance so you can prove the document was approved before release and that staff acknowledged the current version.
Obsolete documents usually persist when there is no single source of truth and no controlled publishing workflow. WatchDog Security's Compliance Center can centralize the 'current' version as evidence, flag gaps where approval metadata is missing, and keep an audit-ready trail of updates so reviewers can confirm only approved, up-to-date documents are referenced during audits.
"When creating and updating documented information the organization shall ensure appropriate: a) identification and description (e.g. a title, date, author, or reference number); b) format (e.g. language, software version, graphics) and media (e.g. paper, electronic); and c) review and approval for suitability and adequacy."
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2025-05-27 | WatchDog Security GRC Team | Initial publication |