00 Procedure for Document and Record Control

1. Purpose, scope, and users

The purpose of this procedure is to ensure control over the creation, approval, distribution, usage, and updates of documents and records (also called: documented information) used in the Information Security Management System (ISMS) and for compliance with the EU GDPR.

This procedure is applied to all documents and records related to the ISMS, regardless of whether the documents and records were created inside Resolver or whether they are of external origin. This procedure encompasses all documents and records, stored in any possible form – paper, audio, video, etc.

Users of this document are all employees of Resolver inside the scope of the ISMS.

2. Reference documents

  • ISO/IEC 27001:2013 standard, clause 7.5
  • Information Security Policy
  • Corporate Data Handling Policy
  • Data Retention Policy

3. Control of internal documents

Internal documents are all documents created inside the organization.

3.1 Document formatting

The document text is written using Resolver’s official Document Templates located at https://www.resolver.com/brand/

The document header contains the organization name and confidentiality level, document name, current version, and date of the document.

Every document must also define its users and owner.

3.2 Document approval

All documents, regardless of whether they are new documents or new versions of existing documents, must be approved by CISO or COO (CFO) or VP of Talent and Culture (VP HR).

Documents are approved in the following way: approval person will approve the document via e-mail, an entry in the “Change History” of the table of the document, or through the “Policy Management” App at Resolver Core platform: https://core.resolver.com

3.3 Publishing and distributing documents; withdrawal from use

3.3.1 Documents with the lowest confidentiality level

In case of documents to which access is allowed for all employees within ISMS/GDPR scope, the Information Security Analyst must publish them on the intranet: at InfoSec Space at Confluence portal and in the shared folder in Box with reading rights only. When a new document or new document version is published, the Information Security Analyst must inform all employees listed as users of the document by e-mail. If a printed version of the document must be delivered to some employees, this is the responsibility of the Information Security Analyst.

If there is an older version of the document, the Information Security Analyst must delete it from the valid documents folder and move it to the backup folder If there are older versions of printed documents, the Information Security Analyst must collect all such documents and destroy all copies except the signed original, which must be duly stored – such originals must be marked as “Obsolete” using a marker pen.

3.3.2 Documents with the higher confidentiality level

Documents which have a higher confidentiality level, as specified in the “A.8.2 Resolver Corporate Data Handling Policy”, and of which distribution is limited, are published by the document owner on the intranet with reading rights only, in a folder to which access is granted only to persons specified on the document’s distribution list.  The document owner must send an e-mail notification about such a document to all persons on the distribution list.

If there is an older version of the document, the document owner must delete it from the valid documents folder and move it to the folder containing obsolete documents, which can be accessed only by persons specified on the document distribution list.

3.4 Document updates

The person listed as the document owner has the responsibility for updating the document. Updates are performed in line with the frequency defined for each document, but at least once a year.

All changes to the document must be made using “Track Changes,” making visible only the revisions to the previous version, and must be briefly described in the “Change History” table; if the Track changes option is unavailable, or if the changes are too numerous, then the Track changes option is not used.

Each document should preferably have a “Change History” table used to record every change made to the document.

 3.5 Records availability

All Resolver’s Information Security Management System (ISMS) documentation should be available in the company file-sharing system in PDF format and accessible from anywhere: intranet and internet protected by authentication.

The link to the shared folder published at Resolver’s Confluence page in InfoSec space.

3.6 Records control

Each internal document in the ISMS/for GDPR must define how records resulting from the use of such a document should be managed, i.e. it must specify the following: (1) record/document title, (2) storage location, (3) person responsible for storage, (4) controls for record protection and (5) retention time. For all other records, the retention time is defined through the Data Retention Policy.

Employees of the organization may access stored records only after obtaining permission from the person designated as the person responsible for storing individual records. If the sensitivity of certain records is such that permission for access must be obtained from a different person, this must be stated in the concerned internal document in the chapter describing records control.

Access and retrieval rights for records are determined by the owner of individual records. [Job title] is responsible for destroying all records of which the retention time has expired.

4. Validity and document management

This document is valid as of July 2020.

The owner of this document is an Information Security Analyst who must check and, if necessary, update the document at least once a year.

When evaluating the effectiveness and adequacy of this document, the following criteria need to be considered:

  • Number of obsolete or out-of-date documents
  • Number of documents that were not distributed to intended employees
  • Number of documents for which no record is kept or which are not appropriately stored

EFFECTIVE ON: September 2020

REVIEW CYCLE: Annual at least and as needed

REVIEW, APPROVAL & CHANGE HISTORY: Last time reviewed and approved in August 2020 by Resolver’s Information Technology Security team.