31. HealthSafe Document and Data Control Policy



DOCUMENT AND DATA CONTROL POLICY



Document Identification: HSNZ/POL/31
Document Name: Document and Data Control Policy
Master Copy: CISO
Version Number: 1.3
Date of Release: 15 Aug 2023
Prepared By: Eparama Tuibenau, CISO
Approved By: Kevin McAfee, Managing Director



VERSION HISTORY


Sl No | Version No. (From) | Version No. (To) | Prepared by | Approved by | Description of Version | Date | Reason for Version Change
1 | 1.0 | - | CISO | MD | First Release | 14 Apr 2020 | No changes made
1 | 1.0 | 1.1 | CISO | MD | Updated | 04 Aug 2021 | Grammatical changes
1 | 1.1 | 1.2 | CISO | MD | Reviewed | 28 Jul 2022 | Annual review
1 | 1.2 | 1.3 | CISO | MD | Reviewed | 15 Aug 2023 | Annual review


DOCUMENT STATUS


Date | Document Status
14 Apr 2020 | Modified
04 Aug 2021 | Reviewed
28 Jul 2022 | Reviewed
15 Aug 2023 | Current


Table of Contents

1 Purpose
2 Scope
3 Input
4 Output
5 Interacting Process
6 Abbreviations, Acronyms and Definitions
7 Procedure
8 Monitoring the Process
9 Records





1 PURPOSE

This policy defines the controls applied to the documents of HealthSafe NZ, covering their approval, versioning, revision, control and implementation.


2 SCOPE

All documents that fall within the scope of the ISMS activities of HealthSafe NZ.


3 RESPONSIBILITIES

CISO, TL


4 INPUT

All documents pertaining to HealthSafe (projects/departments).


5 OUTPUT

Version Control Documents

Document Templates 

List of Approvals


6 PROCEDURE

A four-tier Information Security Management System documentation set is maintained by the CISO to meet the requirements of the ISO 27001:2013 standard.

The four tiers of ISO documentation are defined as:

  • Level 1: ISMS Manual
  • Level 2: Policies
  • Level 3: Annexes
  • Level 4: Templates/Formats/Records – Departmental

The preparing, approving and issuing authorities for each level of document are as follows.


Level | Description | Preparation | Approval | Issuing | Numbering System
01 | ISMS Manual | CISO | MD | CISO | HSNZ/ISMS/01
02 | Policies | CISO | MD | CISO | HSNZ/POL-XX
03 | Annexes | CISO | MD | CISO | HSNZ/ANX/XX
04 | Templates | ISMS Member | MD | CISO | HR: HSNZ/HR/T/BVR

Numbering key:

  • HSNZ/ISMS/01: HSNZ – Organisation Name; ISMS – Information Security Management System Manual; 01 – Version No.
  • HSNZ/POL-XX: HSNZ – Organisation Name; POL – Policies; XX – Serial No.
  • HSNZ/ANX/XX: HSNZ – Organisation Name; ANX – Annexure; XX – Serial No.
  • HSNZ/HR/T/BVR: HSNZ – Organisation Name; HR – Human Resource Department; T – Template; BVR – Background Verification Record


Level 1: Defines the HealthSafe NZ Information Security Management System with respect to the international ISO 27001:2013 standard. It also defines the scope of the company and the process details, and cross-references the policies.

Level 2: Describes the policies in detail, with a description of the activity each covers.

Level 3: Annexes.

Level 4: Templates, formats and records, department-wise.

Documents are controlled so that they are readily available and bear at least the version number, the revision dates, and the version and approval authority. The CISO is responsible for the generation and control of documentation at all tiers.

Documents are maintained by the individual process owner for the defined retention period.

Documents are shared electronically with all process owners.

Documents are destroyed, where relevant, on completion of their retention period by the disposition authority, which lies with the originator only. The disposition authority ensures that destroyed papers, CDs, USB sticks and portable hard drives are transferred to the scrap yard and placed in the specific scrap categories, because burning them is not permitted.


REVIEW, UPDATING AND RE-APPROVAL OF INTERNAL ORIGIN DOCUMENTS

  • All internal origin documents are reviewed and updated as necessary to ensure their ongoing suitability to the Information Security Management System. Such documents are reviewed frequently during internal ISMS audits and whenever a situation changes in the organisation.
  • After review and subsequent updating of internal origin documents, such documents are re-approved by the relevant authority.
  • All documents are available in the shared folder accessible by all HealthSafe employees (read-only for all relevant staff, with write capability for authorised staff). These documents, including templates, can only be edited by the CISO unless other staff have been authorised by the CISO.
  • Amendments to all documents are approved by the authority that approved the original document.
  • All amendments to a document are numbered as Version 1.0, 1.1, 2.0, etc., where applicable, and logs are kept of all amendments.
  • All revisions and amendments are detailed in every document.


VERSION OF DOCUMENTS

  • The version control authority and the maintenance of master copies of all documents are described on the first page of this procedure.
  • The master copy is also maintained as a soft copy.
  • The record of versions is maintained on the front page of the master copy.
  • The initial revision status of all documents is 01. Whenever a particular document is changed, its revision number is incremented.
  • If hard copies are required internally, they shall be stamped “CONTROLLED”. All other hard copies shall be stamped “UNCONTROLLED”.

CHANGE MANAGEMENT

  • Any employee can suggest changes to the documents. They notify the CISO of the change to be made by submitting a Document Change Request Form giving the reason for the change and other details. The CISO has the authority to make changes to the documents without raising a Document Change Request.
  • If the document is to be revised, the CISO obtains approval from the respective departments and authority. The CISO updates the Master List of Documents, revises the document and places the latest version in the shared folder.
  • The logs of changes are registered against the original document so that changes can be traced back when required.
  • The CISO communicates changes through the biweekly meetings and the biweekly newsletter when relevant.
  • For any change in people, process or product, the Management Team or staff shall inform the CISO, and the CISO will update the system or induct the people accordingly.

RECORD CONTROL

  • Relevant records are established for the effective operation and implementation of the ISMS and its controls. A master list of template records is maintained by the CISO. The master list specifies the template number, description, issue date, version number, version date, classification, retention period and disposition method.
  • Each functional head/in-charge shall be responsible for maintaining the records in their function, clearly specifying the code, description, responsibility and location in which the records are stored.
  • The list of records is referred to in the process procedures. Records are appropriately indexed, filed, stored, maintained and, after the retention period, disposed of by the process owner.

RECORD IDENTIFICATION

  • Records shall be identified by a template number and shall remain legible.

RECORD STORING & RETRIEVAL

  • Records shall be stored by department, by process or by project. Editable logs will bear positive identification. Records shall be maintained sequentially for easy retrieval.
  • For example, the Human Resource department maintains all employees' education, experience, skills, training, leave, remuneration and other employee-related records. The Management Representative maintains internal audit and management review records. Department heads maintain all operational and other records as referenced in the relevant ISMS system.

RECORD RETENTION TIME & DISPOSAL

  • The retention period and disposal mechanism for each record are specified in the Master List of Documents. All records are maintained in a suitable environment to prevent damage, deterioration or loss, and are stored and retained so that they are readily retrievable. Where contractually agreed, records will be made available to the customer or their representative for evaluation.
  • Due consideration shall be given to data/information requirements for future analysis or legal purposes when determining the retention period for each record. The department head shall be responsible for the disposal of records (destruction, or storage for legal purposes).
  • The originating authority is responsible for ensuring that all records are kept current and that retention periods are followed.

SOFT COPY RECORDS

  • All soft copy records shall be reviewed annually by the CISO to ensure they are kept up to date, unless an urgent change in the organisation requires an earlier update of the ISO documents and policies.


7 RECORDS

Master List of Documents