Module 4: Compliance & Certification

Documentation Requirements


Documentation Requirements for ISO 27018

Comprehensive documentation is essential for ISO 27018 certification. This lesson covers all required policies, procedures, and records.

Documentation Structure

Level 1: Policies (Strategic)

High-level statements of intent and commitment

Level 2: Procedures (Tactical)

Step-by-step instructions for implementing policies

Level 3: Work Instructions (Operational)

Detailed tasks and forms

Level 4: Records (Evidence)

Proof of implementation and compliance

Required ISO 27018 Documentation

1. Privacy Policy

Purpose: Public statement of PII handling practices

Required Content:

  • What PII is collected
  • How PII is used
  • Data sharing and disclosure
  • Data retention periods
  • Data subject rights
  • Security measures
  • International transfers
  • Contact information

Format: Publicly accessible, plain language
Review Frequency: Annually or when changes occur

2. Data Processing Agreement (DPA)

Purpose: Contract between CSP and customers defining PII processing

Required Clauses:

  • Processing instructions
  • Data locations
  • Sub-processors
  • Security obligations
  • Audit rights
  • Breach notification
  • Data return/deletion
  • Liability

Format: Legal contract
Review Frequency: With each customer engagement

3. Data Processing Register (ROPA)

Purpose: Inventory of all PII processing activities

Required Information:

  • Controller/processor identification
  • Processing purposes
  • Data categories
  • Data subjects
  • Recipients
  • International transfers
  • Retention periods
  • Security measures

Format: Database or spreadsheet
Update Frequency: Continuous, reviewed quarterly

Template:

Processing Activity: Customer Account Management
Controller: Example Corp
Processor: Example Corp Cloud Services
Purpose: Provide cloud services
Legal Basis: Contract
PII Categories: Name, email, company, payment token
Data Subjects: Business customers
Recipients: Sub-processors (payment processor, email service)
Retention: Active account + 30 days
Security: Encryption, access controls, audit logging
Cross-border: US → EU (SCCs)
Last Updated: 2025-12-08

4. Information Security Policy

Purpose: Overall security framework

Required Sections:

  • Scope and objectives
  • Roles and responsibilities
  • Risk management approach
  • Asset classification
  • Access control principles
  • Cryptography standards
  • Physical security
  • Incident management
  • Business continuity
  • Compliance requirements

5. PII Processing Procedures

Required Procedures:

  • Consent management procedure
  • Data subject rights fulfillment procedure
  • Data retention and deletion procedure
  • Data breach response procedure
  • Sub-processor management procedure
  • Cross-border transfer procedure
  • Privacy impact assessment procedure
  • Staff training procedure

Example Procedure Format:

PROCEDURE: Data Subject Access Request (DSAR)

1. PURPOSE
   Enable data subjects to exercise their right of access

2. SCOPE
   All PII processed by the organization

3. RESPONSIBILITIES
   - Privacy Team: Process requests
   - IT: Retrieve data
   - Legal: Review disclosures

4. PROCEDURE
   4.1 Request Receipt
       - Log in DSAR tracking system
       - Verify identity
       - Clarify scope if needed

   4.2 Data Retrieval
       - Search all systems
       - Compile PII records
       - Verify completeness

   4.3 Review
       - Redact third-party info
       - Legal privilege check
       - Security review

   4.4 Disclosure
       - Secure delivery method
       - Within 30 days
       - Confirmation of receipt

5. RECORDS
   - DSAR log
   - Identity verification
   - Data package
   - Delivery confirmation

6. REFERENCES
   - Privacy Policy
   - GDPR Article 15
   - ISO 27018 Section X

6. Risk Assessment Documentation

Purpose: Identify and mitigate privacy risks

Required Content:

  • Risk assessment methodology
  • Asset inventory
  • Threat identification
  • Vulnerability assessment
  • Risk treatment plans
  • Residual risk acceptance

Format: Risk register
Update Frequency: Annually or after significant changes

7. Sub-processor Registry

Purpose: Transparency on third-party PII processors

Required Information:

  • Sub-processor name
  • Services provided
  • PII access
  • Data locations
  • Certifications
  • Date added
  • DPA status

Format: Publicly accessible webpage
Update Frequency: Real-time

8. Security Controls Documentation

Required Documentation:

  • Encryption standards
  • Access control matrix
  • Network diagram
  • System inventory
  • Configuration baselines
  • Vulnerability management records
  • Penetration test reports
  • Security assessments

9. Training Records

Purpose: Demonstrate staff competency

Required Records:

  • Training materials
  • Attendance logs
  • Completion certificates
  • Competency assessments
  • Annual refresher records

Retention: Duration of employment + 3 years

10. Incident Response Documentation

Purpose: Manage and learn from security incidents

Required Documentation:

  • Incident response plan
  • Incident classification matrix
  • Escalation procedures
  • Breach notification templates
  • Incident logs
  • Post-incident reviews

11. Audit and Compliance Records

Purpose: Demonstrate ongoing compliance

Required Records:

  • Internal audit reports
  • External audit reports
  • Certification certificates
  • Compliance assessments
  • Corrective action plans
  • Management reviews

Retention: 3-7 years

12. Data Subject Rights Records

Purpose: Evidence of rights fulfillment

Required Records:

  • Access requests and responses
  • Correction requests
  • Deletion requests
  • Consent records
  • Objection requests
  • Portability requests

Retention: 3 years after resolution

Documentation Management

Version Control

Best Practices:

  • Unique version numbers
  • Change history log
  • Approval signatures
  • Effective dates
  • Previous versions archived

Template:

Document: Privacy Policy
Version: 3.2
Effective Date: 2025-01-15
Previous Version: 3.1 (2024-06-01)
Approved By: Jane Doe, DPO
Changes: Updated sub-processor list, added new data category

Document Distribution

Controlled Distribution:

  • Internal policies: Intranet, training sessions
  • Public policies: Website, customer portal
  • Contractual documents: Secure exchange with customers
  • Audit evidence: Secure repository for auditors

Document Review Schedule

Annual Review:

  • All policies and procedures
  • Risk assessments
  • Sub-processor agreements
  • Training materials

Quarterly Review:

  • Data processing register
  • Sub-processor registry
  • Incident logs
  • Access control matrix

Continuous Update:

  • Audit logs
  • Incident records
  • Training records
  • Consent records

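An added helper, not part of the lesson, that reads records laid out like the version-control template above and flags documents whose review window under the review schedule has elapsed; the `Review:` cadence field and the sample records are assumptions, and continuously updated records are skipped because they have no review deadline:

```python
from datetime import date, timedelta

# Maximum days between reviews for each cadence in the lesson's
# review schedule; None means the record is updated continuously.
REVIEW_FREQUENCY_DAYS = {"annual": 365, "quarterly": 91, "continuous": None}

# Constructed sample records in the lesson's version-control template
# layout, plus an assumed "Review:" field naming the cadence.
SAMPLE_RECORDS = """\
Document: Privacy Policy
Version: 3.2
Effective Date: 2025-01-15
Review: annual

Document: Sub-processor Registry
Version: 1.7
Effective Date: 2025-09-01
Review: quarterly
"""

def parse_records(text):
    """Split blank-line-separated 'Key: Value' blocks into dicts."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records

def overdue_reviews(records, today_iso):
    """Return names of documents whose review window has elapsed."""
    today = date.fromisoformat(today_iso)
    overdue = []
    for rec in records:
        # Unknown cadence raises KeyError rather than silently passing.
        days = REVIEW_FREQUENCY_DAYS[rec["Review"].lower()]
        if days is None:
            continue  # continuously updated records have no review deadline
        effective = date.fromisoformat(rec["Effective Date"])
        if today > effective + timedelta(days=days):
            overdue.append(rec["Document"])
    return overdue
```

Run against the audit date to produce the list of documents an auditor would find out of cadence.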
Certification-Specific Documentation

Statement of Applicability (SoA)

Purpose: Declare which ISO 27018 controls apply

Format:

Control          | Applicable | Implementation Status | Justification
CLD.6.3 Consent  | Yes        | Implemented           | Consent management system deployed
CLD.7.2 Access   | Yes        | Implemented           | RBAC with MFA

Internal Audit Reports

Required Content:

  • Audit scope
  • Audit methodology
  • Findings and observations
  • Non-conformities
  • Corrective actions
  • Follow-up schedule

Frequency: Annually (full scope), quarterly (sampling)

Management Review Records

Required Content:

  • Performance metrics
  • Audit results
  • Incidents and breaches
  • Changes to controls
  • Resource needs
  • Continual improvement initiatives

Frequency: Quarterly

Documentation Checklist

Strategic Level:

  • Privacy Policy (public)
  • Information Security Policy
  • Risk Management Policy
  • Acceptable Use Policy
  • Data Protection Policy

Operational Level:

  • Consent management procedure
  • Data subject rights procedure
  • Data retention procedure
  • Deletion procedure
  • Breach response procedure
  • Sub-processor management procedure
  • Transfer procedure
  • Training procedure

Records and Evidence:

  • Data processing register
  • Sub-processor registry
  • Risk assessments
  • Audit logs (1 year minimum)
  • Training records
  • Incident records
  • Consent records
  • DSAR records
  • Internal audit reports
  • External audit reports
  • Management reviews
  • Certifications

Technical Documentation:

  • System architecture diagrams
  • Data flow diagrams
  • Network diagrams
  • Encryption standards
  • Access control matrix
  • Configuration baselines

Contractual:

  • Data Processing Agreements
  • Sub-processor DPAs
  • Standard Contractual Clauses
  • Customer agreements

Audit Readiness

Documentation Availability:

  • Organized in logical structure
  • Indexed for easy retrieval
  • Current versions readily accessible
  • Evidence readily available
  • Contact persons identified

Quality Checks:

  • No conflicting information
  • Dates are current
  • Approvals present
  • Version control maintained
  • Plain language used

Next Lesson: Gap analysis process - identify and address compliance gaps before certification audit.
