Why is ISO 27001 applicable also for paper-based information?

Although digital information has become the generally accepted standard for handling information, there are still situations where organizations use paper-based information, and this documentation must also be protected according to its sensitivity and importance to the business.

While it may be perceived as a standard aimed at digital information, ISO 27001, the leading ISO standard for information security management, can also be used to protect information held in physical documents. The ISO 27001 standard can therefore be applied to the threats and vulnerabilities specific to paper-based formats, and this article shows how organizations can do that.

Examples of paper-based information
Some people may think that paper-based information is something from the past, and that the norm is now to keep all information in a digital format, but this is not true. Examples of sensitive paper-based information we can find in organizations’ daily activities are:

  • handwritten notes made by the CEO during the organization’s strategic meetings
  • initial storyboards or specifications for new products or systems
  • sticky notes used to track the progress of the most critical projects

As you can see, sensitive paper-based information arises in situations where it may not be possible to use computerized information systems, where it is easier or faster for a person to write the information down, or where the systems used by the organization were not designed to handle that kind of information. So, you have to deal with such information in paper-based form and protect it accordingly.

Main threats and vulnerabilities related to paper-based information

Paper-based information shares common threats and vulnerabilities with information that exists on other media but, by their very nature, some of these threats and vulnerabilities can bring more risk to organizations:

Human error. People can lose documents, misplace them, or fill out

*** This is a Security Bloggers Network syndicated blog from The ISO 27001 & ISO 22301 Blog – 27001Academy authored by The ISO 27001 & ISO 22301 Blog – 27001Academy. Read the original post at: