Scanning documents and ISO-27001

We are planning to submit a project to our managers about scanning all our office papers and dealing with PDFs instead of physical-format documents.

For doing that, we are looking for some support, if there is any, for claiming that scanning documents is a good practice that is aligned to ISO/IEC 27001 policies.

We know that the main purpose of an ISMS, based on ISO/IEC 27001 requirements, is to reduce the risk of losing information or unauthorized access to it.

However, do you think that we could align the activity of scanning documents with ISO/IEC 27001 recommendations? We were thinking that getting PDF files reduces the risk of losing physical-format documents, because file backup procedures are more secure than protecting papers.
Asked by miyahira

btan (Exec Consultant) commented:
In fact, a digital copy makes it even easier to be lost ... unless it is safeguarded with appropriate controls and measures. Digital is good for long-term archival as compared to physical for audit trail and future investigation though, capacity planning (to avoid unnecessary data flood or denial of service/outage due to storage and resource denial), and access right mgmt with identity tagged to each digital copy seamlessly for enterprise policy enforcement and tracking etc.

Maybe we can see it from the other view instead ... to align, the best principle in security is data confidentiality, integrity and availability. So taking more into 27002 (practices instead), you are looking at handling the threat of data leakage and tampering. Note that 27001 key controls are "parked" under "Annex A Reference control objectives and controls", which is also aligned to 27002. Hence below can be some to consider for use case relevance.
 
27001
a) The results of the risk assessments and the decisions regarding risk treatment as part of the threat stated may be included as the reason for scanning, but as stated, the "new" scheme needs to fulfil the principle also so that it is not opening another can of worms...

27002
a) Human resource security (Termination and change of employment, such as returning corporate information and equipment in their possession, updating their access rights)
b) Asset mgmt (Responsibility for assets, Information classification and Media handling)
c) Access control (Business requirements of access control, User access management and System and application access control)
d) Cryptography (Cryptographic controls on the use of encryption, plus cryptographic authentication and integrity controls such as digital signatures and message authentication codes, and cryptographic key management)
e) Operations management (Operational procedures and responsibilities, Logging and monitoring, Information systems audit considerations)

Having the scanned version still able to achieve the "mouthful" above control measures... some technology such as digital rights mgmt is also good to explore.
e.g. Adobe DRM : https://www.adobe.com/manufacturing/resources/drm/
e.g. Lizard DRM: http://www.locklizard.com/pdf_security_drm.htm