Tier A · fully supported end-to-end

ISO 27001 document control for information security

Access-controlled documents and a full audit trail for your ISMS documentation.

ISO 27001 requires controlled access to documented information, a defensible audit trail of who read or changed it, and a documented lifecycle for every security policy and procedure in scope. docs365.ai is built to support those controls end-to-end, and it runs inside your Microsoft 365 tenant — no data leaves your security perimeter, no new vendor joins your ISMS scope.

Book a free assessment


What an ISO 27001 auditor looks for in document control

ISO 27001 Annex A includes multiple controls that touch documented information directly: A.5 (policies), A.8 (asset management including information classification), A.7 (information transfer), and the core requirements of clauses 7.5.1–7.5.3 (documented information).

For ISMS documentation specifically — security policies, procedures, risk treatment plans, incident-response runbooks, system-specific SOPs — the auditor will expect:

  1. Controlled authorship — the document came from a known author, through a known process.
  2. Approval by authorized persons — and the record of who approved.
  3. Controlled access — only the people who need the document can see it, at the level of granularity the classification requires.
  4. Version discipline — the current version is unambiguous, prior versions are preserved.
  5. Audit trail — every modification, every access decision, every approval is recorded.
  6. Integrity protection — documents can’t be altered outside the controlled process.

These are the same fundamentals ISO 9001 asks for, tightened around information-security concerns.


How this product supports ISO 27001 document control

Role-based access. The SharePoint permissions model gives per-document and per-library granularity. The editing area and the public area have separate permission sets. Sensitive document types can have their own tighter permission scope. The customer’s existing Entra (Azure AD) groups and conditional-access policies apply without modification.

Complete audit log. Every action on every document is logged — author, timestamp, version, comments. For ISMS documentation this is the record that demonstrates control over documented information has been exercised continuously, not just at moments when an auditor was watching.

Versioning with preserved history. Minor and major versioning with full history preservation. If an auditor asks to see the state of a specific security policy on a specific date, the exact version is recoverable — not a reconstruction.

Template-driven creation. Every ISMS document starts from a governed template. Security-classification metadata (if configured) lives on the document as a first-class field, drives filtering, and appears in the Power BI dashboard for ISMS reporting.

Integrity during approval. The document is automatically checked out during the approval flow — it cannot be altered while approvals are in progress. Approved PDFs in the public area are not editable.

Why “inside your tenant” matters for your ISMS scope

Every new vendor you add to your technology stack expands your ISMS scope. Every new vendor requires evaluation, contract review, annual supplier assurance, and inclusion in the supplier risk register. It’s real work, and it’s why most CISOs prefer not to add tools when they don’t have to.

docs365.ai runs inside your existing Microsoft 365 tenant. Data stays in Microsoft’s infrastructure — the same infrastructure you’ve already evaluated, contracted for, and included in your ISMS. There is no second data boundary to assess. There is no new sub-processor to list. Microsoft’s ISO 27001 certification, SOC 2 attestations, and regional data-residency commitments apply without change.

The product code itself runs as an Azure application in the customer’s Azure subscription (see §11 of the product documentation for infrastructure details). Ongoing operational costs sit inside the customer’s existing Azure spend.

A practical walkthrough — ISMS document lifecycle

Consider an information-security procedure for handling access-review evidence. In a typical ISO 27001-certified organization, this document is authored by the Information Security Manager, approved by the CISO, made accessible to IT operations staff who execute access reviews, and reviewed on a defined cadence (usually annual).

With docs365.ai:

  1. Create. The ISM opens a new document from the “ISMS Procedure” template. Version 0.1. Protocol code populated automatically (e.g. ISMS-PROC-0042). Classification metadata set to “Internal”. Author captured from Entra.
  2. Draft. The ISM writes the procedure in Word Online, with the CISO as a reviewer leaving comments and @mentions.
  3. Approve. The ISM launches the approval flow. Sequence: CISO as final approver (configured as the fixed post-flow approver on all ISMS Procedure documents). The CISO receives the email, reviews, approves. Version becomes 1.0.
  4. Publish. The system converts the Word source to PDF and moves the document into the public area of the ISMS library. IT operations staff — granted read access to this library — see the current approved version. The editing area remains visible only to the ISM.
  5. Govern. Expiration date is set for 12 months from publication. In month 11, the system emails the ISM to review. In the meantime, every access to the document (in the audit log of SharePoint Online) and every modification attempt is recorded.

If the CISO’s external assessor asks to see how access-review procedures have been controlled over the past year, the audit log produces that evidence directly.

What the customer owns

The product supports ISO 27001 document control end-to-end for documented information that lives in SharePoint. It does not replace the broader ISMS — risk assessment, asset management, incident response, internal audit, management review, all the activities that constitute the ISMS itself. Certification of the customer’s ISMS remains between the customer and their accredited certification body.

What we’re saying is: for the document-control portion of ISO 27001, a SharePoint-native DMS configured as described above gives you a defensible, auditable, current library without requiring a separate platform.

Pairs well with ISO 9001

Many organizations are dual-certified: they hold ISO 9001 for quality management and add ISO 27001 when they handle customer data or run critical IT services. Because both standards share the document-control fundamentals, the same governed library structure and approval patterns serve both. No duplication of tooling, no second audit scope, no parallel systems.

See the companion ISO 9001 compliance page →.


FAQ

Is the product itself ISO 27001 certified? The product runs inside Microsoft 365, which is ISO 27001 certified. intranet.ai as a company is ISO 9001:2015 certified. ISO 27001 certification of intranet.ai as a company is not currently in scope — we point customers to Microsoft’s 27001 attestation for the infrastructure layer.

Does the product handle information classification automatically? No — classification is set as metadata by the author or as a default at the document-type level. The product enforces access based on SharePoint permissions, which customers configure to align with their classification scheme.

Can I use this for SOC 2 documentation? SOC 2 is a US attestation framework rather than an ISO standard, but the document-control fundamentals are similar. The product supports the same lifecycle — creation, approval, versioning, audit, retention — for SOC 2 policy and procedure documentation. Fit with your specific SOC 2 controls should be verified with your auditor.

What about encryption at rest? Data encryption at rest is handled by Microsoft 365 / SharePoint Online at the platform level, under Microsoft’s ISO 27001 scope. The product does not introduce additional encryption beyond what the platform provides.


Ready to align your ISMS documentation?

Book a free assessment — 30 minutes, no cost. We’ll walk through your current ISMS documentation library and identify where this product would change the shape of your document-control evidence.