Document Control Procedure
- Document ID: PROC-006
- Document owner: Jan Marc Castlunger (ISO)
- Classification: Confidential
- Version: 1.0
- Approved: March 2026
- Next review: March 2027
- Frameworks: ISO 27001 (7.5) | SOC 2 (CC1.4)
1. Purpose
This procedure defines how ISMS documentation is created, approved, distributed, reviewed, and retained. It ensures all documents are current, authorised, and accessible to those who need them.
2. Scope
All documented information required by the ISMS, including:
- Policies (POL-xxx)
- Procedures (PROC-xxx)
- Registers (REG-xxx)
- Templates
- Audit reports and records
- Evidence artefacts
3. Document Identification
3.1 Naming Convention
| Document Type | ID Format | Example |
|---|---|---|
| Policy | POL-NNN | POL-001 (Information Security Policy) |
| Procedure | PROC-NNN | PROC-001 (Incident Response Plan) |
| Register | REG-NNN | REG-001 (Asset Register) |
| Template | TMPL-NNN | TMPL-001 (Incident Report) |
3.2 Required Metadata
Every ISMS document must include:
| Field | Description |
|---|---|
| Document ID | Unique identifier per naming convention |
| Document owner | Person responsible for content accuracy |
| Classification | Per Data Classification Policy |
| Version | Semantic version (Major.Minor) |
| Approved date | Date of last approval |
| Next review date | When the document must be reviewed |
| Framework references | ISO 27001 and SOC 2 control references |
4. Document Lifecycle
4.1 Creation
- Author drafts document using the appropriate template
- Document ID assigned per naming convention
- All required metadata fields populated
4.2 Review and Approval
| Document Type | Reviewer | Approver |
|---|---|---|
| Policy | Jan Marc Castlunger (ISO) + relevant stakeholders | Jan Marc Castlunger (ISO) |
| Procedure | Control owner | Jan Marc Castlunger (ISO) |
| Register | Data owner | Jan Marc Castlunger (ISO) |
| Template | Jan Marc Castlunger (ISO) | Jan Marc Castlunger (ISO) |
4.3 Distribution
- All ISMS documents are stored in this Git repository (source of truth)
- Published via MkDocs to the ISMS portal (read-only access via Cloudflare Access)
- Controlled copies (if distributed outside the portal) must be tracked
4.4 Version Control
- All changes are tracked via Git (commit history)
- Minor changes (typos, formatting): increment minor version (e.g. 1.0 -> 1.1)
- Major changes (policy changes, new controls): increment major version (e.g. 1.1 -> 2.0)
- All significant changes are recorded in the Changelog
4.5 Review
- All policies and procedures are reviewed annually (at minimum)
- Reviews may be triggered by: incidents, audit findings, regulatory changes, organisational changes
- Review dates are tracked in each document header and the Audit Schedule
4.6 Archival and Disposal
- Superseded versions are retained in Git history (indefinite retention)
- Documents no longer required are marked as deprecated before removal
- Minimum retention period for audit evidence: 3 years
5. Access Control
| Role | Access Level |
|---|---|
| Jan Marc Castlunger (ISO) | Full read/write to all ISMS documents |
| Sebastian Windeck (DPO) | Read/write to privacy and data protection documents |
| Sebastian Windeck (CTO) | Read/write to technical controls and procedures |
| All employees | Read access to policies and procedures |
| External auditors | Temporary read access (granted per audit engagement) |
6. Records Management
| Record Type | Minimum Retention | Storage Location |
|---|---|---|
| Policies and procedures | Current + 3 years history | Git repository |
| Audit reports | 3 years | Google Drive > Security > Audits |
| Incident records | 3 years | Google Drive > Security > Incidents |
| Management review minutes | 3 years | Google Drive > Security > Management Reviews |
| Training records | Duration of employment + 2 years | Google Workspace |
| Corrective actions | 3 years | Google Drive > Security > Corrective Actions |
7. Review
This procedure is reviewed annually by the ISO.
Approved by: Jan Marc Castlunger (CEO / ISO), CTW Data Solutions GmbH
Date: March 2026