Documentation – show that everything is under control

Documentation is about being able to account for having everything under control when it comes to topics like security, quality, risk, compliance, and governance.

On one hand, this involves making policies, procedures and controls explicit, including responsibilities for making decisions, responsibilities, segregation of duties and mandates.

On the other hand, this involves tracking actions and incidents accounting for precisely who did what, on which basis, and when. This is done, for instance, by keeping minutes of meetings, registering important decisions, keeping logs, tracking access to critical ressources, and keeping tap on system errors and human faults.


Doing this right will enable you to account, but aside from that, it is also key to being able to manage these areas, because how would you manage procedures, controls, access rights or even incidents if you do not track, register and from time to time review or even analyse these.
And it all comes together with risk management.
What needs to be kept track of will, depend on what you need to manage, and the risks associated. And all the issues found from reviewing these incidents, logs and documents feed right back to risk management.

All this is done to be able to account for what has actually taken place and that everything was handled correctly. What needs to be kept track of will, to a high extent, depend on the risk assessment.

How are these connected?

Basically, what recurs in all the disciplines mentioned is the need for keeping track. All the disciplines are part of assuring that the company can account for what is going on and that things are handled properly.

When to take action and who is responsible?

When it comes to who is responsible for the disciplines within risk, compliance, and security management, it will often be the manager of the process or product in question. All employees are, however, responsible for timely registration of incidents and execution of controls.

Compliance Officers and lawyers in the legal department often handle the central parts of compliance. All departments, however, need to be aware of the law within their field. If you are working in the marketing department, you need to know marketing law and the employees in the HR department have to know personnel law. In that sense, security is the responsibility of all employees and the awareness of security issues needs to be present in the entire organisation.

Procedure documentation

Managing procedure documentation includes four steps:

  1. Identification
  2. Description
  3. Evaluation and updating
  4. Account and handling recommendations



When defining or managing a procedure, you should always start by identifying:

  • Owner: Who is the owner of the procedure?
  • Purpose: What is the purpose of the procedure?
  • Results: What is the result of the procedure?
  • Assets: What essential assets are involved in the procedure (e.g., information assets, personnel, equipment, money)?
  • Stakeholders and roles: Who are the involved stakeholders – and who will be affected in case of outage or mistakes?
  • Requirements: What are the requirements related to the procedure or the assets involved, e.g., in terms of law, internal requirements, and rules?
  • Extent: What is the extent of the procedure, including number of clients involved and data quantity as well as frequency and peak time?
  • Incidents: What are the relevant incidents related to the procedure?
  • Risks: What are the potential risks and threats?
  • Key controls: Based on the identified risks and threats, the key controls must be developed, implemented, and evaluated.


After the identification, the next step is to document and update the procedure itself.

Documentation includes the purpose, owner, risks, controls, and reporting as well as a description of the main activities, and any relevant reference.

Evaluation and updating

In case of bigger changes related to the procedure’s main activities, risks and requirements will have to be re-evaluated and updated.

This should be done by taking a closer look at:

  • Incidents
  • Control effectiveness
  • Response and mitigation plans
  • Risks


By evaluating these, you will get an overview and be able to assess what incidents are likely to happen again and how to avoid them, whether the current controls are efficient, whether the response plans are working and if they have lead to a change of procedures. Finally, new potential risks will be revealed.

Account and handling recommendations

Being responsible for any significant procedure in the company, you should be able to account for that specific procedure: How is it carried out, what are the identified risks, and how we are ensuring that the necessary controls are organised?