Document Control Procedure
Document Number: ISMS-PROC-DCL-01
Version: 0.1.0
Parent Policy: Document Management Policy (ISMS-POL-DCM-01)
Author: Lucas Shin — Security Director
Last Modified: March 4, 2026
1. Purpose
This procedure defines the step-by-step operational instructions for creating, reviewing, approving, distributing, revising, and retiring formally controlled documents within the Cybercraft ISMS.
All activities in this procedure implement the requirements of the Document Management Policy (ISMS-POL-DCM-01).
2. Document Creation
2.1 When to Create
A new formally controlled document is required when:
- A new policy, standard, procedure, or guideline is needed to address an identified gap
- A new system configuration requires documentation
- An evidentiary record (register, report, form, plan) is established
2.2 Creation Steps
| Step | Action | Owner |
|---|---|---|
| 1 | Identify the document's purpose classification (A. Normative / B. Instructional / C. Descriptive / D. Evidentiary) per ISMS-POL-DCM-01 §3.2 | Author |
| 2 | Determine the document type (Policy, Standard, Procedure, Guideline, System Configuration, Register, etc.) and L-hierarchy level if applicable | Author |
| 3 | Assign a Doc ID using the 4-segment scheme: System – Type – Domain – Sequence (e.g., ISMS-PROC-DCL-01). Verify the ID is unique in the Document Register | Author |
| 4 | Create the document with the standard header block (see §2.3) and a Document Control section at the end | Author |
| 5 | Register the document in the Document Register with: Doc ID, Title, Category, Status (Draft), Author, and creation date | Author |
| 6 | Assign initial version number as an odd minor (e.g., 1.1) to indicate draft status. The first approved release of any document is version 1.0; pre-approval drafts use 0.x (e.g., 0.1, 0.3) | Author |
2.3 Standard Header Block
All formally controlled documents shall include the following header:
Document Number: [Doc ID]
Version: [Major.Minor]
Parent Policy: [Parent document title and Doc ID, if applicable]
Author: [Name — Role]
Last Modified: [Date]
For L1 Policy and L2 Standard documents, the header shall additionally include:
Classification: [L-hierarchy level]
Effective Date: [Date of approval]
Approved By: [Name — Role]
Next Review Date: [Date]
3. Document Review and Approval
3.1 Review Triggers
- Scheduled review: Per the review cycle defined in ISMS-POL-DCM-01 §5.2
- Ad-hoc review: Upon significant organisational, technical, or regulatory change
- Initial approval: Before a new document is distributed for the first time
3.2 Approval Workflow
| Step | Action | Owner |
|---|---|---|
| 1 | Author completes the draft and self-reviews for accuracy, completeness, and consistency with related documents | Author |
| 2 | Author submits the document for approval to the designated approver per ISMS-POL-DCM-01 §5.1 (CISO for L1/L2; Security Director for L3/L4/C/D) | Author |
| 3 | Approver reviews the document and either: (a) approves, (b) requests changes, or (c) rejects with rationale | Approver |
| 4 | If changes requested: Author revises and resubmits (repeat from Step 1). Each revision increments the odd minor version (e.g., 1.1 → 1.3) | Author |
| 5 | Upon approval: Author increments the version to the next even minor (e.g., 1.1 → 1.2), updates the Document Control section, and records approval date | Author |
| 6 | Update the Document Register: set Status to Active, record approved version and date | Author |
4. Version Numbering
Version numbering rules (odd/even convention, major version criteria, distribution rule) are defined in ISMS-POL-DCM-01 §5.3. This section provides operational examples.
4.1 Scenario Examples
| Scenario | Version Action | Example |
|---|---|---|
| New draft (first revision after an approved release) | Increment to the next odd minor | 1.2 → 1.3 |
| Subsequent draft iteration | Increment to the next odd minor | 1.3 → 1.5 |
| Approval of a draft | Increment to the next even minor | 1.5 → 1.6 |
| Major structural or scope change (approved) | Increment major version, reset minor to .0 | 1.6 → 2.0 |
4.2 Document Control Section
Every formally controlled document shall end with a Document Control table recording:
| Field | Description |
|---|---|
| Version | Major.Minor version number |
| Date | Date of the version |
| Author | Person who made the changes |
| Changes | Brief description of what changed |
5. Document Distribution
5.1 Distribution Rules
| Step | Action | Owner |
|---|---|---|
| 1 | Verify the document is at an even minor version (approved). Odd minor versions must never be distributed. | Author |
| 2 | Store the approved document in the authorised document management system. Ensure the document resides in the correct location per its classification and the applicable storage protection policies. | Author |
| 3 | Notify affected personnel of the new or updated document via Teams channel announcement or email | Author |
| 4 | If the document supersedes a previous version, ensure the previous version is clearly marked as superseded and archived (not deleted) | Author |
5.2 Printed Copies
Printed copy rules and handling requirements are defined in ISMS-POL-DCM-01 §5.4 and ISMS-POL-ASM-01.
6. Periodic Review
Review frequencies by document type are defined in ISMS-POL-DCM-01 §5.2.
6.1 Review Steps
| Step | Action | Owner |
|---|---|---|
| 1 | Security Director identifies documents due for review (based on Next Review Date in the Document Register or triggered by a change event) | Security Director |
| 2 | Review the document for: accuracy, currency, alignment with current operations, and consistency with related documents | Author |
| 3 | Determine outcome: (a) no change required — record review date, (b) revision required — initiate revision per §3.2, (c) retirement required — initiate retirement per §7 | Author |
| 4 | Update the Document Register with the review date and outcome | Author |
7. Document Retirement
7.1 Retirement Steps
| Step | Action | Owner |
|---|---|---|
| 1 | Author identifies the document as no longer required (superseded, obsolete, or consolidated into another document) | Author |
| 2 | Obtain approval from Security Director for retirement (per ISMS-POL-DCM-01 §5.6) | Security Director |
| 3 | Mark the document as Withdrawn — add a prominent notice at the top of the document indicating it is no longer effective, with the date and superseding document (if applicable) | Author |
| 4 | Archive the document (do not delete). Superseded versions must remain accessible for audit purposes. | Author |
| 5 | Update the Document Register: set Status to Withdrawn, record retirement date and reason | Author |
| 6 | Notify affected personnel that the document is no longer effective | Author |
8. Document Register Maintenance
The Document Register is the single authoritative index of all formally controlled documents (per ISMS-POL-DCM-01 §4.2).
8.1 Maintenance Responsibilities
| Action | When | Owner |
|---|---|---|
| Add new entry | Upon document creation (§2.2 Step 5) | Author |
| Update version and status | Upon approval (§3.2 Step 6) or retirement (§7.1 Step 5) | Author |
| Record review date | Upon periodic review completion (§6.1 Step 4) | Author |
| Completeness audit | Quarterly — verify all controlled documents are registered and statuses are current | Security Director |
9. Evidence and Records
| Record | Retention | Storage |
|---|---|---|
| Document Register (current) | Permanent (continuously maintained) | Authorised document management system |
| Approval records (email / Teams confirmation) | Duration of document validity + 1 review cycle | Authorised document management system (per ISMS-POL-M365-01) |
| Periodic review records | Duration of document validity + 1 review cycle | Document Register (review date field) |
| Superseded document versions | Duration of successor document validity + 1 review cycle | Archived in document management system |
| Retirement/withdrawal records | 3 years after withdrawal | Document Register + archived document |
10. Document Control
| Version | Date | Author | Changes |
|---|---|---|---|
| 0.1.0 | 2026-03-04 | Lucas Shin | Initial draft — established procedures for document creation, review/approval, version numbering, distribution, periodic review, retirement, and register maintenance. Implements ISMS-POL-DCM-01. |
[End of Procedure]