Document Management Policy

Classification: L1 — Policy (Domain)

Version: 0.1.1

Effective Date: March 3, 2026

Author: Lucas Shin — Security Director

Approved By: Richard Williams — CISO

Next Review Date: March 2027

1. Purpose

This policy establishes the principles, classification framework, and governance requirements for all formally controlled documents within the Cybercraft ISMS.

It defines:

How documents are classified by their purpose
How documents are identified through a standardised Doc ID scheme
How documents are governed through approval, review, and retention requirements

All document management activities — including creation, review, approval, distribution, and disposal — derive their authority from this policy.

ℹ️

Note: This policy includes L2 Standard content (measurable criteria such as the Doc ID scheme, approval authority matrix, review cycles, and version numbering rules). A separate L2 Standard document is not issued for the Document Management domain; these criteria are incorporated directly into this policy due to limited volume.

2. Scope

2.1 Applicability

This policy applies to all formally controlled documents within the Cybercraft ISMS, including but not limited to:

Policies, Standards, Procedures, and Guidelines (L1–L4)
System Configuration documents
Registers, Reports, Forms, and Plans

2.2 Exclusions

The following are not within the scope of this policy:

Informal working documents (e.g., Teams channel messages, personal OneDrive files)

2.3 Determining Control Status

Controlled documents are managed through this policy and the Document Control Procedure (ISMS-PROC-DCL-01), and are registered in the Document Register with a Doc ID.

A document becomes a formally controlled document when:

It serves one of the four purposes defined in §3.2, and
It is assigned a Doc ID per §4.1, and
It is registered in the Document Register per §4.2

2.4 Regulatory Alignment

This policy supports compliance with:

ISO/IEC 27001:2022 — Clause 7.5 (Documented Information)
ISO/IEC 27001:2022 — Annex A.5.37 (Documented Operating Procedures)

3. Document Classification Framework

3.1 Core Principle

📐

All formally controlled documents are information assets. There is no distinction between "inside" and "outside" the ISMS. Documents differ only in their purpose, which determines their management requirements — approval authority, review cycle, and change control.

3.2 Four-Purpose Classification

Every formally controlled document must be classified into exactly one of the following four purposes. If a document cannot be classified, the framework is incomplete and must be revised.

Purpose	Question the Document Answers	Nature	Document Types	L-Hierarchy
A. Normative	"What must be done?"	Creates obligations (prescriptive)	Policy (L1), Standard (L2)	✅ Yes
B. Instructional	"How should it be done?"	Guides action (instructional)	Procedure (L3), Guideline (L4)	✅ Yes
C. Descriptive	"What is the current state?"	Records state (descriptive)	System Configuration	❌ No
D. Evidentiary	"What was done / what exists?"	Proves activity (evidentiary)	Register, Report, Form, Plan	❌ No

3.3 L-Hierarchy (Policy Cascade)

The L-hierarchy (L1–L4) applies exclusively to Purpose A and B documents. Upper levels derive authority downward:

Level	Type	Purpose	Defines
L1	Policy	A. Normative	What must be done — principles, requirements, and obligations
L2	Standard	A. Normative	How well — measurable criteria and baseline definitions
L3	Procedure	B. Instructional	How — step-by-step operational instructions
L4	Guideline	B. Instructional	Guidance — user and administrator manuals

Purpose C and D documents are outside the L-hierarchy — they do not derive authority from upper levels and serve as reference or evidentiary records.

4. Document Identification

4.1 Doc ID Scheme

All formally controlled documents shall be assigned a unique Doc ID using the following 4-segment structure:

① System - ② Type - ③ Domain - ④ Sequence

Segment	Description	Examples
① System	Management system prefix	`ISMS` (Information Security). Non-security systems may use other prefixes (e.g., `HR`, `FIN`, `OPS`) when introduced.
② Type	Document type code	`POL` (Policy), `STD` (Standard), `PROC` (Procedure), `GUIDE` (Guideline), `CONF` (System Configuration), `REG` (Register), `FORM` (Form), `CORE` (ISMS Core)
③ Domain	Subject area	`BYOD`, `M365`, `ASM`, `DCM`, `HR`, `ISP`, `ADG`, `INC`, `STP`, `BCP`, `COM`, `RM`
④ Sequence	2-digit serial number	`01`, `02`, etc.

Example: ISMS-POL-DCM-01 = ISMS system, Policy type, Document Management domain, first document.

4.2 Single Document Register Principle

All formally controlled documents shall be managed in a single Document Register (ISMS Document Register). The ① System prefix distinguishes documents belonging to different management systems within the same register.

5. Document Governance

5.1 Approval Authority

Document Type	Author	Approver
L1 Policy (Master + Domain)	Security Director	CISO
L2 Standard	Security Director	CISO
L3 Procedure	Security Director	Security Director (self-approval permitted)
L4 Guideline	Security Director	Security Director (self-approval permitted)
System Configuration (C)	Security Director	Security Director (self-approval permitted)
Register / Report / Form / Plan (D)	Security Director	Per document requirements

5.2 Review Cycle

L1 Policy and L2 Standard: Annual review, or upon significant organisational, technical, or regulatory change
L3 Procedure and L4 Guideline: Annual review, or upon operational process change
System Configuration (C): Updated when system configuration changes; no fixed review cycle
Evidentiary documents (D): Per document-specific requirements

5.3 Version Control

All formally controlled documents shall include a Document Control section recording version history.
Version numbers follow the Major.Minor format.

Minor version — odd/even convention:

Even minor (including 0): Approved and released (e.g., 1.0, 1.2, 1.4)
Odd minor: Draft — under revision, not approved (e.g., 1.1, 1.3, 1.5)

Major version:

Incremented only upon significant structural or scope changes (e.g., framework redesign, major regulatory update)
Routine reviews and minor amendments remain within the same major version

Distribution rule:

Only even minor versions may be distributed to personnel and referenced as the current effective version
Odd minor versions are drafts and must not be used or relied upon, even if a higher odd version exists beyond the latest even version

5.4 Format and Media

All formally controlled documents shall be maintained in their native digital format within the authorised document management system.
The document management system's built-in version control, access control, and co-authoring capabilities serve as the primary format control mechanism. Conversion to alternative formats (e.g., PDF) for distribution is not required.
Printed copies are considered uncontrolled copies — they are not subject to version control or update distribution, and must not be relied upon as the current effective version. Handling of printed copies (marking, physical storage, and disposal) shall comply with the information classification and handling requirements defined in ISMS-POL-ASM-01.

5.5 Storage and Protection

All controlled documents shall be stored in authorised, protected locations as defined by the applicable security policies.
Storage protection mechanisms — including device management (MDM), application-level isolation (MAM), and OS-level volume separation (ADUE) — are governed by the BYOD Security Policy (ISMS-POL-BYOD-01) and M365 Workspace & Access Policy (ISMS-POL-M365-01).
This policy does not define storage protection mechanisms; it requires that all controlled documents reside in locations that meet the protection standards established by the referenced policies.

5.6 Retention and Disposal

All formally controlled documents shall be retained for the duration of their relevance plus a minimum of one review cycle after supersession or withdrawal
Disposal of controlled documents requires documented approval from the Security Director
Superseded versions shall be clearly marked and archived (not deleted)

6. Roles and Responsibilities

Role	Responsibilities
CISO	Approve L1 and L2 documents. Authorise exceptions to this policy.
Security Director	Author and maintain all ISMS documents. Manage the Document Register. Ensure compliance with this policy. Approve L3, L4, and supporting documents.
All Personnel	Use current approved versions of documents. Report discrepancies or outdated documents to the Security Director.

7. Related Documents

Doc ID	Title	Relationship
ISMS-POL-ISP-01	Information Security Policy	Parent — Master Policy
ISMS-PROC-DCL-01	Document Control Procedure	L3 implementing procedure for this policy
ISMS-POL-ASM-01	Asset Management & Information Classification Policy	Governs handling of printed copies (§5.4)
ISMS-POL-BYOD-01	BYOD Security Policy	Governs device-level storage protection (§5.5)
ISMS-POL-M365-01	M365 Workspace & Access Policy	Governs access and channel-based document protection (§5.5)

8. Compliance Mapping

Control	Description	Coverage
ISO 27001 Clause 7.5	Documented Information	§2–§5 (scope, classification, identification, governance)
ISO 27001 A.5.37	Documented Operating Procedures	§5 (governance requirements for procedures)
ISO 27001 A.5.1	Policies for Information Security	§3.3 (L-hierarchy and policy cascade)

9. Document Control

Version	Date	Author	Changes
0.1.0	2026-03-03	Lucas Shin	Initial release — established document classification framework (4-purpose classification), Doc ID scheme, L-hierarchy definition, and document governance requirements. Created as FW4 deliverable.
0.1.1	2026-03-03	Lucas Shin	Added L2 Standard inclusion note (§1) — this policy incorporates L2-level measurable criteria (Doc ID scheme, approval matrix, review cycles, version rules) without a separate L2 document.

Review Schedule

Annually: Full policy review aligned with ISMS management review
Ad-hoc: Upon significant changes to document management practices or regulatory requirements

[End of Policy Document]