Documentation reviews: Why do them?
In business, having proper, up-to-date documentation in place is key to success. But it doesn’t just stop there.
So, what are document reviews? Why do you need them, what is involved, and how do they improve your business?
Well, as the title of this blog article suggests, document reviews are the reviewing of all the documentation within your business, whether it’s Standard Operating Procedures (SOPs), change control, policies and procedures, employee contracts, company manuals and so forth. The aim is to ensure that these documents align with both your business requirements and any external standards, such as ISO or Cyber Essentials, or other regulatory requirements.
How audits are carried out will depend on how you manage your documentation and where the documents are stored, but this can also be part of the review process: uncovering how easy it is to locate and review all documentation. Is there an area for improvement?
Documentation reviews should be performed at least annually, and also upon change if big changes are implemented. These reviews should be performed by someone who knows the business processes quite well, as this will allow them to understand the business as well as who to talk to about any documentation that may require updates.
The review of information is important to the business and should not be skipped or forgotten about, no matter how boring it is. It’s important not only for ensuring that you are in full compliance with any external laws and regulations, but also for ensuring that you are implementing best practices, should something happen.
The review process should ensure that documentation has change control and document control implemented. This means that documentation is versioned, has an owner and is kept up to date, and that people know about any changes that are applied. You should plan to review your documentation throughout the year so that it is a continual process, and you are not overloaded reviewing all documentation throughout the course of one month.
When reviewing the documentation, you should be looking to ensure that the documentation is correct at the time of the review. Does the documentation contain links or references to external sources? If so, are these still correct or do they need to be updated? You should be checking that the owners of the documents are still the correct owners, and that people are aware of the documents and where they are located.
The review process, although tedious, is important to the business and will help to identify and reduce any risks and vulnerabilities to the business. It will also play a part in risk and incident management as well as help improve onboarding and offboarding processes.
For any documentation that includes recovery plans, such as disaster recovery and business continuity or incident management, you should review these documents and any associated guidelines to ensure they are all up to date, that they have been tested against any systems which are mentioned, and that all members of staff are aware of their location and how to gain access.
For documentation that complies with industry standards and regulations, checks should be made to ensure that all documentation still complies with the external standard and that any changes are applied as required.
Past versions of documentation should be kept separate from the live documents. This allows you to review past versions if necessary and, if needed, fall back to a previous policy or procedure should the need arise.
Lastly, it goes without saying that backups should be in place for your documentation and that they are tested to ensure that, in the worst case, you can recover your documents.