
Document Management Overview

Learn how to organize, store, and manage compliance documentation in DSALTA for efficient evidence collection and audit preparation.

Written by John Ozdemir
Updated over a month ago

What Are Compliance Documents?

Compliance documents are any files that serve as evidence for security controls, including:

Technical Documentation:

  • System architecture diagrams

  • Network topology maps

  • Data flow diagrams

  • Security configuration screenshots

  • Infrastructure as Code (IaC) templates

Operational Records:

  • Change request logs

  • Incident response reports

  • Access review sign-offs

  • Backup verification logs

  • System maintenance records

Security Assessments:

  • Vulnerability scan reports

  • Penetration test results

  • Security audit findings

  • Risk assessment documents

  • Third-party security reviews

Contractual Documents:

  • Business Associate Agreements (BAAs)

  • Data Processing Agreements (DPAs)

  • Vendor contracts with security clauses

  • Customer security agreements

  • Non-disclosure agreements (NDAs)

Certificates and Attestations:

  • SSL/TLS certificates

  • Background check confirmations

  • Training completion certificates

  • Insurance certificates

  • Previous audit reports (SOC 2, ISO 27001)

Organizational Documentation:

  • Organizational charts

  • Job descriptions for security roles

  • Committee meeting minutes

  • Board presentations on security

  • Security budget documentation

Why Document Management Matters

Proper document management provides:

Audit Efficiency: Organized evidence makes audits faster and smoother

Evidence Completeness: Centralized storage prevents lost or missing evidence

Version Control: Historical records show continuous compliance

Access Control: Sensitive documents remain secure but accessible when needed

Compliance Mapping: Clear connections between documents and controls

Time Savings: Quick retrieval beats searching email or shared drives

Documents vs. Policies vs. Evidence

Understanding the distinction:

Policies: Formal, approved statements of how you approach security topics

Documents: Artifacts that support or demonstrate control implementation

Evidence: Broader category including both documents and automated data

Example for Access Control:

  • Policy: Access Control Policy defining your approach

  • Documents: Access review sign-off sheets, onboarding checklists

  • Evidence: Documents + automated user directory data + access logs

All three work together to prove compliance.

Accessing Documents in DSALTA

Navigate to Compliance > Documents to view your document library.

The documents page displays:

  • Document name and type

  • Upload date

  • Owner or uploader

  • Linked controls and frameworks

  • File size and format

  • Last accessed date

Document Categories

DSALTA organizes documents into categories:

Architecture & Design:

  • System architecture diagrams

  • Network diagrams

  • Data flow diagrams

  • Security design documents

Reports & Assessments:

  • Vulnerability scan reports

  • Penetration test results

  • Security assessments

  • Audit reports

  • Risk assessments

Procedures & Runbooks:

  • Standard Operating Procedures (SOPs)

  • Incident response runbooks

  • Disaster recovery procedures

  • Configuration guides

Contracts & Agreements:

  • Vendor contracts

  • Business Associate Agreements

  • Data Processing Agreements

  • Customer agreements

Training & Awareness:

  • Training materials

  • Security awareness content

  • Completion certificates

  • Training schedules

Compliance & Legal:

  • Previous audit reports

  • Regulatory correspondence

  • Legal opinions

  • Compliance assessments

Operational Logs:

  • Change logs

  • Incident reports

  • Access review records

  • Maintenance records

Proper categorization helps with filtering, searching, and audit preparation.

Document Storage Strategy

DSALTA serves as your compliance document repository, but decide deliberately what belongs in it and what should only be referenced from its system of record:

What to Store in DSALTA

Compliance-specific documents:

  • Documents mapped to controls

  • Evidence for audit purposes

  • Compliance reports and assessments

  • Previous certification reports

Security-relevant records:

  • Vendor security assessments

  • Penetration test reports

  • Risk assessment documents

  • Security meeting minutes

What to Reference from Other Systems

Operational documents: Link to documents in their existing systems rather than duplicating them:

  • Code repositories (GitHub/GitLab)

  • Project management tools (Jira, Asana)

  • Wiki or knowledge bases (Confluence, Notion)

  • HR systems (BambooHR, Workday)

DSALTA integrations automatically reference these when appropriate.

Document Metadata

Each document in DSALTA includes metadata:

Basic Information:

  • File name and type

  • Upload date and uploader

  • Last modified date

  • File size

Compliance Mapping:

  • Linked controls

  • Associated frameworks

  • Related policies

  • Connected tests

Classification:

  • Document category

  • Confidentiality level

  • Retention requirements

  • Access restrictions

Review Information:

  • Next review date

  • Review owner

  • Last reviewed date

  • Review notes

Rich metadata makes documents discoverable and manageable.

Document Access Control

Control who can view sensitive documents:

Public (within organization): All team members can view

Restricted: Only assigned roles or individuals

Auditor Access: External auditors during engagements

Admin Only: Highly sensitive documents

Balance security with accessibility: external auditors need access to the evidence behind the controls they are testing for the duration of an engagement, and that access should be removed when the engagement ends.

Document Organization Best Practices

Use Descriptive File Names

Good naming conventions include:

  • Document type

  • Topic or system

  • Date (YYYY-MM-DD, or the period covered, such as YYYY-MM or YYYY-Qn)

  • Version if applicable

Examples:

  • PenTest_Report_Annual_2024-11-15.pdf

  • AWS_Architecture_Diagram_v2.1_2024-12.png

  • Vendor_Assessment_Acme_Corp_2024-Q4.xlsx

Avoid:

  • Screenshot.png

  • Report.pdf

  • Document1.docx

Maintain Version Control

For documents that evolve:

  • Include version numbers in filenames

  • Document what changed between versions

  • Keep historical versions accessible

  • Note which version is current
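As an added illustration of the naming and versioning conventions above (example code written for this page, not a DSALTA feature or a check DSALTA performs), the Python below parses filenames against an assumed pattern Type_Topic[_vX.Y]_Date.ext generalized from the three good examples, flags names that do not fit, groups the rest by document, and picks the current version numerically so that v2.10 sorts after v2.9. The file list is constructed sample data.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Assumed convention (generalized from the page's examples, not a DSALTA rule):
#   Type_Topic[_vMAJOR.MINOR]_Date.ext   where Date is YYYY-MM-DD, YYYY-MM or YYYY-Qn
_NAME_RE = re.compile(
    r"^(?P<type>[A-Za-z]+)_"
    r"(?P<topic>[A-Za-z0-9]+(?:_[A-Za-z0-9]+)*?)"        # non-greedy: stops before _v or _Date
    r"(?:_v(?P<version>\d+(?:\.\d+)*))?"
    r"_(?P<date>\d{4}-\d{2}-\d{2}|\d{4}-\d{2}|\d{4}-Q[1-4])"
    r"\.(?P<ext>[a-z0-9]+)$"
)


@dataclass(frozen=True)
class EvidenceName:
    doc_type: str
    topic: str
    date: str
    ext: str
    version: Optional[str] = None


def parse_name(filename: str) -> Optional[EvidenceName]:
    """Return the parsed parts of a conforming filename, or None if it does not conform."""
    m = _NAME_RE.match(filename)
    if not m:
        return None
    return EvidenceName(m["type"], m["topic"], m["date"], m["ext"], m["version"])


def version_key(version: Optional[str]) -> tuple:
    """Numeric sort key: '2.10' > '2.9'; an unversioned document sorts lowest."""
    return tuple(int(p) for p in version.split(".")) if version else ()


def audit_library(filenames):
    """Split a file list into non-conforming names, the current file per document,
    and superseded files (older versions or earlier dates of the same document)."""
    bad, groups = [], defaultdict(list)
    for fn in filenames:
        parsed = parse_name(fn)
        if parsed is None:
            bad.append(fn)
        else:
            groups[(parsed.doc_type, parsed.topic, parsed.ext)].append((fn, parsed))
    current, superseded = {}, []
    for key, entries in groups.items():
        # Highest version wins; for unversioned documents the latest date string wins
        # (ISO date strings of the same granularity compare correctly as text).
        entries.sort(key=lambda e: (version_key(e[1].version), e[1].date))
        current[key] = entries[-1][0]
        superseded.extend(fn for fn, _ in entries[:-1])
    return bad, current, superseded


# Constructed sample library (not real DSALTA data).
SAMPLE_LIBRARY = [
    "PenTest_Report_Annual_2024-11-15.pdf",
    "PenTest_Report_Annual_2023-11-20.pdf",
    "AWS_Architecture_Diagram_v2.1_2024-06.png",
    "AWS_Architecture_Diagram_v2.9_2024-09.png",
    "AWS_Architecture_Diagram_v2.10_2024-12.png",
    "Vendor_Assessment_Acme_Corp_2024-Q4.xlsx",
    "Screenshot.png",
    "Report.pdf",
    "Document1.docx",
]

if __name__ == "__main__":
    bad, current, superseded = audit_library(SAMPLE_LIBRARY)
    print("Rename these:", bad)
    for key, fn in current.items():
        print("Current for", key, "->", fn)
    print("Superseded (keep accessible, mark as historical):", superseded)
```

Running the script lists the three vague names for renaming, reports v2.10 rather than v2.9 as the current architecture diagram, and marks the 2023 penetration test report as superseded by the 2024 one.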

Add Descriptions

Write brief descriptions explaining:

  • What the document contains

  • Why it's important for compliance

  • Which controls it supports

  • Any special considerations

Regular Cleanup

Periodically:

  • Archive outdated documents

  • Remove duplicates

  • Update stale information

  • Reorganize as needed

Document Lifecycle

Documents follow a lifecycle:

Creation/Upload: Document is added to DSALTA

Review: Periodic reviews ensure currency

Update: Modified versions replace outdated ones

Archive: Historical versions are preserved

Retention: Documents kept per retention policy

Disposal: Secure deletion when no longer needed

DSALTA tracks documents through this lifecycle automatically.
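The lifecycle rules above can be made concrete with a small classifier. The Python below is an added example written for this page, not DSALTA's own tracking logic; it assumes that each record carries an upload date, an optional last-reviewed date, a review interval and a retention period in years (all assumed field names), and it sorts documents into active, review-overdue, archived, and eligible-for-disposal. Retention expiry is checked first because it applies to archived documents too, and the year arithmetic handles a 29 February upload date. The records are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class DocRecord:
    name: str
    uploaded: date
    last_reviewed: Optional[date]   # None until the first periodic review
    review_interval_days: int       # assumed: how often the owner must re-confirm currency
    retention_years: int            # assumed: keep this long after upload, per retention policy
    archived: bool = False


def add_years(d: date, years: int) -> date:
    """Add whole years; a 29 February start date lands on 28 February in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def lifecycle_state(doc: DocRecord, today: date) -> str:
    """Classify one document: 'dispose', 'archived', 'review-overdue' or 'active'."""
    if today >= add_years(doc.uploaded, doc.retention_years):
        return "dispose"          # retention period over: eligible for secure deletion
    if doc.archived:
        return "archived"         # historical version preserved, no further reviews
    review_due = (doc.last_reviewed or doc.uploaded) + timedelta(days=doc.review_interval_days)
    return "review-overdue" if today > review_due else "active"


def triage(docs: List[DocRecord], today: date) -> Dict[str, List[str]]:
    """Group document names by lifecycle state (every state key is present, possibly empty)."""
    result: Dict[str, List[str]] = {s: [] for s in ("active", "review-overdue", "archived", "dispose")}
    for doc in docs:
        result[lifecycle_state(doc, today)].append(doc.name)
    return result


# Constructed sample records (not real DSALTA data).
SAMPLE_RECORDS = [
    DocRecord("PenTest_Report_Annual_2024-11-15.pdf", date(2024, 11, 16), None, 365, 7),
    DocRecord("Access_Review_Q2_2024-06-30.xlsx", date(2024, 7, 2), date(2024, 7, 2), 180, 7),
    DocRecord("PenTest_Report_Annual_2017-10-01.pdf", date(2017, 10, 5), date(2023, 10, 1), 365, 7),
    DocRecord("AWS_Architecture_Diagram_v2.0_2024-09.png", date(2024, 9, 1), None, 90, 7, archived=True),
]

if __name__ == "__main__":
    for state, names in triage(SAMPLE_RECORDS, date(2025, 1, 15)).items():
        print(f"{state:15} {names}")
```

With the sample dated 15 January 2025, the 2024 penetration test is active, the Q2 access review is overdue (180 days after its July review), the 2017 report has passed its seven-year retention and is eligible for disposal, and the archived v2.0 diagram is kept but no longer reviewed.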

Search and Discovery

Find documents quickly using:

Full-text search: Search document contents and metadata

Filters: By category, control, framework, date range

Tags: Custom tags for cross-cutting themes

Control mapping: Find all documents for a specific control

Framework view: See documents supporting a framework

An effective search prevents recreating evidence you already have.
