Documentation: Do We Actually Use It or Just Keep It for the Audit?

Published by
Daniel Alano
Chief Information Security Officer (CISO)

We’ve documented it!

Documentation plays a critical role in organizations. It serves to establish guidelines, plan, record events, transfer information, and more. Nowadays, more and more documentation is being created—whether due to internal needs, regulatory requirements, or contractual obligations.

We have policies, procedures, records, plans, matrices, forms, and manuals. Each one with its name, code, and version—approved, signed, and archived.

We’re Covered

So we’re covered—because we have it documented. In many cases, there’s a belief that simply having the appropriate documentation means everything will work. But that “coverage” is just an illusion.

When someone asks how a specific task is performed, there are pages and pages describing how to carry it out. And simply having that paper or file gives us a sense of relief. It seems the focus is on having documentation.

But when it comes to security, having controls documented doesn’t make them effective against attackers. It’s not enough.

Documents vs. Reality

Does the documentation we have reflect our reality?

This first question is key to understanding whether we are actually living in two separate organizations: one that exists on paper and another that functions in practice—even if they don’t always align.

Is what we’ve written actually useful?

We don’t need documentation if it only exists to keep us “covered”. Such documentation doesn’t reflect reality and therefore isn’t used.

If we need to block out time in the calendar once a year to review a document that no one looks at again until the next annual review, that document is not useful.

When it comes to information security, this question is critical. An incident response plan is useless if no one reads it until the day an attack happens. The same goes for a risk matrix—risks aren’t reduced through an annual review, but through continuous practice.

Living Documentation

Living documentation doesn’t need reminders to be reviewed (beyond the mandatory compliance checks). It is under constant scrutiny because it is used every day, consulted, adjusted, and improved.

It’s everything that is written and actually absorbed by people, becomes part of the culture, and is constantly fed by reality. It evolves from being a requirement to becoming a true tool—one worth maintaining.

Documentation only makes sense when it is alive. It guides, helps, protects, and evolves.