Lesson 14 of 33
In Progress

Document Management Process

1                  Introduction

1.1              Purpose

The purpose of this document is to describe the document management procedures for all documents relating to the KPMG GSOC. The documentation will include but not be limited to policies, processes, controls and standard operating procedures.

1.2              Scope

This document covers all documentation relating to KPMG GSOC.

1.3              Ownership

The responsibility of ownership and ongoing management of this document, including the processes contained therein, rests with the Head of GSOC.

1.4              Audience

The intended audience for this document is the KPMG GSOC personnel and any other document contributors.

1.5              Change Management Cycle

This document must be reviewed in its entirety at least annually.

1.6              Exceptions

There are no exceptions permitted for this process.

1.7              Reporting Violations

Any violations to this policy should be reported directly to the GSOC Operational Manager at the following email address:

<< GSOC-Assitant-Manager@kpmg.com >>

2                  Document Control

2.1              Types of document

This refers to all document types that form the GSOC documentation and include but are not limited to:

  • – Formally documented management expectations and intentions. Policies are used to direct decisions, and to ensure consistent and appropriate development and implementation that consist of but are not limited to processes, standards, roles, activities and IT Infrastructure.
  • –A structured set of activities designed to accomplish a specific objective. A process takes one or more defined inputs and turns them into defined outputs. A process may include any of the roles, responsibilities, tools and management controls required to reliably deliver the outputs. A process may define standards, guidelines, activities, and work instructions if they are needed.
  • – All documents which help to support and manage a process, and ensure that the process itself is followed poperly.
  • Terms of Reference –A document specifying the scope, deliverables, resources and schedule for a project or activity.
  • Requirements Document – A document specifying the requirements for a project or activity.
  • Architecture Document – A document specifying the structure of a system or IT service, including the relationships of components to each other and to the environment they are in. Architecture also includes the standards and guidelines which guide the design and evolution of the system.
  • Technical Design – A document that identifies the requirements of a technical activity or process and then defines a solution that is able to meet these requirements.

2.2              Document Format

All documents types must follow the KPMG style guideline and it is the responsibility of each document owner to ensure compliance. Document formats may include but not be limited to Word, Excel, PowerPoint and Sharepoint.

2.3              Document Referencing

As the number of GSOC documents grows it has been necessary to develop a document control process to manage them effectively. All GSOC documents will have a unique reference that consists of the following components: Document Type, Document Category and Document Number, giving all GSOC documents a unique reference. Below, a list of all document types and categories used to reference the GSOC documentation is outlined:

Document Type:

  • PO – Policies
  • PR – Processes/Procedures
  • CO – Control
  • TOR – GSOC Terms of Reference
  • RD – Requirements Document
  • AD – Architecture Document
  • TD – Technical Design


  • OP – Operation
  • IN – Intelligence
  • IS – IT Support
  • PS – Personnel
  • CM – Comms/Media
  • FN – Finance
  • IG – IT Governance
  • LG – Logistics

Document Number: xx

Please refer to the Appendix 1 GSOC Documents for a list of all currently allocated reference numbers.

2.4              Version Numbering

All documents which are produced under KPMG control must have a version number, which will be 0.1 for the first draft, 0.2 for the second draft etc. All core documents will need to be formally reviewed and approved for publication and when this has been done, the document should be changed to version 1.0, with ‘draft’ removed from the document. The 1.0 version will then become the benchmark and all future version numbers must follow consistent pattern of x.x.

2.5              Document Change Controls

All GSOC core documents will use standard SharePoint version control and check in/out processing to monitor their control. All core documents will also contain document control records. It is recommended that SharePoint archives are set up to hold non-current versions.

2.6              Guidelines for Authors

2.6.1          GSOC owned documents

Where appropriate documents should be produced using the documentation standards as defined above. This is based on the KPMG report macro and also provides a common presented style for the front sheet, internal structure and first few pages. The rest of the content of a document is determined by the author, based on the type of document being produced.

2.6.2          Essential Document Properties

The following table briefly describes contents of all properties that are deemed essential for GSOC core documents. 

Document TitleAs allocated by the document owner.
Reference numberThe reference number in line with the document referencing guidelines.
OrganisationThe organisation that owns the document. This maybe on the control or guideline tab for a spreadsheet.
EntityThe company that the organisation belongs to, usually KPMG LLP. This maybe on the control or guideline tab for a spreadsheet.
DateThe issue date of this version of the document in DD XXXXXX CCYY format. While a document is in draft it is common practice to preface the date with “draft”
VersionThe document version number.
Amendment HistoryThis contains the version number, date and summary of the changes and sections that have been changed. It also includes the document review details such as reviewer’s name and date.

2.7              Document production Roles and Responsibilities

2.7.1          Document owner

The document owner is responsible for the production of GSOC documents and subsequent changes to existing documents for release into the GSOC SharePoint. Document owners can delegate responsibility for production of new documents or change requests to nominated representatives, either on a permanent basis and/or during absences (e.g. holidays). The document owner must pass the document to the Head of GSOC for it be approved.

2.7.2          Contributor

Contributors are the subject matter experts (SME) in the relevant subject of the document or other admissible parties who are assigned by the document owner to produce or amend documents. There may be one or more contributors to a document and the contributor(s) may vary during the lifetime of the document. The contributors must work with the Document owner and the reviewer(s) to complete the document change.

2.7.3          Reviewer

GSOC documentation should be reviewed by a second person other than the creator. Reviewers should evaluate draft documentation and agree when they are suitable for authorisation and release. Reviewers represent users of the documentation; suppliers to the processes it describes; and customers affected by the products resulting from its use.

3                  Appendices

Appendix 1 – GSOC Documents

ReferenceDocument Name
AD_OP_01Service Architecture
Business Continuity Plan / Disaster Recovery Plan
Service Design
Grade Behaviours
Risks and Decisions Log
Access Request Form
Customer Satisfaction Survey Form
Capacity Management Plan
CO_CM_01GSOC Narrative & Key Messages
CO_FN_01GSOC Financial Tracker
CO_FN_02GSOC Cost Model
CO_IG_01Audit report template
CO_IG_02MF Feedback template
CO_IN_01Metrics/KPI Documentation/Definition (Use from Governance Model)
CO_IN_02Threat Priority Matrix (1)
CO_IN_03Dark Line Log (Audit Trail)
CO_IS_01BCM/DR Actions memory aid
CO_IS_02BCM/DR Call Out Roster
CO_IS_03Change Request template
CO_LG_01Service Level Agreement Template
CO_LG_02Approved supplier List
CO_LG_03GSOC Equipment Maintenance Care Log
CO_LG_04Asset Inventory Log Register
CO_LG_05Health & Safety Log
CO_OP_01MF Consent to Monitor
CO_OP_02MF Onboarding template
CO_OP_03Service Request template
CO_OP_04Service Catalogue
CO_PS_01Training Catalogue (inc. Training and Qualification Process)
CO_PS_02GSOC Minibio
CO_PS_03GSOC Job Descriptions
CO_PS_04Skills Matrix (Resource specific)
CO_PS_06Resource Onboarding Pack
IT Support Policy
PO_CM_01External Communications and Media Policy
PO_FN_01Finance Policy
PO_IG_01Audit and Security Testing Policy
PO_IG_02Continual Service Improvement Policy
PO_IG_03Document Management Policy
PO_IN_01Threat Intelligence Policy
PO_IN_02Dark Line Policy
PO_LG_01GSOC Equipment Policy
PO_OP_01GSOC Authority Policy
PO_OP_02Security Policy
PO_OP_03IT Incident Management Policy
PO_OP_05Data Breach Policy
PO_OP_06Security Incident Management Policy (inc. Global Incident Responsibility Policy)
PO_OP_07Change Management Policy
PO_PS_01HR Policy
PO_PS_02Training Policy
Resource Off-boarding Process
PR_CM_01Crisis Communication (Management) Plan
PR_CM_02GSOC Communications Process (Communications Roster)
PR_FN_01Supplier Financing & Procurement (6)
PR_IG_01Document Management Process
PR_IG_04Code of Conduct
PR_IN_01Detection Optimisation Process
PR_IN_02Intelligence Management Process (inc. Threat Intel Lifecycle)
PR_IN_03Reporting Process (inc. Report Process, Member Firm Notification Process, Service Report Generation Process)
PR_IS_01SECOPS Process Customization Definition
PR_IS_02Change Management Process
PR_IS_03Test Management (6)
PR_IS_04Disaster Recovery Plan (6)
PR_IS_05Backup plans (6)
PR_IS_06Request Management Process (Service change, RFI, RFC)
PR_IS_06Supplier Management process (6)
PR_LG_02GSOC Equipment Maintenance Process (6)
PR_LG_03Health & Safety process (6)
PR_OP_01Content Management Process
PR_OP_02Triage Process
PR_OP_03SOC Escalation Process (inc. Incident Response Process, MF Escalation Process)
PR_OP_04MF Onboarding Process (analyst, assets)
PR_OP_05Data Handling & Privacy Process
PR_OP_07Service Management Process (inc. Continual Improvement Process, SOC Environmental Process)
PR_OP_11Risk Management process (6)
PR_OP_12Portal IAM Process (5)
PR_OP_14Dark Line / Nonattrib Process
PR_OP_15Client Context Management Process
PR_OP_16Investigation Process
PR_OP_17Security Incident Management Process
PR_OP_20Discovery Process (inc. Retrospective Detection Process, Trend Analysis and Querying)
PR_OP_24Problem Management
PR_OP_25Service Desk Management
PR_OP_26Patch Management
PR_OP_27Vulnerability Management
PR_OP_28IT Incident Management Process (GSOC only – maybe rename as GSOC Platform Management)
PR_PS_01Resource Onboarding (GSOC)
PR_PS_02Shift Management Process (inc. Shift Handover Process)
PR_PS_03Career Management (inc. Planning)
RD_IG_01GSOC Baseline Reqs.