The organisation should create and maintain documentation for the information systems used to provide its services. The documentation should describe each system's technical characteristics, its infrastructure and the security measures implemented for its protection, covering both technical and physical security measures as well as the results of risk assessments.
Documentation may be maintained in paper or electronic form, including automatically generated system logs. The organisation must establish supervision over this documentation to ensure:
- access is restricted to authorised persons only;
- documents are protected against damage, destruction, loss, unauthorised access, misuse, or loss of integrity;
- document versions are marked to enable identification of changes.
Documentation must be retained for at least 2 years from the date of withdrawal from use or termination of service provision, counted from 1 January of the following year (unless the organisation is subject to separate archival legislation). Destruction of withdrawn documentation must be confirmed by a disposal protocol recording the date, the designation of the destroyed documents, the method of destruction, and the details of the approving person. Disposal protocols are retained permanently.