Skip to content
AuditFront
CQ-5 Tech Due Diligence

Tech Due Diligence CQ-5: Code Documentation and Developer Onboarding

What This Control Requires

The assessor evaluates the quality and comprehensiveness of technical documentation, including code-level documentation, architecture decision records, API documentation, runbooks, and the effectiveness of the developer onboarding process.

In Plain Language

If your best engineer left tomorrow, how much institutional knowledge walks out the door with them? That is the core question behind this control. Good documentation means new team members can understand and contribute to the codebase within days, not weeks. Operational knowledge lives in runbooks rather than in people's heads. Architecture decisions are recorded with their rationale so nobody has to guess why things were built a certain way. Expect the assessor to look across multiple layers: inline comments and READMEs at the code level, system diagrams and data flow documentation at the architecture level, endpoint specs and schemas for APIs, runbooks and deployment procedures for operations, and Architecture Decision Records (ADRs) for the reasoning behind key choices. Developer onboarding is the practical litmus test. If a competent mid-level hire takes weeks to ship their first meaningful change, that points to either poor documentation or unnecessary complexity. A smooth onboarding process shows that knowledge has been properly externalised and the codebase is genuinely approachable.

How to Implement

Start with a developer onboarding guide that takes someone from zero to productive. Cover development environment setup (ideally automated with a single command), codebase orientation, architecture overview with diagrams, your development workflow, key business domain concepts, and common debugging procedures. Keep architecture documentation lightweight but useful. At minimum, maintain a high-level system diagram showing major components and their interactions, data flow diagrams for critical user journeys, an infrastructure diagram of your deployment topology, and ADRs for significant technical decisions. Generate API documentation from code wherever possible. Tools like Swagger/OpenAPI for REST, GraphQL introspection, or Protocol Buffers definitions for gRPC keep docs in sync with the actual implementation automatically. Write operational runbooks for both routine and emergency procedures. Each one should cover when to use it, prerequisites, step-by-step instructions, expected outcomes, and what to do when things go sideways. Test runbooks periodically to make sure they still work. Make documentation a required part of your development process. Add it to PR checklists. Set the expectation that new features ship with documentation updates. Measure documentation quality practically: track new developer time-to-first-contribution, run periodic documentation reviews, check coverage of critical systems, and ask the team whether the docs are actually useful. Pick one documentation platform and stick with it. Stale, contradictory documentation scattered across multiple tools is worse than having no documentation at all.

Evidence Your Auditor Will Request

  • Developer onboarding guide or getting-started documentation
  • Architecture documentation with system diagrams
  • API documentation (auto-generated preferred)
  • Operational runbooks for key procedures
  • Time-to-productivity metrics for recently onboarded developers

Common Mistakes

  • No onboarding documentation; new developers rely on verbal knowledge transfer
  • Architecture documentation is outdated and no longer reflects the actual system
  • API documentation exists but is out of sync with the implementation
  • Operational knowledge exists only in the heads of specific team members
  • Documentation scattered across multiple tools with no clear organisation

Related Controls Across Frameworks

Framework Control ID Relationship
ISO 27001 A.5.37 Related

Frequently Asked Questions

What is a good time-to-first-contribution for new developers?
With solid documentation and onboarding, a mid-level developer should ship a small but meaningful change within their first week. If it consistently takes more than two to three weeks, that is a strong signal of either documentation gaps or unnecessary codebase complexity.
Are Architecture Decision Records (ADRs) really necessary?
They are one of the highest-value, lowest-effort documentation practices you can adopt. ADRs capture not just what was decided, but why - which is exactly what assessors and future team members need. Without them, people end up guessing at the reasoning behind architectural choices, and that leads to poor decisions down the line.

Track Tech Due Diligence compliance in one place

AuditFront helps you manage every Tech Due Diligence control, collect evidence, and stay audit-ready.

Start Free Assessment