Skip to content
AuditFront
TEAM-6 Tech Due Diligence

Tech Due Diligence TEAM-6: Internal Documentation and Knowledge Base

What This Control Requires

The assessor evaluates the organisation's approach to preserving and sharing institutional knowledge, including internal wikis, decision documentation, process documentation, and the overall culture of documentation as a team practice.

In Plain Language

Good documentation is a force multiplier for engineering teams and a significant risk mitigator. When important decisions, processes, and domain knowledge live only in people's heads, you are one resignation away from losing them. During DD, we assess whether your organisation has a functioning knowledge base or wiki, whether critical topics are covered (architecture, processes, domain knowledge, vendor relationships), whether the documentation is current or stale, whether the team can actually find what they need, and whether documentation is a valued practice or a neglected afterthought. Documentation quality correlates strongly with broader engineering maturity. Teams that document well tend to have better code review practices, clearer processes, and stronger communication habits. We use documentation quality as a reliable signal of overall organisational discipline.

How to Implement

Set up a central knowledge base on a platform your team will actually use - Notion, Confluence, GitBook, or a docs-as-code approach with Markdown in Git. Organise it with a clear information architecture: engineering (architecture, coding standards, development environment setup), operations (runbooks, deployment procedures, incident response), product (domain glossary, feature specs, user research), process (development workflow, review process, release management), and decisions (Architecture Decision Records, technology evaluations). Embed documentation into your workflows so it becomes a habit rather than a chore. Include documentation updates in the definition of done for features. Require ADRs for significant technical decisions. Have new hires review documentation during onboarding and flag gaps they find. Schedule periodic review sessions to keep things current. Fight stale documentation actively. Out-of-date documentation is worse than none because it creates false confidence. Assign ownership for each documentation area, set periodic review schedules (quarterly for fast-changing areas), archive outdated content rather than leaving it in place, and set up reminders for documents that have not been reviewed within their cycle. Make documentation easy to find. Good content that nobody can locate is worthless. Implement full-text search, maintain a clear table of contents and navigation structure, cross-link related documents, and use tags or categories for browsing. Measure whether your documentation is working. Track coverage of critical areas (cross-reference with your bus factor assessment), how long it takes people to find information, who is contributing and how often, and what feedback new hires give about documentation quality during onboarding.

Evidence Your Auditor Will Request

  • Internal knowledge base with organised structure
  • Documentation covering critical systems, processes, and decisions
  • Evidence of documentation maintenance (recent updates, review history)
  • Documentation contribution metrics showing team participation
  • Onboarding feedback indicating documentation effectiveness

Common Mistakes

  • No central knowledge base; documentation scattered or non-existent
  • Documentation exists but is severely outdated and misleading
  • Documentation written during initial development but never maintained
  • Only the CTO or one senior engineer contributes to documentation
  • Documentation is write-only; created but never referenced or updated

Related Controls Across Frameworks

Framework Control ID Relationship
ISO 27001 A.5.37 Related

Frequently Asked Questions

Which documentation platform should we use?
The platform matters far less than the practice. Notion is popular with startups for its flexibility. Confluence fits well if you are already in the Jira ecosystem. Docs-as-code with Markdown in Git appeals to engineering teams who want documentation versioned alongside code. Pick whatever your team will actually use and maintain consistently.
How much documentation is enough?
Focus on high-value documentation first: architecture overview, operational runbooks, ADRs for key decisions, an onboarding guide, and a domain glossary. These cover the most common knowledge gaps. Avoid documenting obvious code behaviour. Instead, focus on the why and the how that are not apparent from reading the code itself.

Track Tech Due Diligence compliance in one place

AuditFront helps you manage every Tech Due Diligence control, collect evidence, and stay audit-ready.

Start Free Assessment