Document Control Log Guide

Version history, owners, and review dates for every policy and standard in your SOC 2 program.

document control log template preview (COR-013)
.xlsx COR-013

Document Control and Version Log

Version history, owners, and review dates for every policy and standard in your SOC 2 program.

Get SOC 2 Phase 2 Implementation Kit
How to Fill Out This Document Control and Version Log

Document control log template — Register each COR/SOC policy when published. Auditors sample this log to confirm annual review and version control.

Recommended Owner: Compliance or Security | Doc owners update their rows

What this file is for

Document purpose

Version control for all policies and standards (CC5.3).

In your program: Register every COR/SOC/HR doc when approved; auditors sample this log.

Before you start

Getting Started

  • Enable Editing; start on the Instructions sheet for tab order and version metadata.
  • Use dropdowns only in validated columns; delete gray sample rows before auditor samples.
  • Check Dashboard after data entry — formulas summarize completion and risk.

Document tour

Fill out the file section by section

Work through the sections below in order. Each block matches a heading or tab in the downloaded COR-013 file.

Instructions
  • Document ID must match filename (e.g., COR-007).
  • After editing Instructions, search for `[` placeholders and gray sample names — auditors flag incomplete templates.
Document Register
  • Columns: doc name, version, owner, approval date, next review, status.
  • Link to signed PDF or SharePoint path in evidence column if provided.

Document ID

  • Assign stable Document ID values — never reuse an ID for a different record in the audit period.
  • Cross-reference IDs in related toolkit docs (SOC-021, COR-014, HR-001, etc.).

Document Name

  • Assign stable Document Name values — never reuse an ID for a different record in the audit period.
  • Cross-reference IDs in related toolkit docs (SOC-021, COR-014, HR-001, etc.).

Type

  • Fill Type for every in-scope row on Document Register — use dropdowns where provided.
  • Do not leave cells blank for active records; use N/A with a short reason if truly not applicable.

Owner

  • Name a person (not a team inbox) in Owner — auditors interview control owners.
  • Must match COR-005 org chart or SOC-024 control owner assignments where applicable.

Current Version

  • Fill Current Version for every in-scope row on Document Register — use dropdowns where provided.
  • Do not leave cells blank for active records; use N/A with a short reason if truly not applicable.

Effective Date

  • Use consistent Effective Date format (YYYY-MM-DD) aligned with HRIS, IdP, or LMS exports.
  • Dates must match supporting evidence — auditors compare log timestamps to HR records.

Last Review

  • Use consistent Last Review format (YYYY-MM-DD) aligned with HRIS, IdP, or LMS exports.
  • Dates must match supporting evidence — auditors compare log timestamps to HR records.

Next Review

  • Use consistent Next Review format (YYYY-MM-DD) aligned with HRIS, IdP, or LMS exports.
  • Dates must match supporting evidence — auditors compare log timestamps to HR records.

Status

  • Select Status from the dropdown — free text breaks Dashboard formulas and heatmaps.
  • Update through the lifecycle (Not Started → In Progress → Complete/Closed) before sign-off.

Storage Location

  • Fill Storage Location for every in-scope row on Document Register — use dropdowns where provided.
  • Do not leave cells blank for active records; use N/A with a short reason if truly not applicable.

Approved By

  • Fill Approved By for every in-scope row on Document Register — use dropdowns where provided.
  • Do not leave cells blank for active records; use N/A with a short reason if truly not applicable.

Version

  • Fill Version for every in-scope row on Document Register — use dropdowns where provided.
  • Do not leave cells blank for active records; use N/A with a short reason if truly not applicable.

Change Date

  • Use consistent Change Date format (YYYY-MM-DD) aligned with HRIS, IdP, or LMS exports.
  • Dates must match supporting evidence — auditors compare log timestamps to HR records.

Author

  • Fill Author for every in-scope row on Document Register — use dropdowns where provided.
  • Do not leave cells blank for active records; use N/A with a short reason if truly not applicable.

Change Summary

  • Fill Change Summary for every in-scope row on Document Register — use dropdowns where provided.
  • Do not leave cells blank for active records; use N/A with a short reason if truly not applicable.

Approver

  • Name a person (not a team inbox) in Approver — auditors interview control owners.
  • Must match COR-005 org chart or SOC-024 control owner assignments where applicable.
Version History
  • Log each published version: date, author, summary of change, approval reference.
  • Auditors sample this tab against COR/SOC policy footers and COR-013 register rows.

Document ID

  • Assign stable Document ID values — never reuse an ID for a different record in the audit period.
  • Cross-reference IDs in related toolkit docs (SOC-021, COR-014, HR-001, etc.).

Version

  • Fill Version for every in-scope row on Version History — use dropdowns where provided.
  • Do not leave cells blank for active records; use N/A with a short reason if truly not applicable.

Change Date

  • Use consistent Change Date format (YYYY-MM-DD) aligned with HRIS, IdP, or LMS exports.
  • Dates must match supporting evidence — auditors compare log timestamps to HR records.

Author

  • Fill Author for every in-scope row on Version History — use dropdowns where provided.
  • Do not leave cells blank for active records; use N/A with a short reason if truly not applicable.

Change Summary

  • Fill Change Summary for every in-scope row on Version History — use dropdowns where provided.
  • Do not leave cells blank for active records; use N/A with a short reason if truly not applicable.

Approver

  • Name a person (not a team inbox) in Approver — auditors interview control owners.
  • Must match COR-005 org chart or SOC-024 control owner assignments where applicable.

Evidence Link

  • Fill Evidence Link with a URL, ticket, or export path auditors can open — not a local-only path.
  • Re-verify links before fieldwork; broken evidence links are a common audit finding.

Quality check

Before You Finalize

  • Every published policy has a row with version, owner, review date.
  • No “draft” rows without status — mark deprecated docs inactive.

Evidence

Where to Store It

  • Store the completed file in your compliance evidence folder (signed PDF for policies).
  • Register the document in COR-013 with version, owner, and next review date.
  • Link the file from your evidence index or SOC-005 project plan when you use Phase 3 trackers.

Next Steps

After customizing Document Control and Version Log:

  1. 1Complete the file: Finish every section or tab in COR-013.
  2. 2Register: Add version and owner to COR-013.
  3. 3Operationalize: Train owners listed in the document.
  4. 4Evidence: Keep exports auditors can sample during fieldwork.
Get SOC 2 Phase 2 Implementation Kit See what’s included