Skip to content

Document management systems: Examination & certification AC-DMS

TÜV NORD offers testing and certification of document management systems (DML) to ensure audit-proof archiving. We examine technical and organizational aspects to meet legal requirements such as unalterable archiving and process traceability.

Contact us
Hände tippen auf einer Laptop-Tastatur, umgeben von schwebenden digitalen Ordner- und Dokumentensymbolen.

Use PK-DMS for audit-proof archiving of your electronic documents

Users of document management solutions (DMS) are subject to legal requirements for the audit-proof storage of documents. Typical core requirements are unalterable archiving, traceability of process flows and long-term formats. These are often accompanied by questions: Can the paper originals be destroyed after archiving? Does the archiving process run properly and on time? Can an archived document still be reproduced true to the original after 10 years?

TÜV NORD carries out technical and organisational tests and certifications tailored to the respective context in order to answer these and other questions about the revision security of your document management system.

Partial solutions - such as scanning processes or archiving systems - can also be certified, provided that the interfaces and functional delimitations are clearly documented.

What are AC-DMS?

The test criteria for document management solutions (AC-DMS) were developed jointly by the VOI (Association of Organisation and Information Systems) and TÜV NORD. They cover all legal and non-legal requirements for a document management solution.

The focus of the AC-DMS is on the legally compliant and audit-proof handling of digital documents of all kinds. They consider whether a DML fulfils the following criteria:

  • Regularity
  • completeness
  • Immutability
  • Availability and
  • traceability

If necessary, further regulations, guidelines and standards supplement the test basis.

The current, revised 5th edition of the PK-DML from 2019 can be ordered via the VOI website.

Target group for document management certification

Certification in accordance with AC-DMS is particularly suitable for:

  • Companies with a high volume of documents or legal retention obligations (e.g. administration, healthcare, industry) as well as companies that want to document their processes in a legally compliant, transparent and traceable manner
  • DMS software providers who want to build trust and differentiate themselves on the market

The advantages of certification at a glance

  • Increased evidential value of your electronic documents: A tested and certified document management solution (DMS) increases the evidential value of your archived documents.
  • Fulfilment of legal requirements: You comply with the legal requirements for capturing, processing & archiving documents.
  • Improved document management: A AC-DMS audit reveals potential for optimising the document management solution used.
  • Audit-proof documents: You prove that your electronic documents are stored securely and can no longer be changed.

Our services for you

Workshop

In preparation for the AC-DMS audit & certification, we offer a workshop. In this workshop, we present the test requirements to you and carry out an initial assessment of your DML.

Project support & analysis

We would be happy to support you in the audit-proof implementation of your document management system and identify possible optimisation potential for you

Evaluation of existing documentation

Our experts check whether your documentation and/or procedures meet the required test criteria for document management solutions.

Certification

As part of the certification process, we check whether your document management solution fulfils the test requirements. If the TÜV NORD certification body gives you a positive assessment, you will receive the desired certificate from us.

Your path to certified document management

1

Workshop

Presentation of the test requirements and initial assessment of the DMS / pre-assessment

2

Document review

Review & evaluation of the procedural documentation in relation to the selected set of criteria

3

On-site audit

Verification of compliance between the documentation & the DMS in operation

4

Certification

Evaluation of the test report with regard to the implementation of the test requirements. If the assessment is positive: issue of the certificate.

PK-DMS: Frequently Asked Questions

General

A document management system (DMS) is a specialised software solution that enables digital documents to be captured, managed, stored, retrieved and archived in an audit-proof manner. Modern DMS solutions integrate seamlessly into existing business processes and support companies in their digital transformation.

For successful PK-DML certification, DMS software should offer the following functions:

  • Immutable archiving
  • Versioning and logging of changes
  • User and rights management
  • Automated workflows
  • Compliance with retention periods
  • Export to long-term formats (e.g. PDF/A)

These functions are essential for meeting criteria such as traceability, compliance and availability in accordance with PK-DML.

The certification can be applied to all digital document management processes and the associated IT solutions.

Partial solutions can also be certified, e.g. just the scanning process, the management and processing of files and documents, or an archive.

In the case of partial solutions, the interfaces and functional boundaries must be clearly described in the procedural documentation.

If your DMS solution and the capture process meet the requirements for proper, complete and traceable digitisation in accordance with PK-DML and GoBD, paper documents can generally be destroyed after scanning. This is also referred to as ‘replacement scanning’ (BSI TR-03138 Replacement Scanning (RESISCAN)). An audit by TÜV NORD provides you with legal certainty in this regard.

Testing & Certification

It consists of

  • document review
  • an on-site implementation audit lasting several days
  • reporting

and certification.

Time required:

  • Approx. 6 months from project start to certification
  • Depending on the complexity of the solution and the number of sites to be audited

The basis of every PK-DML certification is the procedural documentation, which must clearly demonstrate how the IT solution meets the relevant assessment criteria. The documentation may also refer to other documents containing more detailed information, such as security concepts, process descriptions or work instructions.

A full document review is carried out for initial and recertification audits. During an on-site audit lasting several days, the implementation of the measures described in the documentation is verified.

As part of the surveillance audit, no full document review takes place; approximately 50% of the requirements of the PK-DML are checked on-site. The focus is on changes since the last audit.

The GoBD (Principles for Proper Accounting and the Retention of Digital Records) form a key legal basis for electronic archiving in Germany. A PK-DML audit assesses whether your DMS meets the requirements of the GoBD – for example, through audit-proof storage, logging and comprehensive procedural documentation.

The scope of the audit and certification is determined in consultation with the client; for example, sub-processes or all relevant workflows throughout the document lifecycle may be examined, e.g.:

  • Receipt and capture of documents
  • Classification and indexing
  • Approval and release processes
  • Archiving and access
  • Deletion upon expiry of retention periods

This involves assessing whether these processes are documented, technically secured and implemented in an audit-proof manner.

The certificate is issued by the certification body of TÜV NORD CERT GmbH.

The certificate is valid for three years. Initial certification takes place as part of an initial audit in year 1, followed by one surveillance audit in each of years 2 and 3, during which changes to the initial documentation are reviewed.

The document review comprises a maximum of two rounds, with the second version of the document being eligible for review and certification. The on-site audit comprises a maximum of one round eligible for review and certification.

Why we are a strong partner for you

  • Independence
    Our employees are not subject to any conflicts of interest, as they are not beholden to any product providers, system integrators, shareholders, interest groups or government agencies.
  • Expertise
    With us, you have one of the leading experts in the field of cyber security at your side, certified by the BSI as an IT security service provider for IS audits and penetration tests.
  • International network of experts
    Around the globe: We support you both nationally and internationally. Our global network of experts is at your side for all IT security issues.
  • Industry experience
    Thanks to our many years of experience in a wide range of sectors, we can serve companies from a wide range of industries.
  • Tailored to you
    We focus on customised services - and solutions - that are ideally suited to your current business situation and the goals you have set yourself.

Sie haben Fragen? Wir helfen gerne!

You may also be interested in

Person in Sicherheitskleidung steuert eine Drohne am Wasser, mit einem Strommast im Hintergrund.

IT baseline protection

With ISO 27001 certification based on IT baseline protection, companies and authorities can prove that their level of information security fulfils the requirements of the BSI and is holistically aligned.
Learn more
Gruppe von Personen arbeitet in einem modernen Büro mit Computern und Bildschirmen.

ISO 27001

With an ISO 27001-certified information security management system (ISMS), you can guarantee the availability, confidentiality and integrity of operational information, data and processes
Learn more
Person beugt sich über ein Waschbecken und schöpft Wasser aus einem Wasserhahn.

Critical infrastructures (KRITIS)

Every two years, KRITIS operators must prove that their IT security is state of the art in accordance with Section 8a of the BSI Act. We offer companies various services for providing evidence.
Learn more
Person in Sicherheitskleidung steuert eine Drohne am Wasser, mit einem Strommast im Hintergrund.

Digital health applications

In order for your digital health application to become a health insurance benefit, you must prove that it fulfils certain data protection and data security requirements. TÜVIT supports you in providing proof.
Learn more
Person in Sicherheitskleidung steuert eine Drohne am Wasser, mit einem Strommast im Hintergrund.

Certified video consultation

If video service providers wish to offer their services officially, they must prove that they fulfil the requirements for confidentiality, integrity and availability of personal data as well as information security.
Learn more