A Simple Evidence Folder Structure for Small DIB Companies

A consistent folder structure beats ad-hoc folders every time. Here is a simple, ready-to-use evidence folder layout for small DIB teams — free to download.

Structure is the cheapest improvement you can make

Before you buy any tool or write any policy, there is one nearly free improvement available to most small DIB teams: agree on where evidence goes. A consistent folder structure means anyone can file or find an artifact without guessing, evidence stops hiding in personal folders, and onboarding a new person takes minutes instead of an afternoon.

This article shares a simple structure you can copy today. It is generic and educational — a blank starting point you adapt and fill in yourself.

A starting folder layout

Here is a straightforward top-level structure that maps to the kinds of evidence small DIB companies accumulate:

DIB_Evidence_Folder_Structure/
  00_Start_Here/
  01_Contracts_and_Scope/
  02_System_Description/
  03_Access_Control/
  04_MFA/
  05_Asset_Inventory/
  06_User_Access_Reviews/
  07_Backups_and_Recovery/
  08_Incident_Response/
  09_Vendor_Access/
  10_Physical_Security/
  11_Shop_Floor_CUI/
  12_POAM/
  13_Management_Review/

The numbering keeps the folders in a predictable order, and the names are plain enough that anyone — IT, a supervisor, the office manager — knows where something belongs.

What goes in each folder

A one-line description per folder is usually enough to get a team filing consistently:

  • 00_Start_Here — a short read-me explaining how the structure works and who owns what.
  • 01_Contracts_and_Scope — contract references, relevant clauses, and notes on what information you handle and where.
  • 02_System_Description — a plain description of your systems, network, and boundary.
  • 03_Access_Control — account lists, permission records, and access-related settings.
  • 04_MFA — evidence that multi-factor authentication is in place.
  • 05_Asset_Inventory — hardware and software inventories.
  • 06_User_Access_Reviews — dated records of periodic access reviews.
  • 07_Backups_and_Recovery — backup configuration and restore-test records.
  • 08_Incident_Response — your plan, tabletop records, and any incident notes.
  • 09_Vendor_Access — the vendor register, approvals, and session logs.
  • 10_Physical_Security — visitor logs and facility-access records.
  • 11_Shop_Floor_CUI — controlled-print, destruction, and clean-area records.
  • 12_POAM — a tracker for items you have decided to work on, with target dates.
  • 13_Management_Review — notes and sign-offs from periodic management reviews.

A few naming habits that pay off

The structure does most of the work, but a few small conventions keep it tidy:

  • Date your files in a sortable format, such as 2026-06-10_access-review.pdf. Dated files sort themselves and make staleness obvious.
  • Name an owner per folder. Put it right in the 00_Start_Here read-me so responsibility is never ambiguous.
  • Keep one home per artifact. If a record could live in two folders, pick one and note the choice.
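
One way to check a filled-in tree against the layout and naming habits above, as an added example that is not DIBStack's own code. The function names, the issue labels, the 365-day staleness threshold, and the same-file-name test for "one home per artifact" are assumptions made for illustration, and the sample tree is constructed.

```python
import re
import tempfile
from datetime import date
from pathlib import Path

# Top-level folders from the layout in this article.
FOLDERS = ("00_Start_Here 01_Contracts_and_Scope 02_System_Description "
           "03_Access_Control 04_MFA 05_Asset_Inventory 06_User_Access_Reviews "
           "07_Backups_and_Recovery 08_Incident_Response 09_Vendor_Access "
           "10_Physical_Security 11_Shop_Floor_CUI 12_POAM 13_Management_Review").split()
DATED = re.compile(r"^\d{4}-\d{2}-\d{2}_.+")  # e.g. 2026-06-10_access-review.pdf


def audit(root, today, max_age_days=365):  # 365 days is an assumed threshold
    """Return sorted (issue, path) findings for an evidence tree."""
    root, seen = Path(root), set()
    findings = [("missing-folder", f) for f in FOLDERS if not (root / f).is_dir()]
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if rel.split("/")[0] not in FOLDERS:
            findings.append(("outside-structure", rel))
            continue
        if rel.startswith("00_Start_Here/"):
            continue  # the read-me is not dated evidence
        try:
            filed = date.fromisoformat(path.name[:10]) if DATED.match(path.name) else None
        except ValueError:  # looks dated but is not a real calendar date
            filed = None
        if filed is None:
            findings.append(("undated-name", rel))
        elif (today - filed).days > max_age_days:
            findings.append(("stale", rel))
        if path.name in seen:  # heuristic: same file name filed in two folders
            findings.append(("duplicate-home", rel))
        seen.add(path.name)
    return sorted(findings)


def demo():  # audits a constructed sample tree built in a temporary directory
    files = ["00_Start_Here/README.txt", "03_Access_Control/account-list.xlsx",
             "06_User_Access_Reviews/2024-01-15_access-review.pdf",
             "06_User_Access_Reviews/2026-06-10_access-review.pdf",
             "09_Vendor_Access/2026-06-10_access-review.pdf", "scratch/notes.txt"]
    with tempfile.TemporaryDirectory() as tmp:
        for name in FOLDERS[:-1] + ["scratch"]:  # 13_Management_Review left out
            Path(tmp, name).mkdir()
        for rel in files:
            Path(tmp, rel).write_text("constructed sample")
        return audit(tmp, today=date(2026, 6, 30))
```

Point audit() at the real evidence root with today=date.today() to get the same list of findings for your own tree.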

Download the free folder structure

You do not need anything fancy to start — a downloadable, blank version of this structure is available on this page at no cost and with no email required. It is a template you fill in yourself; DIBStack never receives anything you put in it.

When you want more than folders

A folder structure tells you where things go. It does not give you the checklists, workbooks, logs, and templates that fill those folders. When you are ready for the complete, standardized set — the inventories, review templates, trackers, and logs that drop straight into this layout — that is what the DIBStack Evidence Binder provides. It helps you organize evidence; it does not determine whether your organization is compliant.