diff --git a/examples/baseline-resources/README.md b/examples/baseline-resources/README.md
index b5137ae..7a1e048 100644
--- a/examples/baseline-resources/README.md
+++ b/examples/baseline-resources/README.md
@@ -6,4 +6,7 @@
 - enable guardduty
 - enable securityhub
 - disable s3 public access
-- require EBS encryption
\ No newline at end of file
+- require EBS encryption
+
+## If AWS organisation is in use
+If you are using AWS organisation, setup delegated admin for guardduty and securityhub. This allows centralised management.
diff --git a/examples/baseline-resources/main.tf b/examples/baseline-resources/main.tf
index 03daade..0572c7c 100644
--- a/examples/baseline-resources/main.tf
+++ b/examples/baseline-resources/main.tf
@@ -20,20 +20,28 @@ module "delete-default-vpcs" {
 }
 module "enable-aws-config" {
-# enable aws config in all regions
+# enable aws config in all regions and setup aggregation
 source = "../../modules/security_identity_compliance/aws_config"
 resource-prefix = local.resource-prefix
 default-tags = local.default-tags
 }
 module "enable-guardduty" {
-# enable guardduty
+/* enable guardduty
+If you are using AWS organisation, GD delegated admin should be configured
+on the landing zone security account. This allows centralised management.
+See https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_settingup.html
+*/
 source = "../../modules/security_identity_compliance/guardduty"
 default-tags = local.default-tags
 }
 module "enable-securityhub" {
-# enable security hub
+/* enable security hub
+If you are using AWS organisation, SH deleted admin should be configured
+on the landing zone security account. This allows centralised management.
+https://docs.aws.amazon.com/securityhub/latest/userguide/designate-orgs-admin-account.html
+*/
 source = "../../modules/security_identity_compliance/security_hub"
 }
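Review bot: The new comment in the `enable-securityhub` module says `SH deleted admin should be configured`, which reads as a typo for `SH delegated admin should be configured` and is inconsistent with the guardduty comment and the README wording in the same commit. The `enable-aws-config` comment now claims `and setup aggregation` while the module call itself is unchanged in this hunk, so that is only true if the referenced module performs aggregation internally; worth confirming before the comment is relied on. Both delegated-admin comments describe a prerequisite that this example does not apply, so I would make that explicit, e.g. `# NOTE: delegated admin is not configured by this example; enable it on the security account before applying.`, so a reader does not assume central management is in place after a plain apply.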