Documented Operating Procedures - ISO 27001 Annex A Control

ISO 27001 Annex A 5.37

Documented procedures keep operations consistent when people change.

ISO 27001 Annex A 5.37 - Documented Operating Procedures

Information security depends on consistent operations. Patches need to be applied the same way every month. Backups need to follow the same routine. Access changes need to go through the same approval. Without documented procedures, operations rely on the memory of whoever is doing the work, which is fragile and falls apart when people change roles or leave.

The procedures need to cover the activities that affect information security. Typical examples include change management, patching and updates, backup and restore, incident response, user account administration, system monitoring, and the day-to-day administration of key systems. Each procedure should be detailed enough that someone with the right competence can follow it without needing to ask the original author.

The procedures need to be available to the people who need them. That means stored where the operations team can find them, version-controlled so the current version is clear, and reviewed periodically to make sure they still reflect current practice. Procedures that have not been updated in five years are usually wrong in places that matter.

The audit test for documented operating procedures is whether someone new to the team could follow them. If the procedure is half a page of vague references to "the usual thing" and assumes the reader already knows what that is, the procedure is not really documented. If it walks through the steps in enough detail that a competent person who has not done it before could complete it, the procedure is doing its job.

Practical Compliance Guidance

Operating procedures are managed under the documented information arrangements in the IMS1 Manual at section 7.5 and the wider operations described at section 8. The document register holds the list of controlled procedures.

alphaZ document - How to use it

ISO 27001 Toolkit - The full alphaZ ISO 27001 toolkit including the IMS1 Manual, policies, procedures, registers and audit checklists.
F-IMS20 Document Register - The document register holding the master list of controlled documents, including operating procedures. Use it to track procedure ownership, version, status and review cycle.
PP-8-100 Information Security Policy Procedure - This information security policy-procedure includes all topic-specific information security policies required by the ISO 27001 standard.
PP-0-0 Policy Procedure Blank Template - The blank policy-procedure template can be used for setting up new policy-procedures.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

Which operating procedures need to be documented?
Any operating procedure that affects information security and needs to be performed consistently. Typical examples include change management, patching and updates, backup and restore, incident response, user account administration, system monitoring and the routine administration of key business systems. The list should be tailored to the organisation.

How detailed do the procedures need to be?
Detailed enough that someone with the right competence could follow them without needing to ask the original author. Procedures aimed at experienced administrators can assume some technical knowledge. Procedures that may be followed by less experienced staff, or as part of business continuity, may need more step-by-step detail.

How often should operating procedures be reviewed?
At planned intervals as set in the document control arrangements, plus whenever significant changes to the underlying systems or processes occur. Annual review is common as a baseline, with more frequent review for procedures supporting fast-changing technology.
