
ISO27001:2022 - A5.37 – Documented operating procedures

ISO27001 isn’t always clear about what it expects, and the name of a control can often be confusing. That isn’t the case with this control: documented operating procedures are clearly necessary, but what in fact do you need to put in place?


What does the standard require?

The standard states that “Operating procedures for information processing facilities shall be documented and made available to personnel who need them.” (A5.37 – Documented operating procedures).


Note that it talks of processing facilities, so this is not just technical infrastructure we’re looking for. It could include processes related to your physical premises too.


Why is this required?

If having ISO27001 is about doing the right things, having documented operating procedures is about doing the right things, consistently.


Without documented procedures, you’re at the whim of the person carrying out the task. For example, when configuring a new laptop, how can you be certain that all the requisite security software and controls are implemented if two or three different people are doing the task?


Without documented procedures, the outcome or output of a process will be inconsistent, which can lead to failures or breaches.


What the auditor is looking for

It’s important to say here that the auditor isn’t looking for documented procedures for everything you do; this isn’t an ISO9001 audit. But they will want to see procedures related to information security. For example, you might look to have the following procedures documented:


  • Back-up procedures
  • Patch management
  • Vulnerability assessments and penetration tests
  • Logging and monitoring
  • Auditing
  • Destruction of media
  • Configuration of hardware and software
  • Allocation of keys and access to premises
  • Maintenance of the HVAC system
  • Maintenance of fire alarms
  • Due diligence related to suppliers and vendors


Some or all of the above may be relevant to you, but you need to consider what procedures exist in your business, and then document them to a level where someone in your business can follow them.


What do you need to do?

As stated above, you need to consider which procedures carried out in your business are ones whose execution you need confidence in. Are you comfortable that patch management is applied in a uniform way? What about the onboarding process? It doesn’t all have to be technical in nature, as there may be other processes that you need to document, such as the supplier management process. As the control is focused on processing facilities, your operating procedures could also include details on how to test the fire or intruder alarms.


Speak to the person responsible for each of these processes, ask them to talk you through the steps, and document each step in the process.


The documentation you create should be relevant and detailed enough that someone unfamiliar with the process can follow it. You don’t have to document the process in a lengthy Word document. If you prefer, you might develop process maps that are easier for your teams to follow.


Q & A

How many procedures do I need?

Again, this depends on the size and complexity of your business. What you are looking for are procedures that provide you (and the business) with confidence that the process will be carried out correctly and consistently, no matter who carries it out. Take a look at the list above and start there. If there are other processes that you need, then consider adding these at a later point.


Difficulty rating

We rate this a 2 out of 5 for difficulty. Although this control is not technically challenging, you are going to need to speak to your business about these core processes and ask searching questions about the procedures they’re describing. It is therefore easier if you have some technical understanding and skills, so that you can validate their statements and the process before committing it to paper.


More questions?

Remember that nothing in ISO27001 sits in isolation, so you should review our FAQ to find answers on other aspects of the standard. Follow the links in this control to see its relationship to other controls, but if you’re still confused about this control, then please get in touch.


For information on how to implement ISO27001, you might like to consider buying our book “The Real Easy Guide to ISO27001”, which is available on Amazon.

