
How to Implement ISO 27001 Annex A 5.37 Documented Operating Procedures

In this how-to guide to implementing ISO 27001 Annex A 5.37 Documented Operating Procedures, you will learn directly from an ISO 27001 Lead Auditor:

  • The requirement of the control
  • The required implementation steps
  • The minimum requirement

I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.

Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.

Implementing ISO 27001 Annex A 5.37 is an operational mandate: IT procedures must be standardised and written down so that systems are operated consistently and knowledge does not leave with the people who hold it. The control calls for detailed runbooks covering activities such as system start-up and shut-down, backup and recovery, and routine maintenance. The business benefit is resilient operations and reduced dependence on individual key personnel.

ISO 27001 Annex A Documented Operating Procedures Implementation Checklist

Use this implementation checklist to achieve compliance with ISO 27001 Annex A 5.37. This control requires the creation of detailed, step-by-step instructions for the correct and secure operation of information processing facilities, ensuring that critical technical knowledge is not lost with staff turnover.

1. Identify Critical Operational Tasks

Control Requirement: Determine which activities are essential for the continuous operation of systems.

Required Implementation Step: Audit the daily, weekly, and monthly routine of your SysAdmin and DevOps teams. List every task required to “keep the lights on”, such as server patching, log review, backup and restore testing, database index maintenance, and certificate renewal. Do not assume knowledge; if a task exists only in a senior engineer’s head, it must be extracted and written down.

Minimum Requirement: A prioritised list of at least 20 critical maintenance and operational tasks requiring documentation.

2. Standardise the Runbook Format

Control Requirement: Ensure procedures are consistent and easy to follow.

Required Implementation Step: Do not keep runbooks as stand-alone Word documents. Create a standardised Markdown or Confluence template for “Runbooks”. It must include: Prerequisite Access (the specific role or account needed, not simply “admin”), Estimated Time, Step-by-Step Commands, Expected Output for each step, and Rollback Steps. Treat documentation as code, living where the engineers work and under the same version control and review, so every change to a procedure is attributable and approved.

Minimum Requirement: A standard Runbook template applied across the engineering department.

3. Document System Start-up and Shut-down

Control Requirement: Define the correct sequence for booting and stopping complex systems.

Required Implementation Step: Document the exact dependency order for restarting your infrastructure (e.g., “Database must be healthy before API Gateway is started”), and the reverse order for a controlled shut-down. For each step include the specific CLI commands or AWS Console actions, what “healthy” means (a passing health check or successful query, not merely a running process), and what to do if the check fails. This is critical in disaster recovery situations, where standard automation may itself have failed and a person has to run the sequence by hand.

Minimum Requirement: Tested start/stop procedures for the primary production environment.
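The following is an added illustration for steps 2 and 3 above, not code from the ISO 27001 standard or from the author’s toolkit. It shows how the runbook fields described in step 2 (commands, expected output, rollback) and the dependency ordering of step 3 can be encoded and tested rather than only written in prose: a service dependency map drives the start order, shut-down is its reverse, each service must pass a health check before the next one starts, and a failed check rolls back everything already started. The service names, dependency map and the start/stop/health callables are constructed placeholders standing in for the real CLI commands or console actions a runbook would list.

```python
"""Dependency-ordered start-up and shut-down with health checks and rollback.

Added example for this page, not code from the ISO 27001 standard or the
author's toolkit. Service names, the dependency map and the start/stop/health
callables are constructed placeholders for the real commands a runbook lists.
"""
from collections import deque
from typing import Callable, Dict, List, Optional, Tuple

# Constructed dependency map: each service lists what must be healthy before
# it is started. It encodes the page's example ("database must be healthy
# before API Gateway is started") plus a cache and a front end.
DEPENDENCIES: Dict[str, List[str]] = {
    "database": [],
    "cache": [],
    "api-gateway": ["database", "cache"],
    "web-frontend": ["api-gateway"],
}


def start_order(deps: Dict[str, List[str]]) -> List[str]:
    """Return a start sequence that respects every dependency (Kahn's algorithm).

    A cycle or an undeclared dependency raises ValueError: in a runbook that
    means the documented order cannot actually be executed and must be fixed.
    """
    for svc, needs in deps.items():
        for need in needs:
            if need not in deps:
                raise ValueError(f"{svc!r} depends on undeclared service {need!r}")
    remaining = {svc: set(needs) for svc, needs in deps.items()}
    dependents: Dict[str, List[str]] = {svc: [] for svc in deps}
    for svc, needs in deps.items():
        for need in needs:
            dependents[need].append(svc)
    # Services with no unmet dependencies may start first; sorted for a stable order.
    ready = deque(sorted(svc for svc, needs in remaining.items() if not needs))
    order: List[str] = []
    while ready:
        svc = ready.popleft()
        order.append(svc)
        for dep in sorted(dependents[svc]):
            remaining[dep].discard(svc)
            if not remaining[dep]:
                ready.append(dep)
    if len(order) != len(deps):
        stuck = sorted(set(deps) - set(order))
        raise ValueError(f"dependency cycle involving {stuck}")
    return order


def stop_order(deps: Dict[str, List[str]]) -> List[str]:
    """Controlled shut-down is the exact reverse of start-up: dependents go first."""
    return list(reversed(start_order(deps)))


def run_startup(deps: Dict[str, List[str]],
                start: Callable[[str], None],
                stop: Callable[[str], None],
                healthy: Callable[[str], bool],
                attempts: int = 3) -> dict:
    """Start services in dependency order, confirming health before moving on.

    If a service never reports healthy within `attempts` checks, everything
    already started is stopped again in reverse order (the runbook's rollback
    step) so the environment is not left half up.
    """
    started: List[str] = []
    for svc in start_order(deps):
        start(svc)
        if not any(healthy(svc) for _ in range(attempts)):
            rolled_back = list(reversed(started))
            for prev in rolled_back:
                stop(prev)
            return {"ok": False, "failed": svc, "started": started,
                    "rolled_back": rolled_back}
        started.append(svc)
    return {"ok": True, "failed": None, "started": started, "rolled_back": []}


def simulate(fail_service: Optional[str] = None) -> Tuple[dict, List[str]]:
    """Dry run with recording stubs in place of real commands (constructed).

    `fail_service` names a service whose health check never passes, to
    exercise the rollback path. Returns (result, action_log).
    """
    log: List[str] = []

    def start(svc: str) -> None:
        log.append(f"start {svc}")

    def stop(svc: str) -> None:
        log.append(f"stop {svc}")

    def healthy(svc: str) -> bool:
        log.append(f"health {svc}")
        return svc != fail_service

    result = run_startup(DEPENDENCIES, start, stop, healthy)
    return result, log


if __name__ == "__main__":
    print("start order:", start_order(DEPENDENCIES))
    print("stop order: ", stop_order(DEPENDENCIES))
    result, log = simulate(fail_service="api-gateway")
    print(result)
    print("\n".join(log))
```

Run as-is to see the derived start and stop sequences, then the failure path: the constructed `api-gateway` health check fails three times and the database and cache are stopped again in reverse order. The same structure maps directly onto a written runbook: the dependency map is the “order” section, the health callable is the “expected output” for each step, and the reverse-order stop is the rollback section, so the document and the procedure cannot silently drift apart.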
