
ISO 27001 Documented Operating Procedures: Your Complete FAQ Guide

24/09/2025

Author: Stuart Barker | ISO 27001 Expert and Thought Leader

What is it?

ISO 27001 Documented Operating Procedures are simply step-by-step instructions for tasks that are important for keeping your company’s information secure. Think of them as a recipe for a secure operation. These documents tell you how to do things correctly every time, so there are no mistakes that could lead to a data breach. They’re a core part of an Information Security Management System (ISMS) and they help you prove to auditors that you’re serious about security.

Applicability to Small Businesses, Tech Startups, and AI Companies

Documented Operating Procedures are useful for businesses of all sizes, including small businesses, tech startups, and AI companies.

  • Small Businesses: Even if you’re a small company, you handle sensitive data like customer information or financial records. Procedures help you manage this data safely, protecting your reputation and your customers.
  • Tech Startups: As a startup, you’re growing fast and need to build a strong foundation. Documenting your processes from the start prevents security issues down the line. It’s much easier to do it right the first time than to fix it later.
  • AI Companies: You’re dealing with complex data and algorithms. Procedures are crucial for managing things like data handling, model training, and access control. They ensure your AI systems are secure and your data is protected from misuse.

Are There Templates for These Procedures?

Yes, you can find templates online! Using a template is a great starting point because it gives you a ready-made structure. You can then fill it in with your company’s specific details. This saves you a lot of time and ensures you don’t forget any important parts.

Why Do You Need Them?

You need these procedures to show you’re serious about information security. They help you:

  • Be Compliant: Many laws and regulations (like GDPR) require you to have documented security practices.
  • Prevent Mistakes: They ensure everyone on your team follows the same steps, reducing human error.
  • Pass Audits: When an auditor comes to check your security, these documents are the proof that you’ve thought about and implemented security controls.

When Do You Need Them?

You should start thinking about these procedures as soon as you decide to get ISO 27001 certified. They are a fundamental requirement of the standard. It’s best to write them as you develop your security policies, so they align perfectly with your overall security strategy.

Who Needs to Write and Use These Procedures?

  • Your team: Anyone who handles sensitive information or works with your IT systems needs to follow these procedures. This includes everyone from your IT manager to a new hire in customer support.
  • You (or a designated person): The person responsible for your security (often a Security Officer or IT Manager) needs to lead the effort in writing and maintaining them.

Where Do You Keep These Procedures?

You should store them in a secure, easily accessible location. This could be a shared drive, a company wiki, or a document management system. The key is that they’re available to everyone who needs them, but only to those who are authorised to see them.

How Do You Write Them?

Writing these procedures is easy when you break it down:

  1. Define the Goal: What is the purpose of this procedure? (e.g., “To ensure all new hires have secure access to our systems.”)
  2. List the Steps: Write down each step in a logical order. Be as clear and simple as possible.
  3. Identify Roles: Who is responsible for each step?
  4. Include Details: Add important details like what tools to use, what forms to fill out, and what to do if something goes wrong.

How Do You Implement Them?

Implementation is all about making sure people use the procedures:

  1. Training: Train your staff on the new procedures. Don’t just give them a document; walk them through it.
  2. Communication: Announce new procedures and explain why they’re important.
  3. Review: Regularly review the procedures to make sure they’re still relevant and effective.

Examples of using it for small businesses

A small business might have a procedure for “Securely Backing Up Customer Data.” It would include steps like:

  1. Log in to the backup software.
  2. Select the customer data folder.
  3. Run a full backup.
  4. Verify the backup was successful.
  5. Store the backup in a secure, off-site location.

Examples for Tech Startups

A tech startup might have a procedure for “Onboarding New Employees.” This would include steps like:

  1. Create a secure user account.
  2. Assign the necessary permissions (using the “least privilege” rule).
  3. Provide mandatory security awareness training.
  4. Issue an encrypted laptop.

Examples for AI Companies

An AI company might have a procedure for “Managing Sensitive Training Data.” This procedure would outline:

  1. How to anonymize or pseudonymize data before training.
  2. Who has access to the raw data sets.
  3. How to securely delete data after the project is complete.

How Can an ISO 27001 Toolkit Help?

The ISO 27001 toolkit is a collection of pre-made documents, templates, and guides. It’s like a shortcut to getting certified! It can save you hundreds of hours by providing you with the framework you need to create your own procedures, policies, and records.


Which Other Standards Need These Procedures?

Many information security standards and regulations, like GDPR, HIPAA, and NIST, also require you to have documented procedures. Having your ISO 27001 procedures in place will often help you meet the requirements of these other standards too. It is also applicable to:

  • CCPA (California Consumer Privacy Act)
  • DORA (Digital Operational Resilience Act)
  • NIS2 (Network and Information Security (NIS) Directive)
  • SOC 2 (Service Organisation Control 2)

What are the relevant ISO 27001:2022 controls?

The main ISO 27001 control requirement is ISO 27001:2022 Annex A 5.37 Documented Operating Procedures.

Here are some controls from the latest ISO 27001 standard that are especially relevant for each company type:

For Small Businesses

For Tech Startups

For AI Companies

ISO 27001 Documented Operating Procedures FAQ

Do I need a procedure for everything?

No, just for tasks that are critical to information security.

How long should a procedure be?

As long as it needs to be to get the job done correctly, but keep it simple!

Who approves the procedures?

A senior manager or the person responsible for your ISMS.

How often should I update them?

You should review them at least once a year, or whenever a process changes.

What if my team doesn’t follow the procedures?

This is a red flag! You need to retrain them and explain the importance.

Can I use a flow chart instead of a list?

Yes, a flow chart can often be a great way to visualise a process.

What’s the difference between a policy and a procedure?

A policy says what you will do (“We will protect customer data”), and a procedure says how you will do it (“Here are the steps to back up data”).

Can I use the same procedure for different departments?

Sometimes, but it’s often better to customise them for each department’s specific needs.

Are these documents audited?

Yes, auditors will want to see that you have them and that you’re following them.

Do I need to store old versions?

Yes, it’s good practice to keep a history of your changes.

What if a procedure becomes outdated?

Update it immediately and inform everyone of the change.

Can my team help write them?

Absolutely! They are the ones doing the work, so their input is invaluable.

Is this a lot of work?

It can be, but it’s a critical investment in your company’s security.

Will a template solve all my problems?

A template is a great start, but you still need to customise it to fit your company.

What’s the biggest mistake people make?

Writing the procedures and then never using them!

About the author

Stuart Barker is an information security practitioner with over 30 years of experience. He holds an MSc in Software and Systems Security and an undergraduate degree in Software Engineering. He is an ISO 27001 expert and thought leader holding both ISO 27001 Lead Implementer and ISO 27001 Lead Auditor qualifications. In 2010 he started his first cyber security consulting business, which he sold in 2018. He worked for over a decade for GE, leading a data governance team across Europe, and since then has gone on to deliver hundreds of client engagements and audits.

He regularly mentors and trains professionals on information security and runs a successful ISO 27001 YouTube channel where he shows people how they can implement ISO 27001 themselves. He is passionate that knowledge should not be hoarded and brought to market the first-of-its-kind online ISO 27001 store for all the tools and templates people need when they want to do it themselves.

In his personal life he is active and a hobbyist kickboxer.

His specialisms are ISO 27001 and SOC 2, and his niche is start-up and early-stage businesses.