What is it?
ISO 27001 Documented Operating Procedures are simply step-by-step instructions for tasks that are important for keeping your company’s information secure. Think of them as a recipe for a secure operation. They tell you how to do things correctly every time, so that the slips that lead to data breaches become far less likely. They’re a core part of an Information Security Management System (ISMS) and they help you prove to auditors that you’re serious about security.
Table of contents
- What is it?
- Applicability to Small Businesses, Tech Startups, and AI Companies
- Are There Templates for These Procedures?
- Why Do You Need Them?
- When Do You Need Them?
- Who Needs to Write and Use These Procedures?
- Where Do You Keep These Procedures?
- How Do You Write Them?
- How Do You Implement Them?
- Examples of using it for small businesses
- Examples for Tech Startups
- Examples for AI Companies
- How Can an ISO 27001 Toolkit Help?
- Which Other Standards Need These Procedures?
- What are the relevant ISO 27001:2022 controls?
- ISO 27001 Documented Operating Procedures FAQ
Applicability to Small Businesses, Tech Startups, and AI Companies
Documented Operating Procedures are useful for businesses of all sizes, including small businesses, tech startups, and AI companies.
- Small Businesses: Even if you’re a small company, you handle sensitive data like customer information or financial records. Procedures help you manage this data safely, protecting your reputation and your customers.
- Tech Startups: As a startup, you’re growing fast and need to build a strong foundation. Documenting your processes from the start prevents security issues down the line. It’s much easier to do it right the first time than to fix it later.
- AI Companies: You’re dealing with complex data and algorithms. Procedures are crucial for managing things like data handling, model training, and access control. They ensure your AI systems are secure and your data is protected from misuse.
Are There Templates for These Procedures?
Yes, you can find templates online! Using a template is a great starting point because it gives you a ready-made structure. You can then fill it in with your company’s specific details. This saves you a lot of time and ensures you don’t forget any important parts.
Why Do You Need Them?
You need these procedures to show you’re serious about information security. They help you:
- Be Compliant: Many laws and regulations (like GDPR) require you to have documented security practices.
- Prevent Mistakes: They ensure everyone on your team follows the same steps, reducing human error.
- Pass Audits: When an auditor comes to check your security, these documents are the proof that you’ve thought about and implemented security controls.
When Do You Need Them?
You should start thinking about these procedures as soon as you decide to get ISO 27001 certified. Annex A 5.37 lists them as a control, and clause 7.5 of the standard requires you to keep the documented information your ISMS needs to operate. It’s best to write them as you develop your security policies, so they align perfectly with your overall security strategy.
Who Needs to Write and Use These Procedures?
- Your team: Anyone who handles sensitive information or works with your IT systems needs to follow these procedures. This includes everyone from your IT manager to a new hire in customer support.
- You (or a designated person): The person responsible for your security (often a Security Officer or IT Manager) needs to lead the effort in writing and maintaining them.
Where Do You Keep These Procedures?
You should store them in a secure, easily accessible location. This could be a shared drive, a company wiki, or a document management system. The key is that they’re available to everyone who needs them, but only to those who are authorised to see them.
How Do You Write Them?
Writing these procedures is easy when you break it down:
- Define the Goal: What is the purpose of this procedure? (e.g., “To ensure all new hires have secure access to our systems.”)
- List the Steps: Write down each step in a logical order. Be as clear and simple as possible.
- Identify Roles: Who is responsible for each step?
- Include Details: Add important details like what tools to use, what forms to fill out, and what to do if something goes wrong.
How Do You Implement Them?
Implementation is all about making sure people use the procedures:
- Training: Train your staff on the new procedures. Don’t just give them a document; walk them through it.
- Communication: Announce new procedures and explain why they’re important.
- Review: Regularly review the procedures to make sure they’re still relevant and effective.
Examples of using it for small businesses
A small business might have a procedure for “Securely Backing Up Customer Data.” It would include steps like:
- Log in to the backup software.
- Select the customer data folder.
- Run a full backup.
- Verify the backup was successful.
- Store the backup in a secure, off-site location.
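Written down as code, the five steps above look like this. This is an added example, not code from the page or from any backup product: it archives the folder, verifies the archive by reading every file back out of it and comparing SHA-256 hashes with the live copies, copies it to an "off-site" location only if that check passed, and writes the evidence record an auditor will ask for. The paths, the sample customer files and the off-site destination (a second local directory standing in for remote storage) are all assumed for the demonstration, and step 1, logging in to the backup software, is left to the operator.

```python
# Added example for the backup procedure above; not the page's own code.
# The "off-site" location is a second local directory standing in for
# remote storage, and all paths and sample files are constructed here.
import hashlib
import json
import shutil
import tarfile
import tempfile
import time
import zlib
from pathlib import Path


def sha256_of_file(path: Path) -> str:
    """Stream the file so a large archive need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source_dir: Path, backup_dir: Path) -> Path:
    """Steps 2-3: archive the selected folder into a uniquely named tar.gz."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    archive = backup_dir / f"customer-data-{time.time_ns()}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source_dir, arcname=source_dir.name)
    return archive


def verify_backup(archive: Path, source_dir: Path) -> bool:
    """Step 4: the archive must open cleanly and every source file must read
    back byte-for-byte (per-file SHA-256 compared with the live copy)."""
    expected = {
        p.relative_to(source_dir.parent).as_posix(): sha256_of_file(p)
        for p in source_dir.rglob("*") if p.is_file()
    }
    seen = {}
    try:
        with tarfile.open(archive, "r:gz") as tar:
            for member in tar.getmembers():
                if member.isfile():
                    data = tar.extractfile(member).read()
                    seen[member.name] = hashlib.sha256(data).hexdigest()
    except (tarfile.TarError, OSError, EOFError, zlib.error):
        return False  # unreadable archive: treated exactly like a missing one
    return seen == expected


def copy_offsite(archive: Path, offsite_dir: Path) -> Path:
    """Step 5: copy to the off-site location and re-hash the copy there, so a
    truncated transfer is caught now rather than on restore day."""
    offsite_dir.mkdir(parents=True, exist_ok=True)
    dest = offsite_dir / archive.name
    shutil.copy2(archive, dest)
    if sha256_of_file(dest) != sha256_of_file(archive):
        raise RuntimeError("off-site copy does not match the local archive")
    return dest


def run_backup_procedure(source_dir: Path, backup_dir: Path, offsite_dir: Path) -> dict:
    """Steps 2-5 in order; returns the evidence record an auditor will ask for.
    Step 1 (logging in to the backup tool) is the operator's action."""
    archive = create_backup(source_dir, backup_dir)
    verified = verify_backup(archive, source_dir)
    record = {"archive": str(archive), "sha256": sha256_of_file(archive),
              "verified": verified, "offsite_copy": None}
    if verified:  # never ship an archive that could not be read back
        record["offsite_copy"] = str(copy_offsite(archive, offsite_dir))
    (backup_dir / (archive.name + ".json")).write_text(json.dumps(record, indent=2))
    return record


def demo() -> dict:
    """Constructed data: two small 'customer' files in a temp dir. Runs the
    procedure, then truncates the archive (an interrupted copy) and re-verifies
    it to show that step 4 really does catch damage."""
    root = Path(tempfile.mkdtemp())
    src = root / "customers"
    src.mkdir()
    (src / "accounts.csv").write_text("id,email\n1,alice@example.com\n")
    (src / "notes.txt").write_text("renewal due in March\n")
    record = run_backup_procedure(src, root / "backups", root / "offsite")

    archive = Path(record["archive"])
    data = archive.read_bytes()
    archive.write_bytes(data[: len(data) // 2])
    record["verified_after_truncation"] = verify_backup(archive, src)
    return record


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The step a written procedure most often leaves vague is step 4. "Verify the backup was successful" should mean something stronger than the tool exiting 0; here it means every file is read back out of the archive and hashed, and the off-site copy is hashed again after transfer, so an interrupted copy or a corrupted archive surfaces at backup time rather than during a restore. For genuinely off-site storage at a third party, encrypt the archive before step 5 so the provider never holds plaintext customer data.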
Examples for Tech Startups
A tech startup might have a procedure for “Onboarding New Employees.” This would include steps like:
- Create a secure user account.
- Assign the necessary permissions (following the principle of least privilege: only the access the role actually needs).
- Provide mandatory security awareness training.
- Issue an encrypted laptop.
Examples for AI Companies
An AI company might have a procedure for “Managing Sensitive Training Data.” This procedure would outline:
- How to anonymize or pseudonymize data before training.
- Who has access to the raw data sets.
- How to securely delete data after the project is complete.
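One way to carry out the first of those three points, as an added example rather than code from the page: keyed pseudonymisation of the identifier columns in a customer export before it reaches the training pipeline. Rows can still be joined on the tokens, the fields with no training value are dropped, and the key (not the data) is what has to be protected. The column names, the sample rows and the key are all constructed for the demonstration.

```python
# Added example, not the page's own code: HMAC-based pseudonymisation of
# identifier columns before training. Field names, sample rows and the key
# are constructed for the demonstration.
import hashlib
import hmac
import secrets

# Direct identifiers that rows still need to be joined on get a keyed token;
# fields with no training value are dropped outright; everything else passes.
TOKENISE = ("customer_id", "email")
DROP = ("name", "phone")


def normalise(value: str) -> str:
    """Same person, same token: trim and lower-case before hashing so
    'Alice@Example.com' and 'alice@example.com ' do not split into two tokens."""
    return value.strip().lower()


def pseudonymise(value: str, field: str, key: bytes) -> str:
    """HMAC-SHA256 over field || 0x00 || value. The field name is mixed in so
    the same string in two columns yields two unrelated tokens, and the key is
    what stops someone holding the dataset from rebuilding the mapping from a
    list of likely emails or sequential customer IDs (plain SHA-256 would not)."""
    msg = field.encode() + b"\x00" + normalise(value).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def prepare_record(record: dict, key: bytes) -> dict:
    out = {}
    for field, value in record.items():
        if field in DROP:
            continue
        out[field] = pseudonymise(str(value), field, key) if field in TOKENISE else value
    return out


def prepare_dataset(records: list, key: bytes) -> list:
    return [prepare_record(r, key) for r in records]


# Constructed sample rows standing in for a raw customer export. Row 3 is the
# same customer as row 1 with the email typed differently.
SAMPLE_RECORDS = [
    {"customer_id": 1001, "name": "Alice Smith", "email": "Alice@Example.com",
     "phone": "+44 7700 900123", "plan": "pro", "churned": 0},
    {"customer_id": 1002, "name": "Bob Jones", "email": "bob@example.org",
     "phone": "+44 7700 900456", "plan": "free", "churned": 1},
    {"customer_id": 1001, "name": "Alice Smith", "email": "alice@example.com ",
     "phone": "+44 7700 900123", "plan": "pro", "churned": 0},
]


def demo() -> dict:
    """Generate a key (in practice a KMS/HSM secret held by the data owner,
    never checked into the training repo) and pseudonymise the sample rows."""
    key = secrets.token_bytes(32)
    return {"key": key, "rows": prepare_dataset(SAMPLE_RECORDS, key)}


if __name__ == "__main__":
    for row in demo()["rows"]:
        print(row)
```

Two caveats the procedure should spell out. Pseudonymised data is still personal data under the GDPR, because whoever holds the key can re-identify it, and the remaining columns (plan, churn, timestamps) can themselves single people out; so the key, the raw export and anyone who holds both belong on the access list in the second point. The key also gives a practical answer to the third point: destroying it (crypto-shredding) leaves the tokens unlinkable, which is often the only realistic "secure deletion" once copies have been replicated into cloud storage or training checkpoints.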
How Can an ISO 27001 Toolkit Help?
The ISO 27001 toolkit is a collection of pre-made documents, templates, and guides. It’s like a shortcut to getting certified! It can save you hundreds of hours by providing you with the framework you need to create your own procedures, policies, and records.
Which Other Standards Need These Procedures?
Many information security standards and regulations, like GDPR, HIPAA and the NIST frameworks (for example the NIST Cybersecurity Framework and SP 800-53), also require you to have documented procedures. Having your ISO 27001 procedures in place will often help you meet the requirements of these other standards too. It is also applicable to:
- CCPA (California Consumer Privacy Act)
- DORA (Digital Operational Resilience Act)
- NIS2 (the second EU Network and Information Security Directive)
- SOC 2 (System and Organization Controls 2)
What are the relevant ISO 27001:2022 controls?
The main ISO 27001 control requirement is ISO 27001:2022 Annex A 5.37 Documented Operating Procedures.
Here are some controls from the latest ISO 27001 standard that are especially relevant for each company type:
For Small Businesses
- ISO 27001:2022 Annex A 8.9: Configuration Management – Managing secure settings for devices
- ISO 27001:2022 Annex A 5.22 Monitoring, Review and Change Management of Supplier Services – Keeping an eye on the services (hosting, SaaS, managed IT) that suppliers run for you
- ISO 27001:2022 Annex A 8.13: Information Backup – Making sure you can recover data
For Tech Startups
- ISO 27001:2022 Annex A 8.1: User Endpoint Device Security – Securing laptops and phones
- ISO 27001:2022 Annex A 8.2: Privileged Access Rights – Limiting powerful access to only those who need it
- ISO 27001:2022 Annex A 8.25: Secure Development Life Cycle – Building security into your software from the start
For AI Companies
- ISO 27001:2022 Annex A 5.10 Acceptable Use Of Information And Other Associated Assets – Defining how employees can use company data
- ISO 27001:2022 Annex A 5.15 Access Control – Controlling who can access your data sets
- ISO 27001:2022 Annex A 5.16 Identity Management – Managing user identities and credentials
ISO 27001 Documented Operating Procedures FAQ
Do I need a documented procedure for every task?
No, just for tasks that are critical to information security.
How long should a procedure be?
As long as it needs to be to get the job done correctly, but keep it simple!
Who should approve the procedures?
A senior manager or the person responsible for your ISMS.
How often should I review them?
You should review them at least once a year, or whenever a process changes.
What if staff are not following a procedure?
This is a red flag! You need to retrain them and explain the importance.
Can a procedure be a flow chart instead of text?
Yes, a flow chart can often be a great way to visualise a process.
What is the difference between a policy and a procedure?
A policy says what you will do (“We will protect customer data”), and a procedure says how you will do it (“Here are the steps to back up data”).
Can one procedure cover every department?
Sometimes, but it’s often better to customise them for each department’s specific needs.
Will auditors check them?
Yes, auditors will want to see that you have them and that you’re following them.
Should I keep old versions?
Yes, it’s good practice to keep a history of your changes.
What should I do if a procedure is out of date?
Update it immediately and inform everyone of the change.
Should I involve the staff who do the work?
Absolutely! They are the ones doing the work, so their input is invaluable.
Is writing procedures time-consuming?
It can be, but it’s a critical investment in your company’s security.
Can I just use a template?
A template is a great start, but you still need to customise it to fit your company.
What is the most common mistake?
Writing the procedures and then never using them!