4. Document Availability for Relevant Personnel Confirmed

Verification Criteria: Procedures are accessible to all intended users at the point of need, while access is restricted for those with no operational requirement. Required Evidence: Permissions report for the SOP repository (e.g. SharePoint or Confluence) showing alignment with the "Need-to-Know" principle.

5. Procedural Change Management Evidence Identified

Verification Criteria: Updates to operating procedures follow a formal review and approval process to ensure technical accuracy and security alignment. Required Evidence: Document version history logs or Change Request tickets linked to specific SOP modifications.

6. Backup and Restoration Playbooks Present

Verification Criteria: Specific operating procedures are documented for the execution of backup cycles and the technical restoration of data from archives. Required Evidence: Backup Schedule documentation and step-by-step Data Restoration Playbooks.

7. Monitoring and Logging Operational Standards Documented

Verification Criteria: Procedures define the specific events to be monitored, the threshold for alerts, and the subsequent manual response required by operations staff. Required Evidence: Security Operations Centre (SOC) Manual or System Monitoring Standard Operating Procedures.

8. Emergency and Out-of-Hours Procedures Validated

Verification Criteria: Operational instructions exist for handling system failures or security events during non-standard hours or emergency conditions. Required Evidence: On-call rotation manuals or Emergency System Handover procedures.

9. Third-Party Service Interaction Procedures Confirmed

Verification Criteria: Procedures define the requirements for interacting with vendor support, including the secure exchange of diagnostic data and remote access granting. Required Evidence: Vendor Management SOP or External Support Escalation Matrix.

10. Periodic Procedural Review Records Verified

Verification Criteria: Operating procedures are reviewed for technical accuracy and relevance at least annually or following significant architectural changes. Required Evidence: Document review logs or timestamped "Verified" status updates within the Document Management System.

ISO 27001 Annex A 5.37 Audit Checklist [+ Templates]

Q: 1. Operational Procedure Inventory Formalised

Verification Criteria: A master index or register identifies all operational tasks requiring documented procedures, specifically those related to system administration and information processing. Required Evidence: Master Document Index (MDI) or Standard Operating Procedure (SOP) Register within the Document Management System.

Q: 2. Procedural Technical Specificity Validated

Verification Criteria: Documented procedures contain granular, step-by-step instructions (including CLI commands, UI navigation paths, or script names) rather than high-level policy statements. Required Evidence: Sampled technical SOPs for system backup, server hardening, or firewall configuration changes.

Q: 3. Information Security Step Integration Verified

Verification Criteria: Mandatory security checkpoints, such as integrity checks, cryptographic verification, or secondary approvals, are embedded directly within the operational workflows. Required Evidence: Annotated operating procedures highlighting integrated security controls and verification stages.

In this ultimate how to audit guide to ISO 27001 Annex A 5.37 Documented operating procedures, you will learn directly from an ISO 27001 Lead Auditor:

10 Key Audit Steps
Verification Criteria
Required Evidence
The Pass / Fail Test

I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.

Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.

1. Operational Procedure Inventory Formalised
2. Procedural Technical Specificity Validated
3. Information Security Step Integration Verified
4. Document Availability for Relevant Personnel Confirmed
5. Procedural Change Management Evidence Identified
6. Backup and Restoration Playbooks Present
7. Monitoring and Logging Operational Standards Documented
8. Emergency and Out-of-Hours Procedures Validated
9. Third-Party Service Interaction Procedures Confirmed
10. Periodic Procedural Review Records Verified

1. Operational Procedure Inventory Formalised

Auditing Documented operating procedures is the technical verification of formal instructions governing information processing activities. The Primary Implementation Requirement mandates granular, step-by-step documentation for all operational tasks, yielding the Business Benefit of consistent security performance, reduced human error, and improved resilience during technical incidents or system failures.

Verification Criteria: A master index or register identifies all operational tasks requiring documented procedures, specifically those related to system administration and information processing.

Required Evidence: Master Document Index (MDI) or Standard Operating Procedure (SOP) Register within the Document Management System.

Pass/Fail Test: If critical operational tasks (e.g. user account provisioning) exist without a corresponding entry in the document inventory, mark as Non-Compliant.

2. Procedural Technical Specificity Validated

Verification Criteria: Documented procedures contain granular, step-by-step instructions (including CLI commands, UI navigation paths, or script names) rather than high-level policy statements.

Required Evidence: Sampled technical SOPs for system backup, server hardening, or firewall configuration changes.

Pass/Fail Test: If the operating procedures only describe “what” should be achieved without detailing the “how” for technical implementation, mark as Non-Compliant.

3. Information Security Step Integration Verified

Verification Criteria: Mandatory security checkpoints, such as integrity checks, cryptographic verification, or secondary approvals, are embedded directly within the operational workflows.

Required Evidence: Annotated operating procedures highlighting integrated security controls and verification stages.

Pass/Fail Test: If a procedure describes a technical operation that intentionally bypasses or omits a mandatory security control defined in the Information Security Policy, mark as Non-Compliant.

READ THE FULL ARTICLE

Access to Business and Consultant Toolkit Members Only.

Get the Toolkit

Members Login

Table of contents

1. Operational Procedure Inventory Formalised

2. Procedural Technical Specificity Validated

3. Information Security Step Integration Verified