ISO 27001 Annex A 5.37 Audit Checklist

Q: 1. Operational Procedure Inventory Formalised

Verification Criteria: A master index or register identifies all operational tasks requiring documented procedures, specifically those related to system administration and information processing. Required Evidence: Master Document Index (MDI) or Standard Operating Procedure (SOP) Register within the Document Management System.

Q: 2. Procedural Technical Specificity Validated

Verification Criteria: Documented procedures contain granular, step-by-step instructions (including CLI commands, UI navigation paths, or script names) rather than high-level policy statements. Required Evidence: Sampled technical SOPs for system backup, server hardening, or firewall configuration changes.

Q: 3. Information Security Step Integration Verified

Verification Criteria: Mandatory security checkpoints, such as integrity checks, cryptographic verification, or secondary approvals, are embedded directly within the operational workflows. Required Evidence: Annotated operating procedures highlighting integrated security controls and verification stages.

Q: 4. Document Availability for Relevant Personnel Confirmed

Verification Criteria: Procedures are accessible to all intended users at the point of need, while access is restricted for those with no operational requirement. Required Evidence: Permissions report for the SOP repository (e.g. SharePoint or Confluence) showing alignment with the "Need-to-Know" principle.

Q: 5. Procedural Change Management Evidence Identified

Verification Criteria: Updates to operating procedures follow a formal review and approval process to ensure technical accuracy and security alignment. Required Evidence: Document version history logs or Change Request tickets linked to specific SOP modifications.

Q: 6. Backup and Restoration Playbooks Present

Verification Criteria: Specific operating procedures are documented for the execution of backup cycles and the technical restoration of data from archives. Required Evidence: Backup Schedule documentation and step-by-step Data Restoration Playbooks.

Q: 7. Monitoring and Logging Operational Standards Documented

Verification Criteria: Procedures define the specific events to be monitored, the threshold for alerts, and the subsequent manual response required by operations staff. Required Evidence: Security Operations Centre (SOC) Manual or System Monitoring Standard Operating Procedures.

Q: 8. Emergency and Out-of-Hours Procedures Validated

Verification Criteria: Operational instructions exist for handling system failures or security events during non-standard hours or emergency conditions. Required Evidence: On-call rotation manuals or Emergency System Handover procedures.

Q: 9. Third-Party Service Interaction Procedures Confirmed

Verification Criteria: Procedures define the requirements for interacting with vendor support, including the secure exchange of diagnostic data and remote access granting. Required Evidence: Vendor Management SOP or External Support Escalation Matrix.

Q: 10. Periodic Procedural Review Records Verified

Verification Criteria: Operating procedures are reviewed for technical accuracy and relevance at least annually or following significant architectural changes. Required Evidence: Document review logs or timestamped "Verified" status updates within the Document Management System.

Auditing Documented operating procedures is the technical verification of formal instructions governing information processing activities. The Primary Implementation Requirement mandates granular, step-by-step documentation for all operational tasks, yielding the Business Benefit of consistent security performance, reduced human error, and improved resilience during technical incidents or system failures.

1. Operational Procedure Inventory Formalised
2. Procedural Technical Specificity Validated
3. Information Security Step Integration Verified
4. Document Availability for Relevant Personnel Confirmed
5. Procedural Change Management Evidence Identified
6. Backup and Restoration Playbooks Present
7. Monitoring and Logging Operational Standards Documented
8. Emergency and Out-of-Hours Procedures Validated
9. Third-Party Service Interaction Procedures Confirmed
10. Periodic Procedural Review Records Verified

1. Operational Procedure Inventory Formalised

Verification Criteria: A master index or register identifies all operational tasks requiring documented procedures, specifically those related to system administration and information processing.

Required Evidence: Master Document Index (MDI) or Standard Operating Procedure (SOP) Register within the Document Management System.

Pass/Fail Test: If critical operational tasks (e.g. user account provisioning) exist without a corresponding entry in the document inventory, mark as Non-Compliant.

2. Procedural Technical Specificity Validated

Verification Criteria: Documented procedures contain granular, step-by-step instructions (including CLI commands, UI navigation paths, or script names) rather than high-level policy statements.

Required Evidence: Sampled technical SOPs for system backup, server hardening, or firewall configuration changes.

Pass/Fail Test: If the operating procedures only describe “what” should be achieved without detailing the “how” for technical implementation, mark as Non-Compliant.

3. Information Security Step Integration Verified

Verification Criteria: Mandatory security checkpoints, such as integrity checks, cryptographic verification, or secondary approvals, are embedded directly within the operational workflows.

Required Evidence: Annotated operating procedures highlighting integrated security controls and verification stages.

Pass/Fail Test: If a procedure describes a technical operation that intentionally bypasses or omits a mandatory security control defined in the Information Security Policy, mark as Non-Compliant.

ISO 27001 TOOLKIT: CONSULTANT EDITION

THE ULTIMATE PROFESSIONALS ISO 27001 TOOLKIT.

ISO 27001 Toolkit: Consultant Edition

DOWNLOAD DEMO

4. Document Availability for Relevant Personnel Confirmed

Verification Criteria: Procedures are accessible to all intended users at the point of need, while access is restricted for those with no operational requirement.

Required Evidence: Permissions report for the SOP repository (e.g. SharePoint or Confluence) showing alignment with the “Need-to-Know” principle.

Pass/Fail Test: If an operational administrator cannot access the required technical instructions to perform their role during an audit walkthrough, mark as Non-Compliant.

5. Procedural Change Management Evidence Identified

Verification Criteria: Updates to operating procedures follow a formal review and approval process to ensure technical accuracy and security alignment.

Required Evidence: Document version history logs or Change Request tickets linked to specific SOP modifications.

Pass/Fail Test: If a procedure has been modified in production without a recorded approval from the designated Process Owner or Security Lead, mark as Non-Compliant.

6. Backup and Restoration Playbooks Present

Verification Criteria: Specific operating procedures are documented for the execution of backup cycles and the technical restoration of data from archives.

Required Evidence: Backup Schedule documentation and step-by-step Data Restoration Playbooks.

Pass/Fail Test: If the organisation relies on “legacy knowledge” or unwritten administrator experience to perform a data restore rather than a documented procedure, mark as Non-Compliant.

7. Monitoring and Logging Operational Standards Documented

Verification Criteria: Procedures define the specific events to be monitored, the threshold for alerts, and the subsequent manual response required by operations staff.

Required Evidence: Security Operations Centre (SOC) Manual or System Monitoring Standard Operating Procedures.

Pass/Fail Test: If logs are being collected but no procedure exists to define how staff must respond to a “Critical” system alert, mark as Non-Compliant.

8. Emergency and Out-of-Hours Procedures Validated

Verification Criteria: Operational instructions exist for handling system failures or security events during non-standard hours or emergency conditions.

Required Evidence: On-call rotation manuals or Emergency System Handover procedures.

Pass/Fail Test: If a technical incident occurring at 3 AM has no documented out-of-hours response or escalation path, mark as Non-Compliant.

9. Third-Party Service Interaction Procedures Confirmed

Verification Criteria: Procedures define the requirements for interacting with vendor support, including the secure exchange of diagnostic data and remote access granting.

Required Evidence: Vendor Management SOP or External Support Escalation Matrix.

Pass/Fail Test: If there is no documented procedure for authenticating a third-party engineer before granting them privileged system access, mark as Non-Compliant.

10. Periodic Procedural Review Records Verified

Verification Criteria: Operating procedures are reviewed for technical accuracy and relevance at least annually or following significant architectural changes.

Required Evidence: Document review logs or timestamped “Verified” status updates within the Document Management System.

Pass/Fail Test: If an operating procedure describes a technical interface or system version that has been decommissioned for over six months, mark as Non-Compliant.

Control Requirement	The ‘Checkbox Compliance’ Trap	The Reality Check
Documented SOPs	GRC platform identifies that a “Policy.pdf” is uploaded to the control.	The auditor must verify the file contains technical “how-to” steps, not just high-level management “intent”.
User Availability	SaaS tool shows the file is “Shared” globally.	Verify “Need-to-Know”. If a standard user can read admin-only restoration playbooks, the control fails on confidentiality.
Technical Accuracy	Tool flags the document as “Current” based on the upload date.	The auditor must witness an administrator follow the SOP. If the UI has changed and the SOP has not, the control is ineffective.
Approval Workflow	GRC tool records a “Manager Approval” click on a dashboard.	Verify the technical competence of the approver. Did they verify CLI commands or simply “rubber stamp” the document?
Training Alignment	Tool shows “User A” watched a training video.	Compare the video content to the SOP. If the training describes a different process than the documented procedure, it is non-compliant.
Emergency Steps	SaaS tool identifies an “Incident Plan” exists.	The auditor must verify that procedures are accessible offline. If the cloud is down, can staff reach the procedures needed to fix it?
Version Control	Tool identifies multiple versions in the history.	Check for “Shadow SOPs”. Verify that staff are not using local Desktop copies of outdated procedures instead of the GRC version.

About the author

Stuart Barker

ISO 27001 Ninja

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
wp_woocommerce_session_*	2 days	WooCommerce sets this cookie to make a unique code for each customer so that it knows where to find the cart data in the database for each one.
yith_wcmcs_currency	7 days	Required for currency conversion.
__stripe_mid	1 year	Stripe sets this cookie to process payments.
__stripe_sid	1 hour	Stripe sets this cookie to process payments.

Cookie	Duration	Description
yt-player-headers-readable	never	The yt-player-headers-readable cookie is used by YouTube to store user preferences related to video playback and interface, enhancing the user's viewing experience.
yt-remote-cast-available	session	The yt-remote-cast-available cookie is used to store the user's preferences regarding whether casting is available on their YouTube video player.
yt-remote-cast-installed	session	The yt-remote-cast-installed cookie is used to store the user's video player preferences using embedded YouTube video.
yt-remote-connected-devices	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-device-id	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-fast-check-period	session	The yt-remote-fast-check-period cookie is used by YouTube to store the user's video player preferences for embedded YouTube videos.
yt-remote-session-app	session	The yt-remote-session-app cookie is used by YouTube to store user preferences and information about the interface of the embedded YouTube video player.
yt-remote-session-name	session	The yt-remote-session-name cookie is used by YouTube to store the user's video player preferences using embedded YouTube video.
ytidb::LAST_RESULT_ENTRY_KEY	never	The cookie ytidb::LAST_RESULT_ENTRY_KEY is used by YouTube to store the last search result entry that was clicked by the user. This information is used to improve the user experience by providing more relevant search results in the future.

Cookie	Duration	Description
sbjs_current	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_current_add	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_first	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_first_add	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_migrations	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_session	1 hour	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_udata	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.

Cookie	Duration	Description
PREF	8 months	PREF cookie is set by Youtube to store user preferences like language, format of search results and other customizations for YouTube Videos embedded in different sites.
VISITOR_INFO1_LIVE	6 months	YouTube sets this cookie to measure bandwidth, determining whether the user gets the new or old player interface.
VISITOR_PRIVACY_METADATA	6 months	YouTube sets this cookie to store the user's cookie consent state for the current domain.
YSC	session	Youtube sets this cookie to track the views of embedded videos on Youtube pages.
yt.innertube::nextId	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.

Cookie	Duration	Description
m	1 year 1 month 4 days	No description available.
_monsterinsights_uj	1 year	Description is currently not available.

Table of contents