What is it?
ISO 27001 Annex A 5.37 is the control that requires you to document your operating processes and procedures. A documented operating procedure is a written set of instructions that tells the person performing a task how to do it correctly and securely. Think of it as a recipe for a specific process: it ensures everyone does the task the same way every time, so the information that process handles stays protected. It also gives you evidence that your company takes information security seriously.
Table of contents
- What is it?
- Why is it important?
- What is the definition in the standard?
- How do you implement it?
- Why do you need it?
- Who needs it?
- When do you document procedures?
- How do you write procedures?
- What do you document?
- When do you update procedures?
- How does this apply to Small Businesses, Tech Startups, and AI Companies?
- How can the ISO 27001 toolkit help?
- What Information Security Standards Need These?
- What are the relevant ISO 27001:2022 controls?
- ISO 27001 Annex A 5.37 FAQ
- Further Reading
- Matrix of ISO 27001 Controls and Attribute values
Why is it important?
The purpose of ISO 27001 Annex A 5.37 Documented Operating Procedures is to ensure the correct and secure operation of information processing facilities. It is about process maturity: a documented process is repeatable, and if it is repeated the results are consistent. The control is not saying you are not already doing the work. It is saying, document it.
What is the definition in the standard?
The ISO 27001 standard defines ISO 27001 Annex A 5.37 Documented Operating Procedures as:
Operating procedures for information processing facilities should be documented and made available to personnel who need them.
ISO 27001:2022 Annex A 5.37
How do you implement it?
The headline guidance is: document all of your processes and procedures, to a level of detail that is appropriate to your organisation. Also consider documenting common exception steps, that is, what to do when the process does not go as intended.
Why do you need it?
You need these procedures for a few important reasons:
- Consistency: They make sure everyone follows the same security rules.
- Clarity: They help you understand exactly what you need to do to stay secure.
- Compliance: They show auditors you have a solid plan for information security.
- Accountability: They make it clear who is responsible for each security task.
- Training: They are a great tool for training new staff on your security policies.
Who needs it?
If you’re aiming for ISO 27001 certification, you’ll definitely need these. This applies to any company, no matter the size or industry, that wants to prove its commitment to data security.
When do you document procedures?
You need to start creating these procedures during the planning and implementation phase of your ISO 27001 Information Security Management System (ISMS). They’re a core part of building a robust security framework.
The standard's implementation guidance gives examples of when a procedure should be documented:
- when the activity is performed by many people and needs to be done in the same way
- when it is performed rarely and may be forgotten by the time it is needed again
- when it is new and creates a risk if it is not done correctly
- before responsibility for the activity is handed over to someone else
How do you write procedures?
Writing these procedures is a team effort. You should:
- Keep it simple: Use plain language that anyone can understand.
- Define the purpose: Explain why this procedure is important.
- List the steps: Break down the task into clear, numbered steps.
- Assign responsibilities: Make it clear who does what.
- Get it approved: Have the right people sign off on the procedure.
What do you document?
Document every process you run for information security. The standard provides a list of example topics, which are essentially the operational processes and procedures the rest of the standard calls for. Treat the following as the bare minimum:
- document secure installation and configuration of systems
- document processing and handling of information, including both manual and automated methods
- document backups and resilience
- document scheduling requirements
- document interdependencies between systems
- document instructions for handling errors
- document support and escalation contacts
- document storage media handling
- document restart and recovery procedures
- document the management of audit logs, system logs, video monitoring, audit trails
- document capacity management
- document maintenance
When do you update procedures?
Review and update procedures as needed, and at least annually. The standard itself does not set a frequency, but auditors expect a defined review cycle and will pick up on procedures that have not been looked at in a year.
When you change a procedure, the change needs to be authorised, and you need evidence (for example an approval record with a name and date) that the authorisation took place before the changed procedure went into use.
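The points in "How do you write procedures?" (purpose, numbered steps, assigned responsibilities, approval) and "When do you update procedures?" (annual review, authorised changes with evidence) can be checked mechanically if you keep your procedures as structured documents. The following is an added example, not code from the original page or from any toolkit it mentions: a small Python checker that applies those rules to procedure records. The field names, the two sample procedures and the 365-day review cycle are all assumptions constructed for the illustration.

```python
"""Check procedure records against the writing and review rules described above.

Added example, not part of the original page. Field names (id, title, purpose,
owner, steps, last_changed, approved_by, approved_on, last_reviewed) and the
365-day review interval are assumptions; adapt them to your own ISMS.
"""
from __future__ import annotations

from datetime import date, timedelta

REVIEW_INTERVAL = timedelta(days=365)  # assumed: review at least annually
REQUIRED_FIELDS = ("id", "title", "purpose", "owner", "steps",
                   "last_changed", "approved_by", "approved_on", "last_reviewed")
TODAY = date(2025, 6, 1)  # fixed "today" so the sample run is reproducible


def check_procedure(proc: dict, today: date) -> list[str]:
    """Return the findings for one procedure record (an empty list means it passes)."""
    findings: list[str] = []
    for name in REQUIRED_FIELDS:
        if proc.get(name) in (None, "", []):
            findings.append(f"missing field: {name}")
    if findings:
        return findings  # dates and steps cannot be checked without the fields

    # Steps must be concrete actions, each with a responsible role.
    for n, step in enumerate(proc["steps"], start=1):
        if not step.get("action", "").strip():
            findings.append(f"step {n}: no action text")
        if not step.get("role", "").strip():
            findings.append(f"step {n}: no responsible role assigned")

    # A change must be authorised: the approval evidence must postdate the change.
    if proc["approved_on"] < proc["last_changed"]:
        findings.append(f"change on {proc['last_changed']} not covered by approval "
                        f"(last approval {proc['approved_on']})")

    # Review at least once per interval.
    if today - proc["last_reviewed"] > REVIEW_INTERVAL:
        findings.append(f"review overdue (last reviewed {proc['last_reviewed']})")
    return findings


def report(procedures: list[dict], today: date) -> dict[str, list[str]]:
    """Map procedure id to its findings; procedures with no findings are omitted."""
    out: dict[str, list[str]] = {}
    for proc in procedures:
        findings = check_procedure(proc, today)
        if findings:
            out[proc.get("id", "<no id>")] = findings
    return out


# Constructed sample data: one well-kept procedure and one with problems.
SAMPLE_PROCEDURES = [
    {
        "id": "OP-007",
        "title": "Restore a database from backup",
        "purpose": "Recover service after data loss without exposing backup media.",
        "owner": "Head of Platform",
        "steps": [
            {"action": "Confirm the restore request is authorised by the data owner", "role": "On-call engineer"},
            {"action": "Retrieve the latest verified backup from the encrypted store", "role": "On-call engineer"},
            {"action": "Restore to the staging instance and validate checksums", "role": "DBA"},
            {"action": "Record the outcome in the incident ticket", "role": "On-call engineer"},
        ],
        "last_changed": date(2024, 2, 1),
        "approved_by": "CISO",
        "approved_on": date(2024, 2, 5),
        "last_reviewed": date(2024, 11, 1),
    },
    {
        "id": "OP-012",
        "title": "Rotate the TLS certificate on the edge proxy",
        "purpose": "Keep the public endpoint's certificate valid.",
        "owner": "Platform team",
        "steps": [
            {"action": "Generate a new key pair and CSR on the proxy host", "role": "Platform engineer"},
            {"action": "Install the issued certificate and reload the proxy", "role": ""},
        ],
        "last_changed": date(2025, 3, 10),
        "approved_by": "Platform lead",
        "approved_on": date(2024, 6, 1),   # approval predates the latest change
        "last_reviewed": date(2023, 12, 1),  # more than a year ago
    },
]


def audit_samples(today: date = TODAY) -> dict[str, list[str]]:
    """Run the checker over the constructed samples."""
    return report(SAMPLE_PROCEDURES, today)


if __name__ == "__main__":
    for proc_id, findings in audit_samples().items():
        print(proc_id)
        for finding in findings:
            print("  -", finding)
```

Run as-is, the well-kept OP-007 produces no findings, while OP-012 is flagged on three counts: a step with no assigned role, a change that was never re-approved, and an overdue review. Keeping the records in version control gives you the change history an auditor will ask about; the approval evidence itself (who signed off, and when) still has to come from your change process.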
How does this apply to Small Businesses, Tech Startups, and AI Companies?
- Small Businesses: You can use simple procedures for things like data backup, protecting customer information, and handling employee access.
- Tech Startups: For you, it’s all about securing your code, customer data, and intellectual property. Procedures for secure development and handling sensitive data are key.
- AI Companies: You’re dealing with huge amounts of data. You’ll need procedures for data handling, privacy, and ensuring your AI models are secure and fair.
How can the ISO 27001 toolkit help?
The ISO 27001 toolkit is a collection of pre-made documents, templates, and guides. It’s like a shortcut to getting certified! It can save you hundreds of hours by providing you with the framework you need to create your own procedures, policies, and records.
What Information Security Standards Need These?
The main standard that requires these procedures is, of course, ISO 27001. However, having good documentation is also a best practice for other security frameworks like NIST and SOC 2.
What are the relevant ISO 27001:2022 controls?
- ISO 27001 Operational Planning and Control: Clause 8.1
- ISO 27001 Information Security Incident Management Planning and Preparation: Annex A 5.24
ISO 27001 Annex A 5.37 FAQ
No, just for the things that are important to your information security.
Sometimes, but a detailed procedure is better for complex tasks.
Try to break it down into smaller, easier-to-read sections.
At least once a year, or whenever something changes in your process.
No, it should be a team effort involving people from different parts of your company.
A policy is the “what,” and a procedure is the “how.”
It’s a big part of it, but you also need to train your people and use the right tools.
You can create simpler, more concise procedures.
Not necessarily, but it can make the process faster and easier.
They’ll want to see your documents and talk to your team about how you follow them.
You need to have a plan for what happens, like retraining or a discussion.
No, but digital documents are easier to manage and update.
Make them easy to access and hold regular training sessions.
Yes, good procedures for ISO 27001 will also help you meet requirements for other regulations.
Further Reading
How To Implement ISO 27001: A Step By Step Guide
ISO 27001 Change Management Policy Beginner’s Guide
ISO 27001 Logging and Monitoring Policy Beginner’s Guide
Matrix of ISO 27001 Controls and Attribute values
| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
|---|---|---|---|---|
| Preventive | Confidentiality | Protect | Asset management | Governance and ecosystem |
| Corrective | Integrity | Recover | Physical security | Protection |
| | Availability | | System and network security | Defence |
| | | | Application security | |
| | | | Secure configuration | |
| | | | Identity and access management | |
| | | | Threat and vulnerability management | |
| | | | Continuity | |
| | | | Information security event management | |