ISO 27001 Annex A 5.37: Documented Operating Procedures

In this guide, I will show you exactly how to implement ISO 27001 Annex A 5.37 and ensure you pass your audit. You will get a complete walkthrough of the control, practical implementation examples, and access to the ISO 27001 templates and toolkit that make compliance easy.

I am Stuart Barker, an ISO 27001 Lead Auditor with over 30 years of experience conducting hundreds of audits. I will cut through the jargon to show you exactly what changed in the 2022 update and provide you with plain-English advice to get you certified.

Key Takeaways: ISO 27001 Annex A 5.37 Documented Operating Procedures

ISO 27001 Annex A 5.37 is a control that requires organizations to create, maintain, and follow detailed written instructions for all information security tasks. Its primary goal is to minimise the risk of human error and ensure that critical security processes, like backups and system updates, are performed consistently regardless of who is doing the work.

Core requirements for compliance include:

Standard Operating Procedures (SOPs): You must document “recipes” for critical tasks (e.g., user offboarding, patch management, and error handling).
Accessibility: Procedures must be readily available to the specific staff members who need them; they cannot be hidden in a generic policy folder.
Change Management: Documents must be treated as living records. They require review (at least annually) and must be updated whenever systems change.
Audit Verification: Auditors will test that these documents are not just written, but actively used and accurate to the current technical environment.

Essential SOP Checklist

Procedure Name	Audit Priority	Compliance Justification	ISO 27001:2022 Control
New User Setup	High	Enforces the principle of least privilege during account provisioning.	5.18 (Access rights)
Leaver Process	Critical	Ensures immediate revocation of logical and physical access rights.	6.5 (Termination responsibilities)
Backup & Restore	Critical	Verifies data availability through mandatory restoration testing.	8.13 (Information backup)
Patch Management	High	Standardises the identification and remediation of technical vulnerabilities.	8.8 (Technical vulnerabilities)
Antivirus Response	Medium	Codifies the technical response to malware alerts and endpoint threats.	8.7 (Protection against malware)
Change Management	High	Ensures formal approval and impact assessment for system modifications.	8.32 (Change management)

Understanding Control 5.37: The Cornerstone of a Mature ISMS
Why Documented Operating Procedures are Crucial
Applicability for Modern Businesses
ISO 27100 Annex A 5.37 Implementation Guide
How to implement ISO 27001 Annex A 5.37
What an ISO 27001 Auditor Will Look For
- Audit Readiness Checklist
Top 3 Common Mistakes to Avoid
Information Security Standards that need ISO 27001 Annex A 5.37
Fast Track ISO 27001 Annex A 5.37 Compliance with the ISO 27001 Toolkit
ISO 27001 Annex A 5.37 FAQ
Relevant ISO 27001:2022 controls
Further Reading
Matrix of ISO 27001 Controls and Attribute values

Understanding Control 5.37: The Cornerstone of a Mature ISMS

Moving from ad-hoc, informal processes to a structured, documented framework is a critical step in maturing an organization’s security posture. Control 5.37 provides the framework for this essential transition, transforming tribal knowledge into a durable corporate asset.

The official requirement of ISO 27001:2022 Annex A 5.37 states:

“Operating procedures for information processing facilities should be documented and made available to personnel who need them.”

The core purpose is to create a repeatable operational environment. This removes ambiguity and reliance on individual memory, a crucial factor for scalable security.

Evolution: 2013 vs 2022

The current version (ISO 27001:2022) is an evolution of the previous Control 12.1.1. While the 2013 version focused heavily on specific technical IT functions (like backups and startup procedures), the 2022 update expands the scope to cover all generalized operational activities related to information security.

Watch the ISO 27001 Annex A 5.37 Tutorial

In this video I show you how to implement ISO 27001 Annex A 5.37 and how to pass the audit.

ISO 27001 Annex A 5.37 Podcast

In this episode: Lead Auditor Stuart Barker and team do a deep dive into the ISO 27001 Annex A 5.37 Documented Operating Procedures. The podcast explores what it is, why it is important and the path to compliance.

Why Documented Operating Procedures are Crucial

Consistency and Reduced Errors: Uniformity is the best defense against human error.
Clarity and Accountability: Defines who is responsible for specific security tasks.
Simplified Training: SOPs serve as the primary training material for new hires.
Demonstrable Compliance: Bridges the gap between policy (what you say) and reality (what you do).
Operational Continuity: Ensures tasks continue correctly even when key staff are absent.

Applicability for Modern Businesses

While the control is universal, the application varies by industry. Tailor your documentation to your specific risks.

Business Vertical	Strategic Focus Areas	Standard Operating Procedure (SOP) Examples	ISO 27001:2022 Mapping
Small Businesses	Revenue processes & core protections.	New User Provisioning, Offsite Data Backups, Personnel Leaver Process.	5.37 (Operating Procedures)
Tech Startups	Securing Intellectual Property & Agile Development.	Secure SDLC Workflows, Vulnerability Remediation, Cloud Environment Hardening.	8.25 (Secure Development)
AI Companies	Large Datasets & ML Model Integrity.	Data Anonymisation, AI Model Weights Security, Training Data Sanitisation.	8.11 (Data Masking)

Small Businesses: You can use simple procedures for things like data backup, protecting customer information, and handling employee access.
Tech Startups: For you, it’s all about securing your code, customer data, and intellectual property. Procedures for secure development and handling sensitive data are key.
AI Companies: You’re dealing with huge amounts of data. You’ll need procedures for data handling, privacy, and ensuring your AI models are secure and fair.

ISO 27100 Annex A 5.37 Implementation Guide

The headline guidance is, document all of your process and procedures. Do it to a level that is appropriate to you. Consider documenting common exception steps or steps in the process when the process does not go as intended.

1. Identify When Procedures Are Needed

You need to start creating these procedures during the planning and implementation phase of your ISO 27001 Information Security Management System (ISMS). They’re a core part of building a robust security framework.

The standard gives examples such as

when a procedure is performed by many people and needs to be done in the same way
when something is performed rarely and can be forgotten when it is needed again
when you do something new and if not done correctly it will create a risk
before someone else is taking on the procedure

2. Document Procedures

You need to document every process that you do for information security. The list is long. Take every process that you do for information security and document it. The standard provides examples which are basically the processes and procedures of the standard. The following is the bare minimum:

document secure installation and configuration
document processing and handling of information, include manual and automatic methods
document backups and resilience
document scheduling requirements
document interdependencies between systems
document instructions for handling errors
document support and escalation contacts
document storage media handling
document restart and recovery procedures
document the management of audit logs, system logs, video monitoring, audit trails
document capacity management
document maintenance

Essential SOP Checklist

Procedure Name	Priority	Why?
New User Setup	High	Ensuring least privilege is applied every time.
Leaver Process	Critical	Ensuring access is revoked immediately.
Backup & Restore	Critical	Testing that data can be recovered (Auditor favorite).
Patch Management	High	How/When servers are updated.
Antivirus Response	Medium	What to do if a virus alert pops up.
Change Management	High	How to approve and deploy code changes.

3. Review, Approve, and Distribute

Drafts must be formally approved by management and stored in a central repository (e.g., SharePoint/Intranet) accessible to all staff.

4. Updating procedures

Update and review procedures as needed but at least annually. The standard does not say at least annually. But it will catch you out if you do not.

5. How to write procedures

Writing these procedures is a team effort. You should:

Keep it simple: Use plain language that anyone can understand.
Define the purpose: Explain why this procedure is important.
List the steps: Break down the task into clear, numbered steps.
Assign responsibilities: Make it clear who does what.
Get it approved: Have the right people sign off on the procedure.

6. Authorising changes to procedures

When you change something, that change needs to be authorised with some evidence that the authorisation took place.

How to implement ISO 27001 Annex A 5.37

Implementing ISO 27001 Annex A 5.37 requires moving beyond tribal knowledge to a formalised, documented operational environment. By codifying your technical processes, you ensure that security tasks are executed consistently, reducing the risk of human error and providing a verifiable audit trail for your Information Security Management System (ISMS).

1. Identify and Categorise Critical Information Processing Activities

Perform a comprehensive audit of your technical environment to determine which operational tasks require formal documentation based on risk and impact.

Review the Information Asset Register to identify systems that support critical business functions.
Identify high-risk activities such as backup management, system patching, and user access provisioning.
Document the interdependencies between different processing facilities to ensure end-to-end procedural coverage.

2. Formalise Technical Standard Operating Procedures (SOPs)

Draft detailed, step-by-step instructions for each identified activity, ensuring that the documentation is technical enough to be repeatable by authorised personnel.

Incorporate hardware and software configuration settings and specific installation instructions.
Document precise scheduling requirements for recurring tasks such as log reviews or vulnerability scans.
Define clear error handling procedures and escalation paths for when a process deviates from expected results.
Include specific instructions for handling information securely, referencing data classification labels.

3. Provision Secure Centralised Storage and Access Control

Establish a secure repository for your operating procedures that ensures availability to authorised staff while preventing unauthorised modification.

Utilise a version-controlled Document Management System (DMS) or a secure internal wiki.
Implement Role-Based Access Control (RBAC) to restrict “Write” permissions to designated process owners only.
Ensure that procedures are available even during a system outage (e.g., via a secure offline copy for disaster recovery).

4. Execute Formal Document Control and Versioning

Implement a management process to track changes and ensure that personnel are always using the most current version of a procedure.

Apply unique identifiers and version numbers to every operating procedure.
Formalise a sign-off process where a technical lead or the CISO approves new or updated documents.
Archive superseded versions to maintain a historical audit trail for compliance reviews.

5. Institutionalise Periodic Review and Testing

Regularise the review of procedures to verify that they remain accurate as your technical infrastructure evolves.

Conduct an annual review of all SOPs or trigger a review immediately following significant system changes.
Validate procedures through practical testing, such as “dry running” a restore from backup using the documented steps.
Update the ISMS Risk Register if procedural gaps are identified during testing or real-world security incidents.

What an ISO 27001 Auditor Will Look For

Audit Tip: Auditors don’t just want to see the document; they will ask your staff to find it. If your staff cannot locate the procedure in 2 minutes, you may receive a non-conformity.

Audit Readiness Checklist

[ ] Are procedures documented for key operational activities?
[ ] Do they include sufficient detail for consistent execution?
[ ] Is there evidence of management authorization?
[ ] Can staff demonstrate where to find them?
[ ] Is there a documented review schedule?

Top 3 Common Mistakes to Avoid

Written and Forgotten: Documents created for the audit and never updated.
Lack of Detail: High-level summaries instead of actionable steps.
Inaccessible: Buried in hidden folders where staff cannot find them.

The Toolkit vs. SaaS Reality Check: Why Ownership Matters

Feature	High Table ISO 27001 Toolkit	Online SaaS Platforms
Ownership	You own your documents forever (Word/Excel).	You rent access; stop paying, lose everything.
Cost	One-off fee.	Recurring monthly/annual subscriptions.
Simplicity	Zero learning curve (Standard Office files).	Requires learning complex proprietary software.

Information Security Standards that need ISO 27001 Annex A 5.37

The main standard that requires these procedures is, of course, ISO 27001. However, having good documentation is also a best practice for other security frameworks like NIST and SOC 2.

Fast Track ISO 27001 Annex A 5.37 Compliance with the ISO 27001 Toolkit

For ISO 27001 Annex A 5.37 (Documented operating procedures), the requirement is to create, maintain, and follow detailed written instructions for all information processing facilities. This control transforms “tribal knowledge” into a durable corporate asset, ensuring that critical security tasks, like user off boarding or backups, are performed consistently regardless of who is doing the work.

Compliance Factor	SaaS Compliance Platforms	High Table ISO 27001 Toolkit	Audit Evidence Example
SOP Ownership	Rents access to your operational “recipes”; if you cancel, your documented procedures and approval history vanish.	Permanent Assets: Fully editable Word/Excel SOP templates that you own and host on your own infrastructure.	A localized “User Offboarding SOP” defining specific account deletion steps for your internal cloud environment.
Operational Utility	Mandates rigid “procedure builders” that can be difficult for staff to access during system outages or 2:00 AM crashes.	Governance-First: Provides a standardized framework for documenting tasks your team already performs daily.	An “Essential SOP Checklist” proving that critical tasks like backups and patch management are formalized.
Cost Efficiency	Charges a “Document Count Tax” that increases costs as you document more critical security and IT tasks.	One-Off Fee: A single payment covers your operational governance for 5 procedures or 500.	Allocating budget to automation scripts or staff training rather than monthly “dashboard” subscription fees.
Strategy Freedom	Forces specific reporting formats that may not align with cloud-native architectures or automated DevOps pipelines.	100% Agnostic: Templates adapt to any workflow—manual, scripted, or fully automated—without technical limits.	The ability to evolve your IT operations and system architecture without reconfiguring a rigid SaaS compliance module.

Summary: For Annex A 5.37, the auditor wants to see that you have documented “recipes” for critical tasks and proof that your team can find and follow them. The High Table ISO 27001 Toolkit provides the governance framework to satisfy this requirement immediately. It is the most direct, cost-effective way to achieve compliance using permanent documentation that you own and control.

ISO 27001 Annex A 5.37 FAQ

What is ISO 27001 Annex A 5.37?

ISO 27001 Annex A 5.37 (updated from A.12.1.1 in the 2013 version) is an operational security control that mandates organisations to document and maintain operating procedures for all information processing activities.

It ensures that security tasks are performed consistently across the organisation.
It reduces the risk of human error and system failures.
It provides a technical baseline for auditing and compliance monitoring.
It covers everything from server backups and system updates to incident response steps.

Are documented operating procedures mandatory for ISO 27001?

Yes, documented operating procedures are mandatory under the ISO 27001:2022 standard for all critical information processing facilities and activities.

Auditors will look for these as evidence that the ISMS is operational.
Unwritten “tribal knowledge” is considered a risk and can result in non-conformity.
Documenting procedures is essential for meeting the requirements of Annex A 5.37.

What should be included in a documented operating procedure?

An ISO 27001-compliant operating procedure must include step-by-step technical instructions, defined roles and responsibilities, and clear escalation paths.

Hardware and software configuration steps.
Information processing and handling requirements.
Backup, recovery, and business continuity instructions.
Scheduling requirements and dependencies on other systems.
Error handling and incident management procedures.

What is the difference between a security policy and an operating procedure?

An Information Security Policy defines the high-level management direction and goals (“the what”), whereas an operating procedure provides specific technical instructions (“the how”).

Policy: “We must take daily backups of all financial data.”
Procedure: “Log into the backup server, select the ‘Finance’ job, and click run at 02:00.”
Policies are for governance; procedures are for daily execution.

How often should documented operating procedures be reviewed?

ISO 27001 operating procedures should be reviewed at least annually or whenever significant changes are made to the technical environment.

Reviews ensure instructions remain accurate as systems and software are updated.
Changes in personnel or internal roles may require updates to responsibility sections.
Testing procedures (like backup restoration) often triggers mandatory updates.

Where should operating procedures be stored for compliance?

Operating procedures must be stored in a centralised, secure location that is accessible to all authorised personnel who need them to perform their duties.

Common storage solutions include a secure Intranet, DMS (Document Management System), or a Version Control System (like Git).
Procedures should be subject to document control (Annex A 5.37 requires versioning).
Access must be restricted to prevent unauthorised modification or disclosure.

Relevant ISO 27001:2022 controls

Matrix of ISO 27001 Controls and Attribute values

Control type	Information security properties	Cybersecurity concepts	Operational capabilities	Security domains
Preventive	Availability	Protect	Asset management	Governance and ecosystem
Corrective	Confidentiality	Recover	Physical security	Protection
	Integrity		System and network security	Defence
			Application Security
			Secure configuration
			Identity and access management
			Threat and vulnerability management
			Continuity
			Information security event management

Application Security, Asset Management, Availability, Confidentiality, Continuity, Corrective, Defence, Governance and Ecosystem, Identity and Access Management, Information Security Event Management, Integrity, Physical Security, Preventive, Protect, Protection, Recover, Secure Configuration, System and Network Security, Threat and Vulnerability Management

Stuart Barker

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
wp_woocommerce_session_*	2 days	WooCommerce sets this cookie to make a unique code for each customer so that it knows where to find the cart data in the database for each one.
yith_wcmcs_currency	7 days	Required for currency conversion.
__stripe_mid	1 year	Stripe sets this cookie to process payments.
__stripe_sid	1 hour	Stripe sets this cookie to process payments.

Cookie	Duration	Description
yt-player-headers-readable	never	The yt-player-headers-readable cookie is used by YouTube to store user preferences related to video playback and interface, enhancing the user's viewing experience.
yt-remote-cast-available	session	The yt-remote-cast-available cookie is used to store the user's preferences regarding whether casting is available on their YouTube video player.
yt-remote-cast-installed	session	The yt-remote-cast-installed cookie is used to store the user's video player preferences using embedded YouTube video.
yt-remote-connected-devices	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-device-id	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-fast-check-period	session	The yt-remote-fast-check-period cookie is used by YouTube to store the user's video player preferences for embedded YouTube videos.
yt-remote-session-app	session	The yt-remote-session-app cookie is used by YouTube to store user preferences and information about the interface of the embedded YouTube video player.
yt-remote-session-name	session	The yt-remote-session-name cookie is used by YouTube to store the user's video player preferences using embedded YouTube video.
ytidb::LAST_RESULT_ENTRY_KEY	never	The cookie ytidb::LAST_RESULT_ENTRY_KEY is used by YouTube to store the last search result entry that was clicked by the user. This information is used to improve the user experience by providing more relevant search results in the future.

Cookie	Duration	Description
sbjs_current	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_current_add	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_first	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_first_add	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_migrations	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_session	1 hour	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_udata	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.

Cookie	Duration	Description
PREF	8 months	PREF cookie is set by Youtube to store user preferences like language, format of search results and other customizations for YouTube Videos embedded in different sites.
VISITOR_INFO1_LIVE	6 months	YouTube sets this cookie to measure bandwidth, determining whether the user gets the new or old player interface.
VISITOR_PRIVACY_METADATA	6 months	YouTube sets this cookie to store the user's cookie consent state for the current domain.
YSC	session	Youtube sets this cookie to track the views of embedded videos on Youtube pages.
yt.innertube::nextId	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.

Cookie	Duration	Description
m	1 year 1 month 4 days	No description available.
_monsterinsights_uj	1 year	Description is currently not available.

ISO 27001 Annex A 5.37: A Practical Guide to Documented Operating Procedures

Table of contents