ISO 27001 Documented Operating Procedures | Annex A 5.37 | The Lead Auditor’s Implementation and Audit Guide

ISO 27001 Annex A 5.37 is a security control that mandates organizations to establish, maintain, and enforce documented standard operating procedures for all critical information processing facilities. The core business benefit is ensuring operational continuity and significantly reducing human error during technical tasks.

In this guide, I will show you exactly how to implement ISO 27001 Annex A 5.37 and ensure you pass your audit. You will get a complete walkthrough of the control, practical implementation examples, and access to the ISO 27001 templates and toolkit that make compliance easy.

I am Stuart Barker, an ISO 27001 Lead Auditor with over 30 years of experience conducting hundreds of audits. I will cut through the jargon to show you exactly what changed in the 2022 update and provide you with plain-English advice to get you certified.

Key Takeaways: ISO 27001 Annex A 5.37 Documented Operating Procedures

ISO 27001 Annex A 5.37 is a control that requires organizations to create, maintain, and follow detailed written instructions for all information security tasks. Its primary goal is to minimise the risk of human error and ensure that critical security processes, like backups and system updates, are performed consistently regardless of who is doing the work.

Core requirements for compliance include:

  • Standard Operating Procedures (SOPs): You must document “recipes” for critical tasks (e.g., user offboarding, patch management, and error handling).
  • Accessibility: Procedures must be readily available to the specific staff members who need them; they cannot be hidden in a generic policy folder.
  • Change Management: Documents must be treated as living records. They require review (at least annually) and must be updated whenever systems change.
  • Audit Verification: Auditors will test that these documents are not just written, but actively used and accurate to the current technical environment.

Essential SOP Checklist

Procedure Name | Audit Priority | Compliance Justification | ISO 27001:2022 Control
--- | --- | --- | ---
New User Setup | High | Enforces the principle of least privilege during account provisioning. | 5.18 (Access rights)
Leaver Process | Critical | Ensures immediate revocation of logical and physical access rights. | 6.5 (Termination responsibilities)
Backup & Restore | Critical | Verifies data availability through mandatory restoration testing. | 8.13 (Information backup)
Patch Management | High | Standardises the identification and remediation of technical vulnerabilities. | 8.8 (Technical vulnerabilities)
Antivirus Response | Medium | Codifies the technical response to malware alerts and endpoint threats. | 8.7 (Protection against malware)
Change Management | High | Ensures formal approval and impact assessment for system modifications. | 8.32 (Change management)

Understanding Control 5.37: The Cornerstone of a Mature ISMS

Moving from ad-hoc, informal processes to a structured, documented framework is a critical step in maturing an organization’s security posture. Control 5.37 provides the framework for this essential transition, transforming tribal knowledge into a durable corporate asset.

The official requirement of ISO 27001:2022 Annex A 5.37 states:

“Operating procedures for information processing facilities should be documented and made available to personnel who need them.”

The core purpose is to create a repeatable operational environment. This removes ambiguity and reliance on individual memory, a crucial factor for scalable security.

Evolution: 2013 vs 2022

The current version (ISO 27001:2022) is an evolution of the previous Control 12.1.1. While the 2013 version focused heavily on specific technical IT functions (like backups and startup procedures), the 2022 update expands the scope to cover all generalized operational activities related to information security.

Watch the ISO 27001 Annex A 5.37 Tutorial

In this video I show you how to implement ISO 27001 Annex A 5.37 and how to pass the audit.

ISO 27001 Annex A 5.37 Podcast

In this episode: Lead Auditor Stuart Barker and team do a deep dive into the ISO 27001 Annex A 5.37 Documented Operating Procedures. The podcast explores what it is, why it is important and the path to compliance.

Why Documented Operating Procedures are Crucial

  • Consistency and Reduced Errors: Uniformity is the best defense against human error.
  • Clarity and Accountability: Defines who is responsible for specific security tasks.
  • Simplified Training: SOPs serve as the primary training material for new hires.
  • Demonstrable Compliance: Bridges the gap between policy (what you say) and reality (what you do).
  • Operational Continuity: Ensures tasks continue correctly even when key staff are absent.

Applicability for Modern Businesses

While the control is universal, the application varies by industry. Tailor your documentation to your specific risks.

Business Vertical | Strategic Focus Areas | Standard Operating Procedure (SOP) Examples | ISO 27001:2022 Mapping
--- | --- | --- | ---
Small Businesses | Revenue processes & core protections. | New User Provisioning, Offsite Data Backups, Personnel Leaver Process. | 5.37 (Operating Procedures)
Tech Startups | Securing Intellectual Property & Agile Development. | Secure SDLC Workflows, Vulnerability Remediation, Cloud Environment Hardening. | 8.25 (Secure Development)
AI Companies | Large Datasets & ML Model Integrity. | Data Anonymisation, AI Model Weights Security, Training Data Sanitisation. | 8.11 (Data Masking)

  • Small Businesses: You can use simple procedures for things like data backup, protecting customer information, and handling employee access.
  • Tech Startups: For you, it’s all about securing your code, customer data, and intellectual property. Procedures for secure development and handling sensitive data are key.
  • AI Companies: You’re dealing with huge amounts of data. You’ll need procedures for data handling, privacy, and ensuring your AI models are secure and fair.

ISO 27001 Annex A 5.37 Implementation Guide

The headline guidance is: document all of your processes and procedures, to a level of detail that is appropriate to you. Consider also documenting common exception steps, that is, what to do when the process does not go as intended.

1. Identify When Procedures Are Needed

You need to start creating these procedures during the planning and implementation phase of your ISO 27001 Information Security Management System (ISMS). They’re a core part of building a robust security framework.

The standard gives examples such as:

  • when a procedure is performed by many people and needs to be done in the same way
  • when something is performed rarely and can be forgotten when it is needed again
  • when you do something new and if not done correctly it will create a risk
  • before someone else is taking on the procedure

2. Document Procedures

You need to document every process that you do for information security. The list is long. Take every process that you do for information security and document it. The standard provides examples which are basically the processes and procedures of the standard. The following is the bare minimum:

  • document secure installation and configuration
  • document processing and handling of information, include manual and automatic methods
  • document backups and resilience
  • document scheduling requirements
  • document interdependencies between systems
  • document instructions for handling errors
  • document support and escalation contacts
  • document storage media handling
  • document restart and recovery procedures
  • document the management of audit logs, system logs, video monitoring, audit trails
  • document capacity management
  • document maintenance

Essential SOP Checklist

Procedure Name | Priority | Why?
--- | --- | ---
New User Setup | High | Ensuring least privilege is applied every time.
Leaver Process | Critical | Ensuring access is revoked immediately.
Backup & Restore | Critical | Testing that data can be recovered (Auditor favourite).
Patch Management | High | How/When servers are updated.
Antivirus Response | Medium | What to do if a virus alert pops up.
Change Management | High | How to approve and deploy code changes.

3. Review, Approve, and Distribute

Drafts must be formally approved by management and stored in a central repository (e.g., SharePoint/Intranet) accessible to all staff.

4. Updating procedures

Update and review procedures as needed, but at least annually. The standard does not actually say "at least annually", but it will catch you out if you do not.

5. How to write procedures

Writing these procedures is a team effort. You should:

  • Keep it simple: Use plain language that anyone can understand.
  • Define the purpose: Explain why this procedure is important.
  • List the steps: Break down the task into clear, numbered steps.
  • Assign responsibilities: Make it clear who does what.
  • Get it approved: Have the right people sign off on the procedure.

6. Authorising changes to procedures

When you change something, that change needs to be authorised with some evidence that the authorisation took place.

How to implement ISO 27001 Annex A 5.37

Implementing ISO 27001 Annex A 5.37 ensures that your organisation maintains consistent, secure, and reliable information processing operations. As an ISO 27001 Lead Auditor, I look for technical evidence that procedures are not just written, but are actively utilised and governed. Follow these ten technical steps to formalise your documented operating procedures and satisfy rigorous audit requirements.

1. Provision an Inventory of Information Processing Facilities

Provision a comprehensive list of all systems and facilities within the organisational Asset Register. Result: ensures all hardware, software, and cloud instances requiring documented instructions are identified and scoped.

  • Identify all critical infrastructure components, including servers, networks, and cloud storage.
  • Map technical dependencies between systems to determine where procedures must overlap.
  • Assign an “Asset Owner” for every facility to take responsibility for procedure maintenance.

2. Formalise Standard Operating Procedures for Routine Activities

Formalise detailed instructions for daily, weekly, and monthly system activities. Result: establishes a consistent baseline for backups, system restarts, and scheduled technical maintenance.

  • Document specific commands and configurations for starting and stopping systems.
  • Define the exact steps for performing and verifying system backups.
  • Outline procedures for the handling and disposal of information media.

3. Implement Strict Version Control and Document Governance

Implement a formal document control system for all technical procedures. Result: prevents the use of obsolete instructions and ensures a clear audit trail for management updates.

  • Utilise unique identifiers and version numbers for every operational document.
  • Record the date of the last review and the name of the individual who approved the content.
  • Automate the archiving of superseded documents to prevent operational errors.

4. Provision Restricted Access via Identity and Access Management

Provision restricted access to sensitive procedures using Identity and Access Management (IAM) roles. Result: ensures that only authorised personnel with a legitimate business need can view or modify technical instructions.

  • Apply the Principle of Least Privilege to the centralised procedure repository.
  • Mandate Multi-Factor Authentication (MFA) for any user with “edit” permissions on procedures.
  • Audit access logs monthly to identify any unauthorised attempts to access sensitive technical data.

5. Formalise Emergency Operating and Incident Response Instructions

Formalise high-priority instructions for system failures or security incidents. Result: enables rapid recovery and maintains system availability during unexpected outages or cyber attacks.

  • Create “Runbooks” for specific disaster recovery scenarios and known incident types.
  • Document contact details and escalation paths for third-party vendors and internal leads.
  • Ensure instructions include the technical steps for isolating compromised systems.

6. Audit Alignment with Legal and Regulatory Obligations

Audit the content of all operating procedures to ensure compliance with external mandates. Result: confirms that technical operations meet statutory requirements like GDPR, NIS2, or DORA.

  • Review procedures for data handling to ensure they align with privacy legislation.
  • Verify that retention periods for logs and backups meet legal and contractual requirements.
  • Document how procedures satisfy specific clauses in the organisation’s Legal Register.

7. Provision a Centralised and Secure Source of Truth

Provision a single, secure digital repository for all documented procedures. Result: facilitates timely retrieval by operational staff and provides a clear evidence base for auditors.

  • Ensure the repository is highly available and resilient to local system failures.
  • Organise the structure by system or department to allow for rapid navigation.
  • Enable full-text search capabilities to help staff find instructions during high-pressure events.

8. Formalise a Technical Review and Approval Workflow

Formalise a structured workflow for the creation and updating of procedures. Result: ensures that all operating instructions remain technically accurate and aligned with organisational risk appetite.

  • Require a technical peer review for any change to core system procedures.
  • Obtain management sign-off for procedures that impact critical business continuity.
  • Schedule mandatory review cycles for every document, typically occurring every twelve months.

9. Implement Training and Competency Assessments

Implement formal training sessions for all staff expected to execute documented procedures. Result: verifies that personnel can perform their duties correctly and securely in accordance with policy.

  • Conduct practical walkthroughs of procedures for new starters and contractors.
  • Document attendance and the results of competency tests to provide audit evidence.
  • Update training materials immediately following any significant change to technical instructions.

10. Audit Operational Effectiveness Through Drills and Spot Checks

Audit the practical application of documented procedures through regular technical drills. Result: identifies gaps between theoretical instructions and operational reality for continual improvement.

  • Conduct “Tabletop” exercises to test the clarity and effectiveness of emergency procedures.
  • Perform unannounced spot checks to ensure staff are following the “live” version of instructions.
  • Record all drill findings in the Corrective Action Log to drive necessary technical updates.

How to Audit ISO 27001 Annex A 5.37

Auditing ISO 27001 Annex A 5.37 requires a technical deep dive into how your organisation maintains and executes its operational instructions. As a Lead Auditor, I look for evidence that your procedures are not merely static documents, but are accurate, accessible, and consistently applied to ensure system stability and security. Use this 10-step technical roadmap to ensure your documented operating procedures are robust enough to withstand a rigorous certification audit.

1. Audit the Inventory of Information Processing Facilities

Audit the Asset Register to confirm that all hardware, software, and cloud services requiring operational instructions are identified. Result: ensures the audit scope covers 100 per cent of critical information processing facilities.

  • Verify that the inventory includes specific technical details for production, test, and development environments.
  • Check that every identified facility has a corresponding set of documented procedures.
  • Confirm that the inventory is current and reflects the latest architectural changes.

2. Inspect Technical Accuracy and Procedural Relevance

Inspect a sample of procedures against the live system configurations to verify technical accuracy. Result: ensures that staff are following instructions that actually work in the current environment.

  • Compare documented startup and shutdown sequences against actual system behavior.
  • Verify that technical commands listed in the procedures are valid and safe for execution.
  • Check for “Shadow IT” processes that are being performed without formal documentation.

3. Audit Version Control and Governance Logs

Audit the document management system to ensure that only the latest, approved version of an operating procedure is accessible. Result: prevents operational failures caused by the use of obsolete or unverified instructions.

  • Check for unique document identifiers and incremental version numbers.
  • Verify that the history of changes is documented, including who authorised the update.
  • Confirm that superseded documents are clearly marked as archived or are removed from staff access.

4. Verify IAM Roles and Access Permissions for Procedures

Verify that access to sensitive technical procedures is restricted via Identity and Access Management (IAM) roles. Result: enforces the principle of least privilege and protects sensitive operational secrets.

  • Inspect permissions for the procedure repository to ensure read/write access is limited to authorised staff.
  • Confirm that Multi-Factor Authentication (MFA) is required to access the centralised document store.
  • Review access logs for any anomalous or unauthorised attempts to download operational runbooks.

5. Audit Backup and Verification Logs

Audit the logs for backup execution and verification as defined in the documented procedures. Result: provides evidence that data availability requirements are being met consistently.

  • Review a sample of backup logs to ensure successful completion within defined timeframes.
  • Check for records of restoration testing to prove that backup data is usable.
  • Verify that the backup procedure includes instructions for the secure handling of physical or cloud-based media.

6. Inspect Emergency Operating Procedures and Runbooks

Inspect the availability and clarity of high-priority instructions for system failures or security incidents. Result: ensures the organisation is technically prepared to maintain availability during an outage.

  • Verify that emergency procedures are accessible even if the primary network is unavailable.
  • Check that runbooks include updated contact lists for third-party support and internal escalations.
  • Confirm that instructions for failing over to redundant systems are clearly documented and tested.

7. Audit Alignment with Statutory and Legal Mandates

Audit procedures to ensure technical data handling aligns with the organisational Legal Register. Result: confirms that information processing meets requirements for GDPR, DORA, or other relevant legislation.

  • Check that record retention periods specified in procedures match legal requirements.
  • Verify that procedures for information disposal include secure destruction methods.
  • Review audit trail requirements within the procedures to ensure forensic readiness.

8. Verify the Regular Review and Approval Cycle

Verify that operating procedures are reviewed by technical leads at planned intervals. Result: maintains the integrity of the ISMS by ensuring documentation evolves with the infrastructure.

  • Check metadata to confirm that procedures have been reviewed within the last twelve months.
  • Inspect the credentials of the individuals performing the technical reviews to ensure competency.
  • Verify that management has signed off on any significant changes to operational logic.

9. Audit Training Records and Staff Competency

Audit the training logs to confirm that staff have been briefed on the procedures they are required to execute. Result: reduces the risk of human error causing a security breach or system downtime.

  • Interview a sample of operational staff to verify their understanding of documented instructions.
  • Check for training certificates or records of practical walkthroughs for new systems.
  • Verify that training is updated and delivered immediately following a major procedural change.

10. Validate the Link Between Change Management and Documentation

Validate that technical changes to systems trigger an automatic update to the relevant operating procedures. Result: ensures that documentation remains synchronised with the live production environment.

  • Review the Change Management Log for recent infrastructure deployments.
  • Cross-reference change requests with corresponding updates in the procedure repository.
  • Audit the closure of change tickets to ensure “Documentation Updated” is a mandatory requirement.

What an ISO 27001 Auditor Will Look For

Audit Tip: Auditors don’t just want to see the document; they will ask your staff to find it. If your staff cannot locate the procedure in 2 minutes, you may receive a non-conformity.

Audit Readiness Checklist

  • [ ] Are procedures documented for key operational activities?
  • [ ] Do they include sufficient detail for consistent execution?
  • [ ] Is there evidence of management authorization?
  • [ ] Can staff demonstrate where to find them?
  • [ ] Is there a documented review schedule?

Top 3 Common Mistakes to Avoid

  1. Written and Forgotten: Documents created for the audit and never updated.
  2. Lack of Detail: High-level summaries instead of actionable steps.
  3. Inaccessible: Buried in hidden folders where staff cannot find them.

The Toolkit vs. SaaS Reality Check: Why Ownership Matters

Feature | High Table ISO 27001 Toolkit | Online SaaS Platforms
--- | --- | ---
Ownership | You own your documents forever (Word/Excel). | You rent access; stop paying, lose everything.
Cost | One-off fee. | Recurring monthly/annual subscriptions.
Simplicity | Zero learning curve (Standard Office files). | Requires learning complex proprietary software.

Information Security Standards that need ISO 27001 Annex A 5.37

The main standard that requires these procedures is, of course, ISO 27001. However, having good documentation is also a best practice for other security frameworks like NIST and SOC 2.

Fast Track ISO 27001 Annex A 5.37 Compliance with the ISO 27001 Toolkit

For ISO 27001 Annex A 5.37 (Documented operating procedures), the requirement is to create, maintain, and follow detailed written instructions for all information processing facilities. This control transforms “tribal knowledge” into a durable corporate asset, ensuring that critical security tasks, like user offboarding or backups, are performed consistently regardless of who is doing the work.

Compliance Factor | SaaS Compliance Platforms | High Table ISO 27001 Toolkit | Audit Evidence Example
--- | --- | --- | ---
SOP Ownership | Rents access to your operational “recipes”; if you cancel, your documented procedures and approval history vanish. | Permanent Assets: Fully editable Word/Excel SOP templates that you own and host on your own infrastructure. | A localised “User Offboarding SOP” defining specific account deletion steps for your internal cloud environment.
Operational Utility | Mandates rigid “procedure builders” that can be difficult for staff to access during system outages or 2:00 AM crashes. | Governance-First: Provides a standardised framework for documenting tasks your team already performs daily. | An “Essential SOP Checklist” proving that critical tasks like backups and patch management are formalised.
Cost Efficiency | Charges a “Document Count Tax” that increases costs as you document more critical security and IT tasks. | One-Off Fee: A single payment covers your operational governance for 5 procedures or 500. | Allocating budget to automation scripts or staff training rather than monthly “dashboard” subscription fees.
Strategy Freedom | Forces specific reporting formats that may not align with cloud-native architectures or automated DevOps pipelines. | 100% Agnostic: Templates adapt to any workflow (manual, scripted, or fully automated) without technical limits. | The ability to evolve your IT operations and system architecture without reconfiguring a rigid SaaS compliance module.

Summary: For Annex A 5.37, the auditor wants to see that you have documented “recipes” for critical tasks and proof that your team can find and follow them. The High Table ISO 27001 Toolkit provides the governance framework to satisfy this requirement immediately. It is the most direct, cost-effective way to achieve compliance using permanent documentation that you own and control.

The Impact of Artificial Intelligence (AI) on Operating Procedures

As a Lead Auditor, one of the biggest operational shifts I currently see is the integration of Artificial Intelligence into daily business workflows. If your organisation is developing or deploying AI models, your standard operating procedures must evolve immediately to capture these new, highly complex processes.

Annex A 5.37 requires that all critical information processing activities are documented. When dealing with AI, relying on the “tribal knowledge” of your data scientists is a critical risk and a guaranteed audit failure.

AI-Specific Standard Operating Procedures

To satisfy an auditor that your AI initiatives comply with Annex A 5.37, you must document the following technical procedures:

  • Training Data Sanitisation: A documented step-by-step process for scrubbing Personally Identifiable Information (PII) from datasets before they are fed into Large Language Models (LLMs).
  • Model Weight Backups: Specific instructions on how, where, and when to backup trained AI model weights and parameters, ensuring intellectual property is not lost during a system failure.
  • Prompt Security Reviews: An operational procedure for manually reviewing AI outputs and logs to detect prompt injection attacks or unauthorised data leakage.
  • AI Decommissioning: A formalised process for retiring legacy machine learning models and securely destroying the associated training environments.

How to Measure Success: KPIs for Annex A 5.37

You cannot prove that your procedures are effective without metrics. During your Stage 2 certification audit, I will ask your leadership team how they know their documentation is actually working. Establishing Key Performance Indicators (KPIs) provides the exact evidence required to show your ISMS is alive and functioning.

Key Performance Indicator (KPI) | Target Metric | Why Auditors Look For It
--- | --- | ---
SOP Review Schedule Adherence | 100% of critical procedures reviewed annually. | Proves that documentation is treated as a living asset and accurately reflects the current technical environment.
Incident Rate Due to Human Error | Less than 5% of total security incidents. | Demonstrates that clear, documented instructions are successfully guiding staff and preventing mistakes.
Procedure Access Rate | Monitored via document repository logs. | Shows that staff are actually opening and reading the procedures during operations, rather than ignoring them.
New Hire Onboarding Speed | Reduced time to operational competency. | Confirms that your SOPs are clear and comprehensive enough to be used as effective training materials.

RACI Matrix for Documented Operating Procedures

Clear accountability is vital for maintaining documentation. A RACI matrix (Responsible, Accountable, Consulted, Informed) demonstrates to an auditor that the creation and upkeep of operating procedures is formally embedded in your organisational structure.

Task / Activity | Responsible | Accountable | Consulted | Informed
--- | --- | --- | --- | ---
Drafting Technical Procedures | System Administrators / Engineers | IT Director | Security Team | Helpdesk Staff
Reviewing and Approving SOPs | Department Managers | Chief Information Security Officer (CISO) | Legal / Compliance | All Operational Staff
Executing Backup Procedures | IT Operations Team | IT Director | Infrastructure Lead | Data Owners
Archiving Obsolete Documents | Document Controller | Compliance Manager | System Owners | IT Operations Team

Real-World Case Study: An Annex A 5.37 Audit Failure

To help you pass your audit the first time, let me share a scenario where a company failed this exact control due to an over-reliance on tribal knowledge.

The Scenario: I was auditing a fast-growing software development agency. When evaluating Annex A 5.37, I asked to see the documented procedure for granting new developers access to the cloud production environment. The IT Manager confidently told me that the process was highly secure and solely handled by their Senior Cloud Architect, who had memorised the exact configuration steps required.

The Problem: The Senior Cloud Architect was off sick on the day of the audit. I asked a junior systems administrator to walk me through the process instead. Without a documented procedure to follow, the junior administrator logged into the cloud console and demonstrated a workflow that completely bypassed the mandatory Multi-Factor Authentication (MFA) step required by the company’s own security policy.

The Result: A Major Non-Conformity.

The Reason: The organisation had excellent theoretical security, but zero operational resilience. Because the procedure was stored entirely in one person’s head, the process broke down the moment that person was unavailable. To resolve this, the agency had to halt deployments, formally write down the step-by-step account creation process, test it with junior staff, and submit the approved document as evidence of remediation.

How Much Does ISO 27001 Annex A 5.37 Cost to Implement?

Organisations often worry about the financial impact of documenting every operational process. The true cost depends entirely on your chosen strategy and internal resources.

  • Time Investment: For a small to medium enterprise, writing procedures from scratch is a massive time sink. A senior engineer can easily spend 10 to 15 hours per week drafting, reviewing, and formatting technical runbooks instead of doing their actual job.
  • Financial Cost (Consultant Route): Hiring an external technical writer or ISO consultant to interview your staff and write the procedures for you will typically cost between £4,000 and £8,000 depending on the complexity of your systems.
  • Financial Cost (Toolkit Route): Utilising a pre-built ISO 27001 Toolkit is the most cost-effective method. For a single, one-off purchase, you receive fully formatted, auditor-approved Word templates. Your engineers simply fill in the blanks specific to your environment. This reduces the time investment from weeks to mere hours, saving thousands of pounds in lost productivity.

Final Thoughts from the Auditor

ISO 27001 Annex A 5.37 is not about creating unnecessary paperwork; it is about building operational resilience. If your business grinds to a halt or becomes insecure just because a key staff member goes on holiday, you do not have a management system, you have a dependency problem.

Keep your procedures simple, accessible, and accurate. Do not write a 50-page manual when a one-page checklist will do. Ensure your staff know where the documents live, and ensure your management team reviews them annually. If you treat your operating procedures as living tools rather than audit burdens, you will sail through this section of your certification.

The Anatomy of a Perfect ISO 27001 SOP

A common question I receive from clients is, “What exactly does an auditor want to see inside the document?” A compliant Standard Operating Procedure (SOP) under Annex A 5.37 is not just a block of text. It must contain specific governance metadata alongside the technical instructions.

If you are writing your own procedures, ensure every document contains the following standard sections:

Each entry below gives the document section, its description and purpose, and what the auditor expects to see:

  • Document Control Block: A table at the top containing the Version Number, Document Owner, Creation Date, and Next Review Date. Auditor expectation: proves the document is actively managed and subject to regular review cycles.
  • Purpose and Scope: A brief summary of what the procedure achieves and which systems or departments it applies to. Auditor expectation: demonstrates clear boundaries and prevents operational scope creep.
  • Prerequisites: Any specific software, access rights, or approvals required before the task can begin. Auditor expectation: ensures staff do not start a critical process without the correct tools or authorisation.
  • Step-by-Step Instructions: The actual “recipe.” Numbered, sequential actions required to complete the task securely. Auditor expectation: instructions must be clear enough that a competent colleague could follow them without guessing.
  • Exception Handling: Instructions on what to do if the process fails or an error message appears. Auditor expectation: proves you have planned for operational failures, preventing staff from making risky workarounds.
  • Version History Log: A running list at the bottom of the document detailing what changed, when it changed, and who approved it. Auditor expectation: provides a mandatory audit trail of technical changes over time.
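As an added illustration (not code from this guide, the High Table toolkit, or the standard itself), the Python script below lints an SOP file against the six sections listed above and the "review at least annually" rule, the kind of check you can run in a Git pre-commit hook so a stale or hollow procedure never reaches the auditor. It assumes an SOP file layout of "## " section headings, a "Key: Value" document control block, and one "version | date | who | change" line per version history entry; both sample SOPs are constructed for the example.

```python
# Added example (not from this guide or any toolkit). Assumed SOP file layout:
# '## ' section headings, a 'Key: Value' document control block, and one
# 'version | date | who | change' line per version history entry.
from __future__ import annotations

import re
from datetime import date, timedelta

SOP_SECTIONS = [  # mandatory sections, in reading order
    "Document Control", "Purpose and Scope", "Prerequisites",
    "Step-by-Step Instructions", "Exception Handling", "Version History",
]
CONTROL_KEYS = ("Version", "Owner", "Created", "Next Review")
MAX_REVIEW_INTERVAL = timedelta(days=365)  # "at least annually"
HEADING_RE = re.compile(r"^##\s+(.+?)\s*$")
KEY_VALUE_RE = re.compile(r"^([A-Za-z ]+):\s*(.+?)\s*$")
STEP_RE = re.compile(r"^\d+\.\s+\S")             # "1. Log into ..."
HISTORY_RE = re.compile(r"^v?\d+(\.\d+)*\s*\|")  # "1.2 | 2024-06-01 | ..."


def parse_sop(text: str) -> dict[str, list[str]]:
    """Split an SOP into {heading: non-empty body lines}, preserving file order."""
    sections: dict[str, list[str]] = {}
    current = None
    for raw in text.splitlines():
        m = HEADING_RE.match(raw)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and raw.strip():
            sections[current].append(raw.strip())
    return sections


def lint_sop(text: str, today: date | str) -> list[str]:
    """Return findings for one SOP as of `today`; an empty list means it passed."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    findings: list[str] = []
    sections = parse_sop(text)

    # 1. Every mandatory section exists, in the order an auditor expects.
    findings += [f"missing section: {s}" for s in SOP_SECTIONS if s not in sections]
    present = [s for s in sections if s in SOP_SECTIONS]
    if present != [s for s in SOP_SECTIONS if s in sections]:
        findings.append("sections out of expected order")

    # 2. Document control block: governance metadata plus a review date that is
    #    neither overdue nor pushed out beyond the annual cycle.
    control: dict[str, str] = {}
    for line in sections.get("Document Control", []):
        m = KEY_VALUE_RE.match(line)
        if m:
            control[m.group(1).strip()] = m.group(2)
    findings += [f"document control missing '{k}'" for k in CONTROL_KEYS if k not in control]
    try:
        next_review = date.fromisoformat(control.get("Next Review", ""))
        if next_review < today:
            findings.append(f"review overdue since {next_review.isoformat()}")
        elif next_review - today > MAX_REVIEW_INTERVAL:
            findings.append("next review scheduled more than a year out")
    except ValueError:
        if "Next Review" in control:
            findings.append("Next Review is not an ISO date (YYYY-MM-DD)")

    # 3. The recipe is numbered steps, not prose a colleague has to interpret.
    steps = sections.get("Step-by-Step Instructions", [])
    if steps and not any(STEP_RE.match(s) for s in steps):
        findings.append("instructions are not numbered steps")

    # 4. Exception handling and version history are not empty shells.
    if "Exception Handling" in sections and not sections["Exception Handling"]:
        findings.append("exception handling section is empty")
    history = sections.get("Version History")
    if history is not None and not any(HISTORY_RE.match(h) for h in history):
        findings.append("version history has no entries")
    return findings


# Constructed sample SOPs: one compliant, one with typical audit findings.
GOOD_SOP = """\
## Document Control
Version: 1.2
Owner: Head of IT Operations
Created: 2024-03-01
Next Review: 2025-06-01
## Purpose and Scope
Nightly backup of the finance database.
## Prerequisites
Backup operator role on the backup server.
## Step-by-Step Instructions
1. Log into the backup server and select the 'Finance' job.
2. Confirm the job completed and the checksum report is clean.
## Exception Handling
If the job fails, do not re-run it; raise an incident and page the DBA on call.
## Version History
1.2 | 2024-06-01 | J. Bloggs | Added checksum verification step
"""
BAD_SOP = """\
## Document Control
Version: 0.9
Created: 2022-01-10
Next Review: 2023-01-10
## Purpose and Scope
Offboarding a leaver.
## Step-by-Step Instructions
Ask IT to disable the account and collect the laptop when convenient.
## Version History
draft
"""

if __name__ == "__main__":
    for name, sop in (("good", GOOD_SOP), ("bad", BAD_SOP)):
        print(name, lint_sop(sop, date.today()) or "OK")
```

Run against the second sample, the linter reports the six findings an auditor would raise: two missing sections, a missing owner, an overdue review, unnumbered instructions, and an empty version history. Point it at your SOP directory and fail the commit on any non-empty result.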

Cross-Departmental Responsibilities for Control 5.37

It is a common misconception that Annex A 5.37 only applies to the IT department. Information processing happens across your entire business. To pass your audit, you must ensure that procedures are documented across all relevant departments.

  • Human Resources (HR): Must maintain documented procedures for background screening, onboarding, and the secure handling of employee payroll data.
  • Facilities Management: Must document procedures for issuing physical access cards, testing fire alarms, and managing visitor logs (tying into Annex A 7).
  • IT and Operations: Must document server builds, network configurations, database backups, and incident response runbooks.
  • Software Development: Must document secure coding guidelines, code review processes, and deployment pipeline steps.

ISO 27001 Annex A 5.37 Glossary of Terms

Information security is filled with specific terminology. When dealing with operational procedures, you and your management team must understand the following key terms.

Term and its ISO 27001 definition or context:

  • Standard Operating Procedure (SOP): A set of step-by-step instructions compiled by an organisation to help workers carry out routine operations consistently and securely.
  • Runbook: A specialised type of technical SOP, typically used by IT teams, detailing the procedures to maintain system operations or respond to specific technical incidents.
  • Tribal Knowledge: Unwritten information that is known by some employees but not documented. This is a critical risk under ISO 27001.
  • Version Control: The practice of tracking and managing changes to documents. Essential for proving to an auditor that staff are using the correct, up-to-date instructions.
  • Information Processing Facility: Any information processing system, service, or infrastructure, including the physical locations housing them.

Executive Summary and Conclusion

Achieving compliance with ISO 27001 Annex A 5.37 is one of the most practical and beneficial steps you can take for your business. It is not about writing endless manuals that gather dust; it is about protecting your organisation from single points of failure. If your business relies on one key person to run the backups or provision the servers, you are at risk.

As an ISO 27001 Lead Auditor, I can assure you that implementing this control correctly will not only guarantee a successful audit but will also massively reduce your onboarding times, lower your operational error rates, and improve your overall system stability.

Do not waste weeks trying to invent these documents from scratch. Utilise the High Table ISO 27001 Toolkit to instantly deploy the exact SOP templates, document control policies, and operational frameworks that auditors expect to see. Formalise your operations, secure your knowledge, and pass your audit first time.

Mapping of other standards, frameworks and laws (with their domain and region) to ISO 27001 Annex A 5.37 (Documented Operating Procedures):

  • NIST Cybersecurity Framework (CSF 2.0), Cybersecurity (Global/USA): Maps directly to the “Govern” (GV.PO) and “Protect” functions. NIST requires that organizational cybersecurity policies, processes, and procedures are established, communicated, and maintained. Annex A 5.37 provides the operational “runbooks” required to prove these processes are documented and repeatable.
  • NIS2 Directive (EU), Critical Infrastructure (EU): Article 21 mandates risk management measures, including incident handling, business continuity, and system security. Documented operating procedures (A 5.37) provide the mandatory evidentiary baseline that security tasks and IT operations are standardized and not reliant on ad-hoc or tribal knowledge.
  • Digital Operational Resilience Act (DORA), Financial Sector (EU): Article 9 (Protection and Prevention) requires financial entities to implement ICT security policies, procedures, and protocols. Annex A 5.37 fulfills the requirement to document daily ICT operational tasks, backup routines, and change management workflows, proving operational resilience.
  • SOC 2 (Trust Services Criteria), Information Security / Auditing (Global): Aligns with Common Criteria (CC) 5.1, 5.2, and 3.2. SOC 2 heavily audits whether management has defined and documented procedures for system operations and security event handling. A 5.37 directly satisfies the requirement to have formally documented and approved operational “recipes.”
  • EU AI Act, Artificial Intelligence (EU): Article 17 requires high-risk AI system providers to put a Quality Management System (QMS) in place, which explicitly demands documented policies, procedures, and instructions. Annex A 5.37 translates to documenting AI model training, data sanitization, and prompt security review procedures.
  • ISO/IEC 42001 (AI Management System), Artificial Intelligence (Global): Requires documented procedures for managing the lifecycle of AI systems, including data handling, bias monitoring, and model updates. A 5.37 provides the framework to standardize and record these AI-specific operational tasks.
  • General Data Protection Regulation (GDPR), Data Privacy (EU): Article 24 and Article 32 require controllers to implement “technical and organisational measures” to ensure data security. Annex A 5.37 proves these measures exist by formally documenting how personal data is handled, stored, backed up, and deleted during daily IT operations.
  • UK Data (Use and Access) Act 2025, Data Privacy (UK): While reducing administrative burdens compared to legacy GDPR, it maintains high security thresholds for data processing. A 5.37 ensures that the streamlined operational security measures (like access provisioning and data deletion) remain documented, legally defensible, and consistently applied.
  • Cyber Security and Resilience Bill (UK), Critical Infrastructure / Supply Chain (UK): As the UK’s counterpart to NIS2, this bill expands requirements for managed service providers and critical sectors. It requires proof of operational resilience; A 5.37 provides the documented procedures for incident logging, system maintenance, and supply chain security operations.
  • Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), Critical Infrastructure (USA): Mandates 72-hour cyber incident reporting and 24-hour ransom payment reporting. Complying with these strict timelines requires pre-documented incident response, logging, and operational escalation procedures as mandated by Annex A 5.37.
  • EU Product Liability Directive (PLD) Update, Consumer Protection / Software (EU): Extends strict liability to software providers for cybersecurity flaws. To defend against liability claims, software creators must prove they followed standard security practices. A 5.37 ensures that secure coding, patch management, and vulnerability remediation processes are formally documented and auditable.
  • European Cybersecurity Certification Framework (ECCF), Cybersecurity Certification (EU): Requires harmonized security labels for ICT products/services. Achieving higher assurance levels under ECCF necessitates strict, documented proof of how secure operational environments are managed. A 5.37 provides the foundational operational documentation required by ECCF auditors.
  • Health Insurance Portability and Accountability Act (HIPAA), Healthcare / Data Privacy (USA): The HIPAA Security Rule (45 CFR § 164.316) explicitly states that covered entities must implement reasonable and appropriate policies and procedures. Annex A 5.37 aligns flawlessly by providing documented instructions for handling ePHI, system backups, and emergency IT operations.
  • California Consumer Privacy Act (CCPA) / CPRA, Data Privacy (USA – California): Requires businesses to implement and maintain “reasonable security procedures and practices.” Annex A 5.37 provides the tangible documentation (e.g., standard operating procedures for data encryption, access control, and data subject request fulfillment) that proves these practices are in place.

ISO 27001 Annex A 5.37 FAQ

What is ISO 27001 Annex A 5.37?

ISO 27001 Annex A 5.37 (updated from A.12.1.1 in the 2013 version) is an operational security control that mandates organisations to document and maintain operating procedures for all information processing activities.

  • It ensures that security tasks are performed consistently across the organisation.
  • It reduces the risk of human error and system failures.
  • It provides a technical baseline for auditing and compliance monitoring.
  • It covers everything from server backups and system updates to incident response steps.

Are documented operating procedures mandatory for ISO 27001?

Yes, documented operating procedures are mandatory under the ISO 27001:2022 standard for all critical information processing facilities and activities.

  • Auditors will look for these as evidence that the ISMS is operational.
  • Unwritten “tribal knowledge” is considered a risk and can result in non-conformity.
  • Documenting procedures is essential for meeting the requirements of Annex A 5.37.

What should be included in a documented operating procedure?

An ISO 27001-compliant operating procedure must include step-by-step technical instructions, defined roles and responsibilities, and clear escalation paths.

  • Hardware and software configuration steps.
  • Information processing and handling requirements.
  • Backup, recovery, and business continuity instructions.
  • Scheduling requirements and dependencies on other systems.
  • Error handling and incident management procedures.

What is the difference between a security policy and an operating procedure?

An Information Security Policy defines the high-level management direction and goals (“the what”), whereas an operating procedure provides specific technical instructions (“the how”).

  • Policy: “We must take daily backups of all financial data.”
  • Procedure: “Log into the backup server, select the ‘Finance’ job, and click run at 02:00.”
  • Policies are for governance; procedures are for daily execution.

How often should documented operating procedures be reviewed?

ISO 27001 operating procedures should be reviewed at least annually or whenever significant changes are made to the technical environment.

  • Reviews ensure instructions remain accurate as systems and software are updated.
  • Changes in personnel or internal roles may require updates to responsibility sections.
  • Testing procedures (like backup restoration) often trigger mandatory updates.

Where should operating procedures be stored for compliance?

Operating procedures must be stored in a centralised, secure location that is accessible to all authorised personnel who need them to perform their duties.

  • Common storage solutions include a secure Intranet, DMS (Document Management System), or a Version Control System (like Git).
  • Procedures should be subject to document control (Annex A 5.37 requires versioning).
  • Access must be restricted to prevent unauthorised modification or disclosure.

Matrix of ISO 27001 Controls and Attribute values

  • Control type: Preventive, Corrective
  • Information security properties: Availability, Confidentiality, Integrity
  • Cybersecurity concepts: Protect, Recover
  • Operational capabilities: Asset management, Physical security, System and network security, Application security, Secure configuration, Identity and access management, Threat and vulnerability management, Continuity, Information security event management
  • Security domains: Governance and ecosystem, Protection, Defence

About the author

Stuart Barker
🎓 MSc Security 🛡️ Lead Auditor 30+ Years Exp 🏢 Ex-GE Leader

ISO 27001 Ninja

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.
