Taming Complexity: A Practical Guide to ISO 27001 Annex A 5.37 for AI Companies

Introduction: Beyond the Checklist for AI Innovation

For a fast-paced AI company, achieving ISO 27001 compliance can often feel like a bureaucratic hurdle – a checklist to be completed rather than a genuine asset. However, hidden within the standard is a control that, when properly implemented, becomes a critical tool for scaling securely and efficiently: ISO 27001 Annex A 5.37, Documented operating procedures.

For organisations pioneering artificial intelligence, this control is not merely about standardising IT operations. It is a fundamental mechanism for protecting priceless intellectual property, ensuring the consistency and reliability of algorithmic processes, and building the bedrock of trust with clients and partners. By embedding clear, repeatable procedures into your operations, you transform security from an afterthought into a strategic enabler of innovation.

From an auditor’s perspective, applying this control effectively and unlocking its strategic value starts with understanding its core purpose and requirements.

Understanding the Core Requirement: What is Annex A 5.37?

This section demystifies the control’s requirements, providing a solid foundation before we explore its specific and critical application to the world of AI. At its heart, Annex A 5.37 is about ensuring that the operational activities underpinning your information security are performed correctly, securely, and, most importantly, consistently across the entire organisation. The goal is to create a clear, shared understanding of how critical tasks should be executed. It is about process maturity.

The ISO 27001 standard requires that “Operating procedures for information processing facilities should be documented and made available to personnel who need them.” While this sounds simple, the key is knowing which activities require this level of formal documentation.

When to Document a Procedure

Documentation is particularly important when specific conditions increase the risk of errors, inconsistencies, or security lapses. You should prioritise creating documented procedures in the following situations:

  • When an activity is performed by multiple people and needs to be executed in a uniform way to guarantee consistent and secure outcomes.
  • When a task is performed infrequently, which increases the risk that crucial steps might be forgotten or performed incorrectly.
  • When a new activity introduces risks if not executed correctly by staff who are not yet familiar with the process.
  • When responsibility for a task is transferred to a new person or team, ensuring a smooth and secure handover of duties without loss of knowledge.

Understanding these triggers is the first step, but for an AI company, the stakes are uniquely high. The next section explores the specific challenges that make this control indispensable.

The AI Challenge: Why 5.37 is Uniquely Critical for Your Business

While the principles of control 5.37 are universal, the operational realities of an AI company create unique and high-stakes risks that demand rigorous procedural control. The dynamic and data-intensive nature of AI development means that a lack of formal process can quickly lead to security vulnerabilities, data integrity issues, or the loss of competitive advantage. This section explores these specific challenges across the AI lifecycle.

Securing the Model Training Lifecycle

The model training process is the heart of your innovation, but it is also fraught with risk. You are handling vast, and often sensitive, training datasets that must be protected. Documented procedures are essential to govern how this data is ingested, labelled, stored, and accessed, ensuring compliance and confidentiality. Without formal procedures, you risk inconsistent training runs that can lead to data poisoning, catastrophic forgetting, or the introduction of difficult-to-trace biases that undermine model fairness and reliability. You also expose the core intellectual property embedded in the model weights and architectures.

Standardising Data Processing and Inference

Once a model is trained, its journey into production introduces a new set of operational challenges. Data pipelines that feed live models must be robust and consistent. A lack of documented procedures can lead to inconsistent data pre-processing, causing model or concept drift that leads to severe performance degradation. In a live inference environment, undocumented deployment and configuration processes can create significant security vulnerabilities in inference APIs, potentially leading to model inversion attacks or data exfiltration.

Managing the AI Supply Chain

Modern AI development rarely happens in a vacuum. Your organisation likely relies on a complex supply chain of third-party datasets, pre-trained models, and external APIs. Each of these components introduces potential security risks. Documented operating procedures are essential for managing this AI supply chain, providing a clear framework for vetting, integrating, and monitoring external assets. This prevents catastrophic risks such as integrating pre-trained models with embedded trojans or using third-party datasets that violate privacy regulations (e.g., GDPR) or contain poisoned data.

Understanding these risks is the first step. The next is to build a practical and auditable plan for compliance.



Your Blueprint for Compliance: Actionable Steps

This section serves as your practical, actionable guide to implementation. To create operating procedures that are both effective and audit-ready, you must include a set of key components. The following elements provide a blueprint for what your documented operating procedures should contain, tailored specifically to the context of an AI-driven organisation.

  1. Responsible Individuals: Clearly identify who is accountable for each step of the process. This includes everyone from the data scientists handling sensitive training data and running experiments to the machine learning engineers responsible for deploying models into production environments.
  2. Secure Installation and Configuration: Detail the approved steps for setting up development environments, data processing tools, and inference servers. This ensures that all systems meet your information security standards from the very beginning, minimising vulnerabilities.
  3. Information Processing and Handling: Document the required manual and automated steps for data acquisition, labelling, cleaning, and transformation. This is critical for ensuring the consistency and integrity of the data that fuels your models.
  4. Backup and Resilience: Specify procedures for backing up not just your data, but also your model weights, container images, configurations, and crucial training logs. Crucially, you must also detail and periodically test the recovery process to ensure business continuity (see Control 8.13).
  5. Error Handling: Define clear instructions for managing exceptions and failures. This includes what to do when a data pipeline fails, a model begins to produce anomalous or biased results, or an unexpected input is received by an inference API.
  6. Support and Escalation Contacts: Maintain a readily accessible list of internal and external contacts for technical, operational, or security issues. This ensures that when a problem arises, a swift and effective response is possible.
  7. Audit Trails and Logs: Specify the requirements for logging key events across the AI lifecycle. This includes data access requests, model training runs, deployment changes, and inference requests, providing the necessary audit trails for security monitoring and incident investigation (see Controls 8.15 and 8.16).
  8. Monitoring and Maintenance: Outline the procedures for continuously monitoring model performance, detecting data and concept drift, and assessing the security of the underlying infrastructure. This must also cover capacity management and verifying that the infrastructure can sustain the required performance, ensuring your AI systems remain effective, reliable, and secure over time.
  9. Scheduling and Dependencies: Document critical dependencies between systems and outline scheduling requirements for data processing pipelines and model retraining jobs. This is essential to prevent cascading failures and ensure the timely availability of models and data.

Knowing what to include in your procedures is half the battle. The other half is implementing this framework efficiently without slowing down your teams.

The Solution: Streamline Compliance with the High Table ISO 27001 Toolkit

Implementing a comprehensive set of operating procedures from scratch is a formidable task that can consume hundreds of hours of valuable time. This is where the High Table ISO 27001 Toolkit provides a logical and efficient solution, designed specifically to help innovative companies accelerate compliance without stifling the pace of development.

The toolkit directly addresses the needs of an AI company by providing a complete set of expert-written templates for the policies and procedures required by control 5.37 and the entire ISO 27001 standard. Instead of starting with a blank page, your teams are equipped with a robust framework that can be quickly adapted to your specific workflows, saving an enormous amount of effort and ensuring no critical details are missed.

Using the High Table toolkit provides several distinct advantages for building your operational framework:

  • Auditor-Verified Foundation: The templates are designed by an ISO 27001 Lead Auditor with decades of experience. This ensures that the documentation is structured to meet the specific evidence standards required by certification bodies, smoothing your path to a successful audit.
  • Full Ownership and Customisation: Because it is a toolkit, not a rigid platform, you retain complete control. You can adapt the documents precisely to your unique AI workflows, from data handling protocols and secure development practices to model deployment and monitoring.
  • Pragmatic and Actionable: This is not a theoretical guide. The toolkit is a collection of practical, pre-made documents that provide a direct shortcut to building a robust and compliant operational framework, allowing your team to focus on innovation rather than paperwork.

Ultimately, the toolkit offers the smartest, most efficient path to transforming a complex compliance requirement into a genuine business asset that supports secure and sustainable growth.




Final Thoughts

This guide has unpacked ISO 27001 Annex A 5.37, moving beyond the jargon to reveal its strategic importance for AI companies. We have explored its core purpose, examined its unique criticality in the context of AI innovation, and provided a practical blueprint for implementation.

It should now be clear that for an AI company, documented operating procedures are not an administrative burden. They are a strategic necessity for ensuring consistency in a complex environment, managing high-stakes risks to data and intellectual property, and demonstrating the trustworthiness that clients and investors demand.

Implementing control 5.37 effectively is a direct investment in protecting your innovation and enabling your growth. By leveraging a resource like the High Table ISO 27001 Toolkit, you can achieve this critical goal with the speed and efficiency your business deserves.

Stuart Barker

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.
