
ISO 27001 A.5.37: Documented operating procedures

What This Control Requires

Operating procedures for information processing facilities shall be documented and made available to personnel who need them.

In Plain Language

What happens when your senior sysadmin is on holiday and something breaks? If the answer is "we wait until they get back" then you have a documentation problem. This control is about getting operational procedures out of people's heads and into written, accessible documents.

Documented procedures ensure consistency, reduce errors, make knowledge transfer possible, and give people a reference when things go wrong. They are especially critical for security-sensitive operations like system administration, backup and recovery, change management, and incident response.

The procedures need to be detailed enough for a qualified person to follow correctly and consistently. They should cover routine operations and the non-routine stuff too - error handling, escalation paths, what to do when step three does not work as expected. And they have to stay current. Outdated procedures can be worse than no procedures at all.

How to Implement

Start by identifying all information processing facilities and the operational activities that need documented procedures. Prioritise by criticality and complexity. Common areas include server and infrastructure management, network operations, database administration, backup and recovery, change management, patch management, user account management, security monitoring, log review, and incident response.

Create a standard template so all procedures have a consistent structure: purpose and scope, prerequisites and required access, step-by-step instructions, expected outcomes and verification steps, error handling and troubleshooting, escalation procedures, related references, version control information, and review schedule.

Write for the right audience - qualified personnel in the relevant role. You do not need to explain basic concepts, but the procedures should be specific enough that a competent person unfamiliar with your particular environment could follow them. Add screenshots, diagrams, or command examples wherever they add clarity.

Store everything in a centralised, accessible location - a wiki, knowledge base, or document management system. Make sure critical recovery procedures are available even during outages (keep offline copies). Use version control to track changes.

Assign an owner to each procedure. Review at least annually and whenever related systems or processes change. Test critical procedures periodically to confirm they still work. Remove or archive anything obsolete so people do not follow outdated instructions.

Embed procedures into daily operations. Reference them in work instructions and checklists. Include procedure compliance in operational audits. Where possible, turn procedures into runbooks or automation scripts so they are built into the tooling rather than sitting in a document nobody reads.
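The ownership, review-schedule and template requirements above can be enforced with a small register check rather than left to an annual spreadsheet hunt. The script below is an added example, not AuditFront's tooling or anything the standard prescribes: it walks a constructed procedure register, flags entries with no owner, entries missing template sections, entries whose review date has lapsed, and entries whose related system changed after the last review. The field names, the section list and the sample data are all assumptions chosen to mirror the template described on this page.

```python
"""Procedure register staleness check (added example; sample data is constructed)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Sections every procedure must contain, mirroring the page's template.
# These section keys are assumptions, not a fixed ISO 27001 requirement.
REQUIRED_SECTIONS = (
    "purpose_and_scope",
    "prerequisites",
    "steps",
    "verification",
    "error_handling",
    "escalation",
    "version_info",
)


@dataclass
class Procedure:
    proc_id: str
    title: str
    owner: Optional[str]
    related_system: str
    last_reviewed: Optional[date]
    review_interval_days: int
    sections: Tuple[str, ...]
    status: str = "active"  # "active" or "archived"


# Constructed sample register (not real procedures).
REGISTER = [
    Procedure("OP-001", "Nightly backup verification", "backup-team", "backup-srv",
              date(2024, 2, 1), 365, REQUIRED_SECTIONS),
    Procedure("OP-002", "Restore production database", None, "db-cluster",
              date(2023, 1, 15), 365, ("purpose_and_scope", "steps")),
    Procedure("OP-003", "Rotate service account credentials", "iam-team", "idp",
              None, 180, REQUIRED_SECTIONS),
    Procedure("OP-004", "Legacy VPN onboarding", "net-team", "vpn-old",
              date(2020, 6, 1), 365, REQUIRED_SECTIONS, status="archived"),
]

# Constructed change log: system -> date of its most recent recorded change.
# In practice this would come from the change-management system.
SYSTEM_CHANGES = {"db-cluster": date(2024, 5, 10), "idp": date(2024, 3, 3)}


def check_procedure(proc: Procedure, today: date,
                    system_changes: Dict[str, date]) -> List[str]:
    """Return a list of findings for one procedure; empty means it is current."""
    findings: List[str] = []
    if proc.status != "active":
        return findings  # archived procedures are out of scope
    if not proc.owner:
        findings.append("no owner assigned")
    missing = [s for s in REQUIRED_SECTIONS if s not in proc.sections]
    if missing:
        findings.append("missing sections: " + ", ".join(missing))
    if proc.last_reviewed is None:
        findings.append("never reviewed")
    else:
        due = proc.last_reviewed + timedelta(days=proc.review_interval_days)
        if today > due:
            findings.append(f"review overdue by {(today - due).days} days")
        changed = system_changes.get(proc.related_system)
        if changed and changed > proc.last_reviewed:
            findings.append(
                f"related system changed on {changed.isoformat()} after last review")
    return findings


def audit_register(register: List[Procedure], today: date,
                   system_changes: Dict[str, date]) -> Dict[str, List[str]]:
    """Map each active procedure id to its findings."""
    return {p.proc_id: check_procedure(p, today, system_changes)
            for p in register if p.status == "active"}


def run_sample_audit(today_iso: str = "2024-09-01") -> Dict[str, List[str]]:
    """Audit the constructed register as of the given ISO date."""
    return audit_register(REGISTER, date.fromisoformat(today_iso), SYSTEM_CHANGES)


if __name__ == "__main__":
    for proc_id, findings in run_sample_audit().items():
        state = "OK" if not findings else "; ".join(findings)
        print(f"{proc_id}: {state}")
```

Running it as a scheduled job and failing the job on any non-empty finding turns the review schedule into a control that fires before the auditor asks, which is the "built into the tooling" approach the section recommends.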

Evidence Your Auditor Will Request

  • Inventory of documented operating procedures for information processing facilities
  • Sample operating procedures showing appropriate detail and format
  • Procedure review records showing regular updates and version control
  • Accessibility evidence showing procedures are available to relevant personnel
  • Records of procedure testing or validation

Common Mistakes

  • Operating procedures are not documented or exist only as tribal knowledge
  • Procedures are outdated and do not reflect current systems or configurations
  • Procedures are stored in locations not accessible to personnel who need them
  • No review schedule or process for keeping procedures current
  • Procedures lack sufficient detail for consistent execution

Related Controls Across Frameworks

Framework   Control ID     Relationship
SOC 2       CC7.1          Partial overlap
SOC 2       CC8.1          Partial overlap
NIS2        Art.21(2)(a)   Partial overlap

Frequently Asked Questions

Do all operations need documented procedures?
No - focus on security-critical and complex operations first. Anything that affects system availability, data integrity, or confidentiality should be at the top of the list. Routine tasks performed daily by experienced staff might only need lightweight documentation. Complex, infrequent, or high-risk operations need comprehensive step-by-step procedures. Take a risk-based approach and document what matters most first.
How do we keep procedures up to date?
Give every procedure an owner - that is the single most effective step. Tie procedure updates into your change management process so that when a system changes, the related procedures get reviewed automatically. Schedule annual reviews as a backstop. Encourage the ops team to flag outdated procedures when they hit them in practice. A wiki or collaborative platform lowers the friction for updates. And track review status in a register so nothing silently goes stale.
