ISO 27001 Annex A Control 5.37

ISO 27001 control 5.37 Documented operating procedures

The basics

ISO 27001 control A.5.37 Documented operating procedures requires companies to write the relevant security procedures and make them available to the personnel who need them. This is important in order to standardize how security activities are performed and to minimize the risk of disruption due to operational errors.

Documentation

ISO 27001 control A.5.37 Documented operating procedures can be documented:

  • For smaller and mid-sized companies, through a Security Procedures for IT Department document.
  • Larger companies might have separate procedures for performing different types of operations (e.g., information backup, asset disposal, etc.).

This control must be documented.

Implementation

In order to comply with control A.5.37 Documented operating procedures you might implement the following:

  • Technology — Companies of all sizes will probably be able to document operating procedures by using the same text processing tools used to develop their security policies and procedures (e.g., MS Word, Google Docs, etc.), and the same document management system for controlling those documents (e.g., SharePoint).
  • Organization/processes — you should define which processes need to be documented, who is in charge of documenting them, and set the rules for writing such documents. You can document those processes through the Security Procedures for IT Department.
  • People — make employees aware of why documenting operating procedures is needed, and train them on how to document the procedures.

Audit evidence

During the certification audit, the auditor might look for the following evidence regarding control A.5.37 Documented operating procedures: whether the relevant security procedures are written and available to those who need them.