ISO 27001 control 5.37 Documented Operating Procedures

Overview

Documented operating procedures are essential for ensuring information processing facilities’ secure and consistent operation. These procedures provide a clear framework for handling tasks, safeguarding organisational assets, and mitigating risks, all while supporting confidentiality, integrity, and the availability of information.

Purpose

Documented operating procedures’ primary purpose is to ensure that operational activities are performed correctly and securely. This control supports consistent practices across the organisation and reduces the likelihood of errors or mismanagement, particularly in critical or complex tasks.

Guidance

Preparing Documented Procedures

Operating procedures should be prepared for operational activities associated with information security. Documentation is particularly important when:

  • The activity needs to be performed uniformly by multiple individuals.
  • The activity is performed infrequently, increasing the likelihood of forgotten procedural steps.
  • The activity is new and presents risks if not executed correctly.
  • Responsibility for the activity is being handed over to new personnel.

Key Elements of Operating Procedures

Documented operating procedures should include the following:

  1. Responsible Individuals: Identify the personnel responsible for each activity or task.
  2. Secure Installation and Configuration: Provide detailed instructions for the secure installation and configuration of systems.
  3. Processing and Handling of Information: Include automated and manual process guidelines.
  4. Backup and Resilience: Specify backup schedules, processes, and recovery plans (refer to 8.13).
  5. Scheduling Requirements: Outline dependencies with other systems and timing requirements.
  6. Error Handling: Define instructions for managing errors or exceptional conditions, such as restrictions on utility program use (see 8.18).
  7. Support and Escalation Contacts: Include internal and external support contacts for operational or technical difficulties.
  8. Storage Media Handling: Provide instructions for handling storage media (refer to 7.10 and 7.14).
  9. System Restart and Recovery: Provide detailed procedures for restarting and recovering systems after failure.
  10. Audit Trails and Logs: Specify requirements for managing audit trails, system logs (refer to 8.15 and 8.17), and video monitoring systems (refer to 7.4).
  11. Monitoring Procedures: Include monitoring guidelines for capacity, performance, and security (refer to 8.6 and 8.16).
  12. Maintenance Instructions: Provide detailed steps to ensure systems remain secure and operational.

Reviewing and Updating Procedures

Documented procedures should be regularly reviewed and updated as necessary.

Changes must be authorised and communicated to relevant personnel.

Systems should be managed consistently using standardised procedures, tools, and utilities where feasible.

Importance of Documentation

Properly documented procedures enhance operational efficiency, reduce errors, and provide clear guidance during routine and exceptional situations. They also ensure:

  • Continuity of operations despite personnel changes.
  • Faster recovery in case of incidents.
  • Consistency in system and information management.

Conclusion

Documented operating procedures are a cornerstone of an effective information security management framework.

By providing clear, comprehensive, and regularly updated guidance, organisations can ensure that information processing facilities operate securely and efficiently, supporting their overall security objectives and reducing risks to their assets.

What is the purpose of Control 5.37 in ISO 27001:2022?

Control 5.37 emphasises the need for documented operating procedures to ensure information processing facilities’ secure and consistent operation.

Organisations can reduce errors, maintain service continuity, and safeguard information assets by having clear, written procedures.

This control supports the principles of confidentiality, integrity, and availability of information.

When should an organisation create documented operating procedures?

According to ISO/IEC 27002:2022, documented procedures should be prepared when:

– Multiple individuals perform an activity that requires uniform execution.
– An activity is performed infrequently, increasing the risk of forgetting steps.
– An activity is new and poses risks if not executed correctly.
– Responsibility for the activity is being transferred to new personnel.

What key elements should be included in documented operating procedures?

Documented procedures should encompass:

– Identification of responsible individuals.
– Instructions for secure installation and configuration of systems.
– Guidelines for processing and handling information, both automated and manual.
– Backup schedules and recovery plans.
– Scheduling requirements and system dependencies.
– Error handling and exceptional condition management.
– Support and escalation contact information.
– Instructions for handling storage media.
– System restart and recovery procedures.
– Management of audit trails, system logs, and monitoring systems.
– Monitoring procedures for capacity, performance, and security.
– Maintenance instructions to ensure systems remain secure and operational.

How often should documented operating procedures be reviewed and updated?

Documented procedures should be reviewed regularly and updated to reflect system, process, or personnel changes. Any changes must be authorised and communicated to relevant personnel to ensure continued effectiveness and compliance.

Why are documented operating procedures important for information security?

Properly documented procedures enhance operational efficiency, reduce errors, and provide clear guidance during routine and exceptional situations. They ensure continuity of operations despite personnel changes, facilitate faster recovery in case of incidents, and promote consistency in system and information management.