If you have spent any time with the ISO 27001 standard, you know that documentation is the backbone of a successful Information Security Management System (ISMS). When the standard moved from the 2013 version to the 2022 update, many controls were shifted, merged, or expanded. One of the most essential “day-to-day” controls, Documented Operating Procedures, found a new home and a broader purpose under Annex A 5.37.
The Shift from 12.1.1 to 5.37
In ISO 27001:2013, this requirement lived under Control A.12.1.1 within the “Operations Security” domain. At that time it was viewed almost entirely through a technical lens. The focus was on IT operations: how to install and configure a system, how to run backups, how to schedule jobs, how to handle errors, and how to manage media. In practice it read as an instruction manual for the IT department and little else.
In the 2022 revision, this has been reclassified as Annex A 5.37 and moved into the Organisational Controls theme. This change is vital because it acknowledges that operating procedures aren’t just for IT specialists anymore. According to Hightable.io, moving this control to the organisational category signals that documenting “how we do things” is a fundamental business requirement that spans across departments, ensuring consistency and reducing human error everywhere information is processed.
What Exactly is Annex A 5.37?
The stated purpose of Annex A 5.37 is to ensure the correct and secure operation of information processing facilities. It requires that operating procedures be documented and made available to the personnel who need them. Think of it as a “recipe book” for your security operations: if everyone follows the same recipe, the results remain consistent and safe.
One of the most significant changes in the 2022 version is the expanded scope. While the 2013 version felt restricted to technical tasks, the 2022 version covers a much broader set of circumstances. As noted by Hightable.io, you should consider documenting a procedure whenever:
- An activity is performed by multiple people and needs to be done the same way every time.
- A task is performed rarely (like a disaster recovery test) and might be forgotten without instructions.
- A new activity is introduced that carries a high risk if performed incorrectly.
- Responsibilities for a task are being handed over to new staff.
The Anatomy of a Modern Operating Procedure
The implementation guidance for Annex A 5.37 (in ISO 27002:2022) is much more detailed about what these documents should actually contain. It isn’t just about the steps; it’s about the context around them. A robust procedure under the new standard should include:
- Responsible Individuals: Clearly identifying who is authorised to perform the task, and who owns the procedure.
- System Dependencies: Links between different systems and scheduling requirements, so that a job is not run before its inputs exist.
- Error Handling: What to do when things go wrong, including exceptional conditions, and who the support and escalation contacts are.
- Restart and Recovery: Specific instructions for bringing systems back online after a disruption, including backup and resilience steps.
- Media Handling: How storage media (physical or digital) and any special output should be managed during the process.
- Logs and Monitoring: How the audit trail and system logs produced by the activity are managed, and what is monitored to confirm the procedure ran as expected.

Why the Move to “Organizational” Matters
By categorizing Documented Operating Procedures as an organizational control, ISO 27001:2022 helps break down the silos between IT and the rest of the business. It encourages a culture of “process maturity.” When procedures are written down and accessible, the organization becomes less reliant on the “heroics” of a few key individuals who hold all the knowledge in their heads.
The introduction of attributes in the 2022 version also lets you tag control 5.37. In ISO 27002:2022 it carries both the Preventive and Corrective control types (the restart and recovery instructions are the corrective half) and all three security properties: Confidentiality, Integrity and Availability. Attributes do not prove anything on their own, but they make it easier to filter your control set, map it to other frameworks, and show auditors where your documentation supports both preventing incidents and recovering from them.
Transitioning from 2013 to 2022
If you are currently transitioning, you don’t necessarily need to throw away your old 12.1.1 procedures. However, you do need to review them. Ask yourself: “Are these procedures only for the server room, or do they cover our modern ways of working, like cloud management and remote access?”
Hightable.io suggests that a gap analysis is your best friend here. Map your existing IT SOPs to the 5.37 requirements and look for areas where you lack documentation for non-technical but security-critical tasks. This might include how you manage user onboarding and offboarding, or how you handle information transfer in your customer service department.
Final Thoughts
Annex A 5.37 is the “unsung hero” of the ISO 27001:2022 update. It takes the old-school idea of an IT manual and turns it into an organisational tool for reliability and security. By documenting your operations you aren’t just satisfying an auditor; you are building a more resilient, scalable, and professional business.
