ISO 27001 Annex A 5.37 – Documented Operating Procedures


You need to document your processes and procedures to meet the requirements of ISO 27001 Annex A 5.37. A documented operating procedure in ISO 27001 is simply a written guide that tells you exactly how to do a task securely. Think of it as a set of instructions for a particular process. This makes sure that everyone performs the task the same way every time, which helps keep your data safe. By having this in place, you show that your organisation takes information security seriously.

What is ISO 27001 Annex A 5.37?

The latest version of the ISO 27001 standard is ISO/IEC 27001:2022 (published in October 2022).

In the ISO/IEC 27001:2022 standard, the control is titled “Documented Operating Procedures”.

What is the ISO 27001 Annex A 5.37 control objective?

The formal definition and control objective in the standard is: “Operating procedures for information processing facilities should be documented and made available to personnel who need them.”

What is the purpose of ISO 27001 Annex A 5.37?

The purpose of ISO 27001 Annex A 5.37 is “to ensure the correct and secure operation of information security processing facilities.”

Is ISO 27001 Annex A 5.37 Mandatory?

ISO 27001 Annex A control 5.37 (Documented Operating Procedures in the 2022 standard) is not automatically mandatory in the way the clauses in the main body of the standard (clauses 4 through 10) are.

The mandatory part of the standard requires you to consider ISO 27001 Annex A 5.37 and all other Annex A controls, but you have the flexibility to exclude it if it is not applicable to your organisation’s specific risks and context.

Key Parts of the Rule

To follow this control, you should have clear plans and policies in place. The important steps are set out below:

When to Document Procedures

You should write down a procedure in situations like these:

  • When a task is carried out by many people and must be done in a uniform way.
  • When an activity is performed infrequently, and the steps might be forgotten when it is next required.
  • When you are doing something for the first time, and incorrect performance could lead to a risk.
  • Before another person takes over responsibility for carrying out the procedure.

How to Write Procedures

Writing these procedures is a task for your team. You should follow these guidelines:

  • Keep the language simple: Use ordinary words that anyone can understand.
  • State the reason: Explain the importance of this procedure.
  • List the steps: Divide the task into distinct, numbered actions.
  • Set out who is responsible: Make it clear which person does each part.
  • Get official agreement: Have the appropriate people officially approve the procedure.

What to Document

You need to record every process you rely on for information security. The following items are the minimum you must document:

  • Secure installation and setup.
  • How information is handled, covering both manual and automated methods.
  • Backup plans and recovery capability.
  • Scheduling needs.
  • How different systems rely on each other.
  • Steps for dealing with mistakes.
  • Contact details for support and problem escalation.
  • How storage media is managed.
  • Steps for restarting and restoring systems.
  • The management of audit records, system logs, video records, and activity trails.
  • Capacity planning.
  • Maintenance tasks.

When to Update Procedures

You should review and update your procedures whenever necessary, and at least once every year. The standard does not strictly require an annual review, but not doing one will certainly cause problems for you.

When you make a change, you need to officially approve that change and keep some proof that the approval happened.