ISO 27001 Annex A 5.37 Documented Operating Procedures

What is ISO 27001 Annex A 5.37 Documented Operating Procedures in ISO 27001?

Documented operating procedures are written instructions for recurring security tasks. You must integrate these into your internal tools like SharePoint or Confluence. This ensures staff follow consistent security methods. Avoid external tools that separate procedures from daily work. These records prove operational control during audits.

Auditor’s Eye: The Shortcut Trap

Automated SaaS platforms often offer template libraries. Users tick a box to claim compliance. This lacks technical reality. Auditors want to see procedures in your native environment. SharePoint versioning proves you maintain your own rules. SaaS platforms decouple security from the team. If your procedures live in a “black box,” your staff will not use them. We look for evidence of use in Jira and SharePoint logs. Real compliance requires procedures that reflect your actual technical setup.

| 2013 Control Reference | 2022 Control Reference | Requirement Summary |
| --- | --- | --- |
| A.12.1.1 Documented operating procedures | 5.37 Documented operating procedures | The requirement remains essentially identical. Procedures must be documented and available to those who need them. |

How to Implement ISO 27001 Annex A 5.37 (Step-by-Step)

Documented operating procedures ensure technical consistency across the business. You must host these instructions where work happens. Use Confluence for wikis or SharePoint for manuals. This makes compliance a cultural habit. It is not a software installation. Start by mapping your core technical processes.

  • Identify Scope: List all recurring tasks like backups and patching.
  • Select Tools: Choose internal wikis for accessibility.
  • Draft Content: Write clear, active instructions for each task.
  • Enable Control: Use SharePoint permissions to protect against unauthorised edits.
  • Review Cycles: Set Jira reminders for annual procedural reviews.

ISO 27001 Annex A 5.37 Audit Evidence Checklist

Focus on manual records and internal document versions. These prove human oversight and intent. Use these items to satisfy your auditor.

  • Technical wikis in Confluence with clear ownership.
  • Approved manuals stored in version-controlled SharePoint libraries.
  • Evidence of staff training on new procedures.
  • Jira workflow logs showing procedure links in active tickets.
  • Meeting minutes from management reviews of operational performance.

Relational Mapping

  • Clause 8.1: Operational planning and control requirements.
  • Annex A 8.13: Information backup procedures.
  • Annex A 8.19: Installation of software on operational systems.

Auditor Interview

Auditor: How do your engineers find the correct instructions for server hardening?

Manager: We maintain all hardening guides in our Confluence technical wiki. Engineers access them via links in their Jira build tickets.

Auditor: Can you show me the version history for your backup procedure?

Manager: Yes. The SharePoint audit log shows the last update was reviewed in October.

Common Non-Conformities

| Failure Mode | Auditor Observation | Remediation Action |
| --- | --- | --- |
| Automated Complacency | The team uses a SaaS platform template. No staff member has read or modified it. | Draft bespoke procedures in SharePoint that reflect your actual systems. |
| Oral Tradition | Procedures exist but staff learn them by word of mouth. No written record exists. | Document the “unwritten rules” in a shared Confluence space. |
| Outdated Manuals | Procedures describe systems that were decommissioned three years ago. | Implement a formal quarterly review cycle using Jira tasks. |

Frequently Asked Questions

What is the main requirement of Annex A 5.37?

Bottom Line Up Front: You must document procedures for all information security tasks. These documents must be available to the staff who perform the work. Using internal wikis ensures the team can access them easily. This creates a reliable and repeatable security environment for the business.

How detailed should an operating procedure be?

Bottom Line Up Front: Procedures should be detailed enough for a competent person to follow. They should not be overly complex. Focus on clear steps and required outcomes. Use screenshots and internal wiki formatting to improve clarity for your technical teams.

Can we use video guides as documented procedures?

Bottom Line Up Front: Yes, video guides are acceptable if they are managed. You must store them in a secure organizational repository. They require version control and regular review just like text. Document the location of these videos in your SharePoint master list.

LA CASA DE CERTIFICACIÓN