ISO 27001:2022 Annex A Control 5.37
Explaining Annex A Control 5.37: Documented Operating Procedures
ISO 27001 Control 5.37 mandates the documentation of operating procedures to ensure that information systems are managed securely and consistently. Well-documented procedures help mitigate risks, ensure regulatory compliance, and support business continuity by reducing the impact of operational errors or security incidents.
Control Type
- Preventive
- Corrective
Information Security Properties
- Confidentiality
- Integrity
- Availability
Cybersecurity Concepts
- Protect
- Recover
Operational Capabilities
- Human Resource Security
- Physical Security
- System and Network Security
- Application Security
- Identity and Access Management
- Threat and Vulnerability Management
- Continuity
- Information Security Event Management
Security Domains
- Governance and Ecosystem
- Protection
- Defence
Objective of ISO 27001 Control 5.37
The primary objective of Control 5.37 is to standardize and secure the way your organization operates and manages its information processing facilities. By documenting operational procedures, your organization can:
- Ensure consistency in executing critical IT and security tasks.
- Reduce operational risks caused by human errors or misconfigurations.
- Maintain business continuity by ensuring employees have clear guidance on operational tasks.
- Meet compliance and regulatory requirements related to IT governance, risk management, and security controls.
- Improve efficiency by streamlining processes across teams and departments.
Purpose of ISO 27001 Control 5.37
The purpose of this control is to protect the integrity, confidentiality, and availability of information processing facilities through structured and documented operational procedures. This control is particularly important in the following scenarios:
When multiple employees perform the same task
- A shared procedure ensures everyone follows the same process, preventing inconsistencies or security gaps.
When tasks are performed infrequently
- Procedures ensure employees can correctly execute rare or complex tasks without errors.
When introducing new processes or technologies
- Establishing clear procedures reduces risk when implementing new systems or operational changes.
When handing over responsibilities
- Documentation ensures that new employees or teams can take over tasks seamlessly and with minimal risk.
Components of Documented Operating Procedures
For ISO 27001 compliance, operating procedures should cover all critical aspects of information processing facilities, including the following:
Assigning Responsibility
- Clearly define who is responsible for each documented procedure.
- Specify roles and access levels for personnel managing IT systems.
Secure Installation and Configuration of Systems
- Guidelines for the initial setup and secure configuration of servers, network devices, and applications.
- Steps to harden systems to reduce vulnerabilities.
Processing and Handling of Information
- Define how sensitive data should be processed, stored, and transmitted securely.
- Outline the rules for handling information manually and through automated systems.
Backup and Resilience Measures
- Document backup frequencies, storage locations, and retention periods.
- Include disaster recovery and data restoration processes.
Scheduling and System Dependencies
- Identify scheduled maintenance, updates, and system dependencies.
- Ensure interdependent systems are synchronized properly.
Error Handling and Incident Response
- Procedures for detecting, responding to, and mitigating errors in systems.
- Define escalation processes for security or operational incidents.
Support and Escalation Contacts
- Maintain internal and external support contact details for system failures or security breaches.
- Document incident reporting protocols.
Storage Media Handling
- Secure handling and disposal of hard drives, USB drives, and cloud storage.
- Compliance with data protection laws for sensitive data.
System Restart and Recovery Procedures
- Document step-by-step procedures for restarting systems after an outage or crash.
- Define data recovery and restoration procedures to minimize downtime.
Audit Trail and Log Management
- Establish guidelines for log retention, access control, and monitoring.
- Maintain audit trails for security and compliance tracking.
Monitoring Performance and Security
- Document methods for system health checks, performance monitoring, and security audits.
Routine Maintenance
- Establish a maintenance schedule for updating systems, patching vulnerabilities, and replacing outdated hardware.
Best Practices for Implementing Documented Operating Procedures
To ensure ISO 27001 compliance and operational efficiency, consider the following best practices:
1. Standardize Your Documentation Format
- Use a consistent structure for all procedures (e.g., purpose, scope, responsibilities, step-by-step actions).
2. Keep Procedures Up-to-Date
- Regularly review and update procedures to reflect changes in systems or regulations.
3. Use a Centralized Documentation System
- Store documents in a secure, easily accessible location for authorized personnel.
4. Train Employees on Procedures
- Conduct regular training sessions to ensure that staff understand and follow documented procedures.
5. Implement a Change Management Process
- Ensure any modifications to procedures are authorized and documented properly.
Relationship to Other ISO 27001 Controls
Control 5.37 is closely linked to several other ISO 27001 controls, including:
- Control 7.4 – Physical security monitoring
- Control 7.10 – Secure handling and disposal of storage media
- Control 7.14 – Guidelines for secure equipment disposal or reuse
- Control 8.6 – Capacity management
- Control 8.13 – Data backup policies and procedures
- Control 8.15 – Logging
- Control 8.16 – Monitoring activities
- Control 8.17 – Clock synchronization
- Control 8.18 – Use of privileged utility programs
How Templates Can Help Your Organization
To facilitate compliance with Control 5.37, your organization can use ready-made ISO 27001 templates to structure and document operational procedures effectively.
- Operating Procedure Documentation Template – Ensures consistency and completeness in operational documentation.
- Backup Policy Template – Aligns with ISO 27001 Control 8.13 for secure backups.
- Recovery Plan Template – Aligns with ISO 27001 Control 8.13 for recovery plans.
- Audit Trail and Log Management Template – Helps manage log retention policies for compliance.