ISO 27001:2022 Annex A Control 5.37: Documented Operating Procedures

Control 5.37 treats information security as an operational activity, meaning it requires care, guidance and review. The constituent elements of information security should be carried out or managed by individuals, and Annex 5.37 highlights the operational procedures needed to maintain an organisation’s information security framework.

These procedures are designed to help organisations meet the documented needs of effective information security management, ensuring that data protection remains secure and efficient across the entire organisation.

Key operational considerations of control 5.37

According to control 5.37, procedures relating to information security should be developed with five key operational considerations in mind. These are:

• Instances in which one or more individuals perform an activity in the same way.
• Activities which are not performed frequently.
• Procedures which are at risk of being overlooked.
• New or unfamiliar activities which staff are less certain about, meaning higher risk.
• Transferring responsibility for carrying out an activity from one employee or group to another.

Outlining operational procedures for information security

Should any of the above instances occur, it’s important for businesses to follow clearly defined operating procedures of what actions should be taken. Annex 5.37 stipulates that these procedures must outline:

• The individuals responsible for the activity, from incumbents to new operators

• Steps for maintaining security during system installation and configuration

• The way information will be processed throughout the activity

• Implications and plans in case of disaster or data loss

• Links between dependencies and any other systems, such as scheduling

• Procedures for handling errors or miscellaneous events

• A list of contactable personnel in the event of disruption

• Operational instructions for storage media relevant to the activity

• Instructions for recovery and rebooting in the event of a system failure

• Audit trail logging, including event logs and system logs

• Onsite activity observation systems

• Monitoring systems catering to performance potential, operational capacity and activity security

• Knowing what should be done to maintain activities and optimal performance levels

What’s changed since 2013?

Replacing ISO 27001:2013 Annex A 12.1.1, 2022’s control 5.37 expands on the same material by delivering a broader set of circumstances in which adherence to documented procedures would be warranted.

Expanding the scope of 2013’s control, 2022’s control 5.37 discussed generalised activities rather than being limited to specific technical functions. It also highlights the importance of categorising the individuals responsible for an activity.