1. Framework FAQs

ISO 27001: 2022 A.5.37 Documented operating procedures

This article provides additional information on how you can meet the requirement for the ISO 27001: 2022 A.5.37 Documented operating procedures.

ISO 27001: 2022 Control Description

Operating procedures for information processing facilities shall be documented and made available to personnel who need them.

Purpose

To ensure the correct and secure operation of information processing facilities.

Guidance

Documented procedures should be prepared for the organisation’s operational activities associated with information security, such as:

a) when the activity needs to be performed consistently by many individuals;

b) when the activity is infrequent and may be forgotten by the time it is next performed;

c) when the activity is new and presents a risk if not performed correctly;

d) before handing over the activity to new personnel.

The operating procedures should specify:

a) the responsible individuals;

b) the secure installation and configuration of systems;

c) the processing and handling of information, both automated and manual;

d) backup and resilience;

e) scheduling requirements, including interdependencies with other systems;

f) instructions for handling errors or other exceptional conditions (e.g. restrictions on the use of utility programs that may arise during job execution);

g) support and escalation contacts, including external support contacts for unexpected operational or technical difficulties;

h) instructions for handling storage media;

i) system restart and recovery procedures for use in the event of system failure;

j) the management of audit trail and system log information, and video monitoring systems;

k) monitoring procedures such as capacity, performance, and security;

l) maintenance instructions.

Documented operating procedures should be reviewed and updated as necessary.

Changes to documented operating procedures should be authorised.

Where technically feasible, information systems should be managed consistently using the same procedures, tools, and utilities.