All types Page Article White Paper Download
Solutions The best route to security compliance
Hicomply Privacy™ ISO 27001 ISO 9001 ISO 14001 SOC 2 NHS DSPT NIST 800-53 Hicomply GRC™ Services & Customer Support
Platform A powerful suite of ISMS features
Dashboard ISMS Scoping Policy Management Risk Management Information Asset Management Task Management Integrations Hicomply for Enterprises Trust Centre Controls Monitor Hicomply AI SCIM Integration
Resources Everything you need to know
Knowledge & Insights Resources Hub Case Studies Sectors Glossary News ROI Calculator
Knowledge Base Learn more about infosec
ISO 27001 Knowledge Base SOC 2 Knowledge Base NHS DSPT Knowledge Base PCI DSS Knowledge Base NIST 800-53 Knowledge Base DORA Knowledge Base
Company Security and customers first
About News Partners Contact

Documented operating procedures

Annex A control 5.37 of the 2022 version of the ISO 27001 standard can be mapped to ISO 27001:2013 Annex A 12.1.1

Control 5.37 treats information security as an operational activity, meaning it requires care, guidance and review. The constituent elements of information security should be carried out or managed by individuals, and Annex 5.37 highlights the operational procedures needed to maintain an organisation’s information security framework.

These procedures are designed to help organisations meet the documented needs of effective information security management, ensuring that data protection remains secure and efficient across the entire organisation.

Key operational considerations of control 5.37

According to control 5.37, procedures relating to information security should be developed with five key operational considerations in mind. These are:

  1. Instances in which one of more individuals perform an activity in the same way.
  2. Activities which are not performed frequently.
  3. Procedures which are at risk of being overlooked.
  4. New or unfamiliar activities which staff are less certain about, meaning higher risk.
  5. Transferring responsibility for carrying out an activity from one employee or group to another.

Outlining operational procedures for information security

Should any of the above instances occur, it’s important for businesses to follow clearly defined operating procedures of what actions should be taken. Annex 5.37 stipulates that these procedures must outline:

  • The individuals responsible for the activity, from incumbents to new operators
  • Steps for maintaining security during system installation and configuration
  • The way information will be processed throughout the activity
  • Implications and plans in case of disaster or data loss
  • Links between dependencies and any other systems, such as scheduling
  • Procedures for handling errors or miscellaneous events
  • A list of contactable personnel in the event of disruption
  • Operational instructions for storage media relevant to the activity
  • Instructions for recovery and rebooting in the event of a system failure
  • Audit trail logging, including event logs and system logs
  • Onsite activity observations systems
  • Monitoring systems catering to performance potential, operational capacity and activity security
  • Knowing what should be done to maintain activities and optimal performance levels

What’s changed since 2013?

Replacing ISO 27001:2013 Annex A 12.1.1, 2022’s control 5.37 expands on the same material by delivering a broader set of circumstances in which adherence to documented procedure would be warranted.

Expanding the scope of 2013’s control, 2022’s control 5.37 discussed generalised activities rather than being limited to specific technical functions. It also highlights the importance of categorising the individuals responsible for an activity.