Documented Operating Procedures
Plain English Translation
ISO/IEC 27001:2022 Annex A.5.37 requires that organizations formally document the operating procedures for their information processing facilities. In practice this means step-by-step instructions, such as standard operating procedures (SOPs) for IT, runbooks, or internal wiki pages for tasks like provisioning infrastructure, deploying code, and performing system backups, must be clearly written, kept current, and readily accessible to the personnel who need them to perform their jobs securely.
Technical Implementation
Required Actions (startup)
- Document basic engineering procedures, such as pull request workflows and environment setup, in an internal wiki.
- Maintain step-by-step checklists for routine administrative tasks like onboarding and offboarding users.
Required Actions (scaleup)
- Standardize IT operations using version-controlled Markdown files stored alongside code (Docs-as-Code).
- Implement access controls ensuring only relevant teams can view or edit specific system runbooks.
Required Actions (enterprise)
- Use automated ticketing workflows that embed operational procedures directly into the approval and execution process.
- Conduct formal, annual reviews of all Standard Operating Procedures (SOPs) for accuracy and relevance.
Annex A.5.37 is an organizational control requiring that procedures for the secure and correct operation of information processing facilities be documented, maintained, and made available to the personnel who need them.
An operating procedure includes step-by-step instructions for tasks such as system restarts, automated backups, equipment maintenance, code deployment, handling user access requests, and configuring firewalls.
You should document standard operating procedures (SOP) for IT tasks that affect security, such as capacity management, patching, cryptography key rotation, system monitoring, and incident triage.
A policy dictates the high-level rules (the 'what' and 'why'), an SOP defines the standardized process for a specific operation (the 'how'), and a work instruction provides the granular, step-by-step technical commands to execute it.
Only authorized personnel who require the procedures to perform their duties should have access. This is enforced using role-based access controls (RBAC) on internal wikis or document management systems to prevent unauthorized viewing or tampering.
Auditors typically look for an Operations Security Policy together with supporting A.5.37 evidence, such as screenshots of an internal engineering wiki detailing processes like pull request workflows, or documented technical runbooks with version history and review dates.
They should be detailed enough that a trained professional could follow them consistently without relying on undocumented tribal knowledge, thereby reducing the risk of errors during critical operations.
Procedures should be managed in a centralized document control system that tracks version history, enforces peer review (e.g., via pull requests), and requires periodic management review to ensure technical accuracy. WatchDog Security's Policy Management can support this by maintaining a controlled document lifecycle with version history and acceptance tracking for SOP updates.
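One way to turn the version-control and periodic-review requirements into something a CI pipeline can enforce is to give every Markdown runbook a small front matter block (owner, version, last review date) and fail the build when a runbook is unowned or overdue. The linter below is an added example written for this page; it is not WatchDog Security's code and not part of any ISO 27001 tooling. The front matter keys, the 365-day review interval, the semver version format, the sample runbooks, and the audit date are all assumptions chosen for illustration. The parser deliberately handles only flat `key: value` lines so the script has no third-party dependency.

```python
"""Lint runbook front matter so documented operating procedures stay owned and reviewed.

Added example for the Docs-as-Code approach described on this page (not the page's
own code). Assumed convention: each Markdown runbook starts with a '---' delimited
front matter block containing title, owner, version (semver) and last_reviewed (ISO date).
"""
import re
from datetime import date, timedelta

REVIEW_INTERVAL = timedelta(days=365)          # assumed: annual SOP review cycle
REQUIRED_KEYS = ("title", "owner", "version", "last_reviewed")
SEMVER = re.compile(r"\d+\.\d+\.\d+")
FRONT_MATTER = re.compile(r"\A---\n(.*?)\n---\n", re.DOTALL)
AUDIT_DATE = date(2026, 2, 17)                  # assumed "today" so results are reproducible


def parse_front_matter(markdown):
    """Return {key: value} from the leading front matter block, or None if absent.

    Only flat 'key: value' lines are parsed; nested YAML is intentionally unsupported.
    """
    match = FRONT_MATTER.match(markdown)
    if match is None:
        return None
    meta = {}
    for line in match.group(1).splitlines():
        if ":" not in line:
            continue                                # ignore comments / malformed lines
        key, _, value = line.partition(":")
        meta[key.strip()] = value.strip()
    return meta


def lint_runbook(path, markdown, today):
    """Return a list of human-readable findings for one runbook (empty list = compliant)."""
    findings = []
    meta = parse_front_matter(markdown)
    if meta is None:
        return [f"{path}: missing front matter block (no owner/version/review date)"]

    for key in REQUIRED_KEYS:
        if not meta.get(key):                       # absent or blank value
            findings.append(f"{path}: missing required field '{key}'")

    if meta.get("version") and not SEMVER.fullmatch(meta["version"]):
        findings.append(f"{path}: version '{meta['version']}' is not semver (MAJOR.MINOR.PATCH)")

    if meta.get("last_reviewed"):
        try:
            reviewed = date.fromisoformat(meta["last_reviewed"])
        except ValueError:
            findings.append(f"{path}: last_reviewed '{meta['last_reviewed']}' is not an ISO date")
        else:
            if today - reviewed > REVIEW_INTERVAL:
                findings.append(f"{path}: last reviewed {reviewed}, overdue for annual review")
    return findings


def lint_all(runbooks, today=None):
    """Lint a {path: markdown} mapping; returns all findings across every runbook."""
    today = today or date.today()
    findings = []
    for path, text in runbooks.items():
        findings.extend(lint_runbook(path, text, today))
    return findings


# Constructed sample runbooks: one compliant, one with several defects, one with no metadata.
SAMPLE_RUNBOOKS = {
    "runbooks/backup-restore.md": """---
title: Restore production database from snapshot
owner: platform-team
version: 2.1.0
last_reviewed: 2026-01-15
---
## Steps
1. Identify the snapshot to restore ...
""",
    "runbooks/key-rotation.md": """---
title: Rotate KMS signing keys
owner:
version: 1.0
last_reviewed: 2024-11-03
---
## Steps
1. ...
""",
    "runbooks/firewall-change.md": """# Firewall change procedure
No front matter here, so ownership and review status cannot be audited.
""",
}

if __name__ == "__main__":
    import sys
    problems = lint_all(SAMPLE_RUNBOOKS, today=AUDIT_DATE)
    for problem in problems:
        print(problem)
    sys.exit(1 if problems else 0)      # non-zero exit blocks the merge in CI
```

Run as a pre-merge check (for example from the same pull request pipeline that reviews the runbook text), the non-zero exit turns a stale or unowned procedure into a blocked change rather than something discovered during the annual audit.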
Make them accessible by hosting the documented procedures in an easily searchable, centralized knowledge base (such as Confluence or an internal wiki) and by building them into new employee onboarding and continuous training.
Yes. Modern IT operations artifacts such as automated runbooks, incident playbooks, and structured ticketing templates are good examples of documented operating procedures that satisfy this control, provided they are version-controlled, reviewed, and accessible to the people who execute them.
Operating procedures often become outdated when ownership is unclear and changes happen informally, which creates audit and operational risk. WatchDog Security's Policy Management helps teams maintain controlled SOP documentation with version history and acceptance tracking so changes are reviewed, approved, and attributable to defined owners instead of relying on tribal knowledge.
Runbooks can contain privileged details (admin steps, recovery actions, references to tooling credentials) and should only be available to people who need them. Credentials themselves should not live in the runbook at all; reference the secrets manager or vault path instead, so that leaking the document does not leak the key. WatchDog Security's Secure File Sharing supports encrypted distribution with access controls, TOTP verification, and audit logs so teams can share sensitive operating procedures while retaining proof of who accessed what and when.
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-17 | WatchDog Security GRC Team | Initial publication |