Episode 41 — A.5.37 — Documented operating procedures
Within every mature Information Security Management System, documented operating procedures serve as the connective tissue that turns policy into practice. Policies articulate intent—what the organization aims to do—but procedures define how those intentions are realized day to day. Control A.5.37 exists to ensure that security and operational tasks are executed predictably, repeatably, and consistently across the enterprise. A well-documented procedure provides clarity in moments of pressure, continuity during staff turnover, and assurance during audits. It transforms theoretical governance into tangible, auditable action. In effect, documented procedures form the operational backbone of the ISMS—the bridge between management commitment and practical execution at every level of the organization.
The scope of A.5.37 extends across all functional areas, not just the IT department. It applies to any activity where consistency and accuracy are vital to maintaining security or compliance. This includes technical operations like system configuration and backup routines, administrative actions such as onboarding employees or managing supplier relationships, and physical security tasks like visitor access control or handling of confidential documents. Procedures should also cover outsourced or supplier-performed functions to ensure continuity of control beyond the organization’s immediate boundaries. By requiring documentation, A.5.37 aligns everyday operations with higher-level policies, closing the gap between strategic intent and operational behavior.
Effective procedures share several common qualities that distinguish them from generic instructions. They are concise, written in plain language that practitioners can easily understand, and tailored to the skill level of their intended audience. Each procedure must undergo review and formal approval before distribution, ensuring accuracy and authorization. Procedures should align with the organization’s risk management framework, legal obligations, and compliance standards, making them not just operational guides but instruments of assurance. Accessibility also matters: staff must be able to find current procedures easily, yet repositories must remain secure from unauthorized modification. This balance of availability and protection ensures reliability without compromising control integrity.
The design of a procedure should fit the complexity of the task it supports. Simple, repeatable actions—such as user account termination or daily log reviews—work best as linear step-by-step lists. More dynamic processes benefit from decision logic that accounts for variable conditions, guiding staff through branching options based on observed outcomes. Complex or multi-team operations may require visual diagrams or workflow maps to clarify sequences and dependencies. Highly automated technical environments might rely on detailed runbooks, specifying not just steps but scripts, tools, and validation checks. These varied design approaches allow procedures to be both efficient and adaptable, ensuring that they serve as practical references rather than bureaucratic artifacts.
A.5.37 applies directly to numerous ISMS-relevant operations where procedural consistency is critical. Backup and restoration runbooks ensure that data can be recovered predictably and securely during outages or incidents. Onboarding procedures define how new employees or suppliers are granted access, guaranteeing that identity verification and least-privilege principles are applied every time. Physical document handling steps prevent unauthorized viewing or removal of classified materials. Patch management and rollout procedures coordinate testing, validation, and deployment to minimize risk of disruption. Each example represents an area where procedural clarity reduces human error and transforms security from a reactive habit into a managed process.
Clear ownership and accountability reinforce procedural reliability. Every documented procedure must have an assigned process owner responsible for its accuracy, maintenance, and periodic review. Deputies ensure continuity when the primary owner is unavailable, while approvers—often managers or compliance officers—validate that content meets organizational standards. Escalation paths should be built into procedures so that staff know what to do if exceptions arise. Ownership is more than administrative detail; it’s a control mechanism that ensures no process operates in ambiguity. When responsibility is explicit, updates occur promptly, gaps close quickly, and compliance stays verifiable.
Document control and versioning protect the credibility of the procedural library. A central repository—often integrated with the ISMS document management system—must track changes through audit trails showing what was modified, by whom, and when. Each procedure should display its version number, approval date, and next scheduled review. Historical versions must be archived for reference but clearly marked as obsolete to prevent accidental use. Obsolete or superseded procedures should be formally withdrawn, with communication to all affected teams. These document control practices ensure that staff always act on the most current guidance and that auditors can trace procedural evolution over time.
Integrating documented procedures into training and onboarding programs ensures that knowledge moves seamlessly from paper to practice. New employees must be introduced to the procedures relevant to their roles during induction. Refresher sessions should highlight updates or changes resulting from lessons learned, audits, or incidents. Drills and simulations—particularly for incident response or business continuity scenarios—should use the exact steps outlined in procedures to validate their clarity and realism. Competence records under Clause 7.2 can then demonstrate that staff have both been exposed to and practiced the prescribed steps. This integration transforms procedures from static documents into living tools that shape capability and culture alike.
For more cyber-related content and books, please check out cyber author dot me. Also, there are other prepcasts on Cybersecurity and more at Bare Metal Cyber dot com.
When procedures are poorly designed, outdated, or ignored, the risks multiply quickly. Inconsistent execution of sensitive activities, such as system backups or access provisioning, can lead to service failures or security incidents. Unclear instructions cause confusion during emergencies, where hesitation or improvisation can turn minor disruptions into major crises. Relying on institutional memory rather than written guidance makes operations dependent on specific individuals—an unsustainable model when turnover or absence occurs. Auditors may also detect gaps between expected and actual practices, resulting in nonconformities or findings that erode the organization’s credibility. Weak procedures introduce variability into processes that should be standardized, undermining the ISMS’s goal of consistent, accountable security management.
The implementation of A.5.37 must adapt to organizational scale and complexity. Smaller companies may use lightweight guides, checklists, or wikis to capture essential procedures in accessible form without bureaucratic overhead. Larger enterprises benefit from structured templates and workflow systems that link procedures directly to ticketing, change management, or IT service management (ITSM) tools. Global organizations face additional challenges: procedures must often be multilingual and aligned across jurisdictions to accommodate cultural and regulatory differences. Integration with automation platforms, such as orchestration or workflow applications, can ensure procedural adherence even in highly technical environments. Regardless of format, the key principle remains clarity—procedures must guide action without ambiguity, delay, or interpretation gaps.
Human factors play a decisive role in whether procedures succeed. If guidance is overly complex or buried in document libraries, employees will default to shortcuts. Effective procedure design focuses on usability: simple formatting, logical progression, and clear headings for rapid reference. Encouraging user feedback helps refine procedures, ensuring they remain practical and relevant. Leadership endorsement reinforces their importance—when managers visibly reference and enforce documented steps, compliance follows naturally. Over time, this builds a culture where “follow the procedure” becomes a shared expectation, not a bureaucratic demand. Cultural adoption turns A.5.37 from an administrative task into a behavioral norm that supports reliability, safety, and confidence across all levels of the organization.
The connection between A.5.37 and other ISO controls highlights its integrative value. Policies defined under A.5.1 provide direction, but procedures translate that intent into tangible action. Roles and responsibilities from A.5.2 are operationalized through specific procedural assignments. Asset handling and labeling practices in A.5.9–A.5.13 depend on written workflows for consistency. Incident response under A.5.25–A.5.26 relies on documented runbooks that guide containment, eradication, and recovery. Even performance monitoring under Clause 9.1 references procedures as the baseline for what “expected behavior” looks like. In this way, documented procedures serve as the connective thread linking governance, control execution, and measurement across the entire ISMS.
Examples from different industries demonstrate the universality of this control. In banking, formalized access provisioning steps prevent accidental or unauthorized privilege escalation, ensuring regulatory compliance. A hospital’s documented patient data transfer procedures protect privacy while maintaining continuity of care during system updates or outages. Telecommunications providers maintain detailed network recovery guides, allowing technicians to restore service efficiently during outages. In education, universities document exam data storage and grading procedures to preserve academic integrity. Though the content differs by sector, the underlying purpose remains the same: ensuring reliability, accountability, and evidence-based operation.
Verification during audits provides the real test of procedural maturity. Auditors request copies of operating procedures, then observe their application in practice—verifying whether employees follow written steps and whether controls produce the intended results. They examine accessibility, ensuring that relevant staff can retrieve procedures easily and that obsolete versions have been withdrawn. Discrepancies between documentation and execution often lead to corrective actions, prompting organizations to update either their processes or their records. This continuous cycle of verification and improvement ensures that procedures evolve in step with technology, regulation, and organizational change, maintaining their relevance and effectiveness over time.
In the long term, well-documented procedures yield resilience and confidence. They ensure that tasks are executed consistently, even under stress or personnel changes. During crises, documented workflows guide staff through uncertainty, preserving control and reducing the risk of costly errors. For management, they provide transparency—clear visibility into how work is done and whether controls are being followed. For auditors, they provide a tangible record of accountability. And for the organization as a whole, they reduce dependency on individual expertise, turning knowledge into institutional capability. In a world where continuity and assurance define success, documented procedures provide both stability and trust.
A.5.37 therefore marks the culmination of the A.5 control set—a control that brings together governance, risk management, and operations into a single framework of repeatable, auditable execution. It demands that procedures be documented, maintained, and accessible so that no critical process depends solely on memory or improvisation. The evidence of these procedures, supported by ownership and version control, sustains the organization’s credibility under audit and daily operation alike. In the next episode, the A.5 controls will be unified into a capstone analysis—illustrating how their interdependence forms the foundation of an integrated, resilient, and continually improving Information Security Management System.