ISO 27001:2022 Annex A 5.37 Checklist Guide

By Max Edwards | Updated 15 August 2024

Utilising a comprehensive checklist for A.5.37 Documented Operating Procedures ensures thorough compliance, enhances operational consistency, and mitigates security risks effectively. This approach supports robust information security management and promotes business continuity by maintaining well-documented, accessible procedures.

ISO 27001 A.5.37 Documented Operating Procedures Checklist

A.5.37 Documented Operating Procedures is a critical control within ISO/IEC 27001:2022, focusing on the need for organisations to establish, maintain, and effectively communicate documented operating procedures. These procedures are fundamental for ensuring consistent, secure, and reliable operations across the organisation.

We will cover the purpose, key elements, common challenges, ISMS.online solutions, and provide a comprehensive compliance checklist to ensure full understanding and adherence to A.5.37. Additionally, relevant ISO 27001:2022 clauses and requirements are associated with each section to provide a comprehensive approach.

Scope of Annex A.5.37

The primary objective of A.5.37 is to guarantee that all operational activities are executed consistently and controlled effectively, thereby enhancing the security and reliability of information processing facilities. This control ensures that operations are not left to individual discretion, which can lead to inconsistencies and potential security breaches.



Why Should You Comply With Annex A.5.37? Key Aspects and Common Challenges

1. Procedure Documentation:

Creation:

Develop comprehensive operating procedures that detail each operational task or process.

  • Challenge: Ensuring completeness and clarity in documentation can be time-consuming and may require significant expertise.
  • Solution: Use Policy Templates and Policy Pack to streamline the creation process with predefined structures and guidelines.
  • Related ISO 27001 Clauses: 7.5.1, 8.1

Compliance Checklist:

  • Use predefined policy templates.
  • Develop comprehensive task/process details.
  • Ensure clarity and completeness of documentation.

Standardisation:

Ensure that procedures are standardised across the organisation to avoid discrepancies and ensure uniformity in operations.

  • Challenge: Achieving consistency across departments with varying processes can be difficult.
  • Solution: Utilise Document Templates and Collaboration Tools to maintain a consistent format and approach.
  • Related ISO 27001 Clauses: 7.5.2, 8.1

Compliance Checklist:

  • Implement standardised document templates.
  • Use collaboration tools for consistency.
  • Review procedures for uniformity across departments.

2. Availability and Accessibility:

Accessibility:

Make sure that all relevant personnel have access to these documented procedures.

  • Challenge: Ensuring secure yet widespread access to sensitive documents can be complex.
  • Solution: Implement Document Access controls to manage who can view and edit procedures, ensuring secure accessibility.
  • Related ISO 27001 Clauses: 7.5.3, 7.4

Compliance Checklist:

  • Set up secure document access controls.
  • Ensure relevant personnel have access.
  • Regularly review access permissions.

Storage:

Store procedures in a secure and accessible location, such as a centralised documentation management system.

  • Challenge: Centralising documentation in a way that is both secure and easily accessible can be challenging.
  • Solution: Leverage a centralised documentation management system with robust security features.
  • Related ISO 27001 Clauses: 7.5.3, 8.1

Compliance Checklist:

  • Use a centralised documentation management system.
  • Implement robust security features for storage.
  • Regularly audit storage security.

3. Approval and Version Control:

Approval Process:

Establish a formal approval process for all procedures to ensure they are reviewed and authorised by appropriate personnel.

  • Challenge: Coordinating approvals can be time-consuming and may lead to bottlenecks.
  • Solution: Use Version Control and automated workflows to streamline the approval process and ensure timely updates.
  • Related ISO 27001 Clauses: 7.5.2, 9.1

Compliance Checklist:

  • Implement an automated approval workflow.
  • Ensure all procedures are reviewed and authorised.
  • Track approval status and manage bottlenecks.

Version Control:

Implement version control mechanisms to track changes and ensure that only the latest approved versions are in use.

  • Challenge: Managing multiple versions of documents can lead to confusion and errors.
  • Solution: Implement strict Version Control and Retention policies to maintain the integrity of documentation.
  • Related ISO 27001 Clauses: 7.5.3, 9.2

Compliance Checklist:

  • Set up version control mechanisms.
  • Maintain a history of document changes.
  • Ensure only the latest versions are in use.

4. Training and Awareness:

Training:

Provide training to all relevant employees to ensure they understand and can effectively follow the documented procedures.

  • Challenge: Ensuring comprehensive and ongoing training across the organisation can be resource-intensive.
  • Solution: Develop and assign Training Modules, and use Training Tracking to monitor completion and effectiveness.
  • Related ISO 27001 Clauses: 7.2, 7.3

Compliance Checklist:

  • Develop comprehensive training modules.
  • Assign training to relevant employees.
  • Track training completion and effectiveness.

Awareness Programmes:

Conduct awareness programmes to highlight the importance of adhering to these procedures and the impact on overall security.

  • Challenge: Keeping employees engaged and aware of the importance of procedures over time.
  • Solution: Utilise Alert and Notification Systems to keep employees informed about updates and the importance of compliance.
  • Related ISO 27001 Clauses: 7.3, 7.4

Compliance Checklist:

  • Conduct regular awareness programmes.
  • Use alerts and notifications for updates.
  • Monitor employee engagement and understanding.

5. Review and Update:

Periodic Review:

Regularly review procedures to ensure they remain current and effective.

  • Challenge: Allocating time and resources for regular reviews can be difficult, especially in dynamic environments.
  • Solution: Schedule and automate review processes using the Compliance and Audit Management features.
  • Related ISO 27001 Clauses: 9.1, 10.1

Compliance Checklist:

  • Schedule regular reviews of procedures.
  • Automate review processes where possible.
  • Document and track review outcomes.

Updates:

Update procedures as necessary to reflect changes in technology, processes, or security requirements.

  • Challenge: Keeping documentation up-to-date amidst constant changes in technology and processes.
  • Solution: Use Version Control and automated workflows to facilitate timely updates and ensure all changes are tracked.
  • Related ISO 27001 Clauses: 7.5.2, 8.1

Compliance Checklist:

  • Implement automated workflows for updates.
  • Ensure timely updates to reflect changes.
  • Track all changes and maintain documentation.

Benefits of Compliance

  • Consistency: Ensures that all employees perform tasks in a consistent manner, reducing errors and increasing efficiency.
  • Security: Enhances the security of operations by providing clear guidelines on how tasks should be performed.
  • Compliance: Helps in maintaining compliance with regulatory requirements by documenting and controlling operational processes.
  • Business Continuity: Supports business continuity by ensuring that operations can be maintained even if key personnel are unavailable.



ISMS.online Features for Demonstrating Compliance with A.5.37

  • Policy Management:

    • Policy Templates and Policy Pack: Utilise predefined templates to create comprehensive operating procedures.
    • Version Control: Manage different versions of operating procedures, ensuring only the latest versions are accessible.
    • Document Access: Control who can access, edit, and approve operating procedures.
  • Training:

    • Training Modules: Develop and assign training modules to ensure all employees are familiar with the documented procedures.
    • Training Tracking: Monitor the completion of training to ensure all relevant personnel are adequately trained.
  • Documentation:

    • Document Templates: Use document templates to ensure consistency in procedure documentation.
    • Collaboration Tools: Facilitate collaboration among team members to create and refine operating procedures.
    • Version Control and Retention: Implement strict version control and retention policies to maintain the integrity of documentation.
  • Communication:

    • Alert System and Notification System: Send alerts and notifications to relevant personnel about updates or changes to operating procedures.
    • Collaboration Tools: Enhance communication and collaboration in developing and updating procedures.
  • Audit Management:

    • Audit Templates and Audit Plan: Plan and conduct audits to ensure compliance with documented procedures.
    • Corrective Actions and Documentation: Track and document corrective actions to address non-compliance issues.

Implementation Tips

  • Collaboration: Involve relevant stakeholders in the development of operating procedures to ensure all perspectives are considered.
  • Detail Orientation: Ensure procedures are detailed enough to guide users but not overly complex to discourage use.
  • Feedback Mechanism: Establish a mechanism for employees to provide feedback on procedures, allowing for continuous improvement.

Detailed Annex A.5.37 Compliance Checklist

Procedure Documentation:

  • Use predefined policy templates.
  • Develop comprehensive task/process details.
  • Ensure clarity and completeness of documentation.
  • Implement standardised document templates.
  • Use collaboration tools for consistency.
  • Review procedures for uniformity across departments.

Availability and Accessibility:

  • Set up secure document access controls.
  • Ensure relevant personnel have access.
  • Regularly review access permissions.
  • Use a centralised documentation management system.
  • Implement robust security features for storage.
  • Regularly audit storage security.

Approval and Version Control:

  • Implement an automated approval workflow.
  • Ensure all procedures are reviewed and authorised.
  • Track approval status and manage bottlenecks.
  • Set up version control mechanisms.
  • Maintain a history of document changes.
  • Ensure only the latest versions are in use.

Training and Awareness:

  • Develop comprehensive training modules.
  • Assign training to relevant employees.
  • Track training completion and effectiveness.
  • Conduct regular awareness programmes.
  • Use alerts and notifications for updates.
  • Monitor employee engagement and understanding.

Review and Update:

  • Schedule regular reviews of procedures.
  • Automate review processes where possible.
  • Document and track review outcomes.
  • Implement automated workflows for updates.
  • Ensure timely updates to reflect changes.
  • Track all changes and maintain documentation.



Every Annex A Control Checklist Table

ISO 27001 Annex A.5 Control Checklist Table

ISO 27001 Control Number | ISO 27001 Control Checklist
Annex A.5.1 | Policies for Information Security Checklist
Annex A.5.2 | Information Security Roles and Responsibilities Checklist
Annex A.5.3 | Segregation of Duties Checklist
Annex A.5.4 | Management Responsibilities Checklist
Annex A.5.5 | Contact With Authorities Checklist
Annex A.5.6 | Contact With Special Interest Groups Checklist
Annex A.5.7 | Threat Intelligence Checklist
Annex A.5.8 | Information Security in Project Management Checklist
Annex A.5.9 | Inventory of Information and Other Associated Assets Checklist
Annex A.5.10 | Acceptable Use of Information and Other Associated Assets Checklist
Annex A.5.11 | Return of Assets Checklist
Annex A.5.12 | Classification of Information Checklist
Annex A.5.13 | Labelling of Information Checklist
Annex A.5.14 | Information Transfer Checklist
Annex A.5.15 | Access Control Checklist
Annex A.5.16 | Identity Management Checklist
Annex A.5.17 | Authentication Information Checklist
Annex A.5.18 | Access Rights Checklist
Annex A.5.19 | Information Security in Supplier Relationships Checklist
Annex A.5.20 | Addressing Information Security Within Supplier Agreements Checklist
Annex A.5.21 | Managing Information Security in the ICT Supply Chain Checklist
Annex A.5.22 | Monitoring, Review and Change Management of Supplier Services Checklist
Annex A.5.23 | Information Security for Use of Cloud Services Checklist
Annex A.5.24 | Information Security Incident Management Planning and Preparation Checklist
Annex A.5.25 | Assessment and Decision on Information Security Events Checklist
Annex A.5.26 | Response to Information Security Incidents Checklist
Annex A.5.27 | Learning From Information Security Incidents Checklist
Annex A.5.28 | Collection of Evidence Checklist
Annex A.5.29 | Information Security During Disruption Checklist
Annex A.5.30 | ICT Readiness for Business Continuity Checklist
Annex A.5.31 | Legal, Statutory, Regulatory and Contractual Requirements Checklist
Annex A.5.32 | Intellectual Property Rights Checklist
Annex A.5.33 | Protection of Records Checklist
Annex A.5.34 | Privacy and Protection of PII Checklist
Annex A.5.35 | Independent Review of Information Security Checklist
Annex A.5.36 | Compliance With Policies, Rules, and Standards for Information Security Checklist
Annex A.5.37 | Documented Operating Procedures Checklist


ISO 27001 Annex A.6 Control Checklist Table

ISO 27001 Control Number | ISO 27001 Control Checklist
Annex A.6.1 | Screening Checklist
Annex A.6.2 | Terms and Conditions of Employment Checklist
Annex A.6.3 | Information Security Awareness, Education and Training Checklist
Annex A.6.4 | Disciplinary Process Checklist
Annex A.6.5 | Responsibilities After Termination or Change of Employment Checklist
Annex A.6.6 | Confidentiality or Non-Disclosure Agreements Checklist
Annex A.6.7 | Remote Working Checklist
Annex A.6.8 | Information Security Event Reporting Checklist


ISO 27001 Annex A.7 Control Checklist Table

ISO 27001 Control Number | ISO 27001 Control Checklist
Annex A.7.1 | Physical Security Perimeters Checklist
Annex A.7.2 | Physical Entry Checklist
Annex A.7.3 | Securing Offices, Rooms, and Facilities Checklist
Annex A.7.4 | Physical Security Monitoring Checklist
Annex A.7.5 | Protecting Against Physical and Environmental Threats Checklist
Annex A.7.6 | Working in Secure Areas Checklist
Annex A.7.7 | Clear Desk and Clear Screen Checklist
Annex A.7.8 | Equipment Siting and Protection Checklist
Annex A.7.9 | Security of Assets Off-Premises Checklist
Annex A.7.10 | Storage Media Checklist
Annex A.7.11 | Supporting Utilities Checklist
Annex A.7.12 | Cabling Security Checklist
Annex A.7.13 | Equipment Maintenance Checklist
Annex A.7.14 | Secure Disposal or Re-Use of Equipment Checklist


ISO 27001 Annex A.8 Control Checklist Table

ISO 27001 Control Number | ISO 27001 Control Checklist
Annex A.8.1 | User Endpoint Devices Checklist
Annex A.8.2 | Privileged Access Rights Checklist
Annex A.8.3 | Information Access Restriction Checklist
Annex A.8.4 | Access to Source Code Checklist
Annex A.8.5 | Secure Authentication Checklist
Annex A.8.6 | Capacity Management Checklist
Annex A.8.7 | Protection Against Malware Checklist
Annex A.8.8 | Management of Technical Vulnerabilities Checklist
Annex A.8.9 | Configuration Management Checklist
Annex A.8.10 | Information Deletion Checklist
Annex A.8.11 | Data Masking Checklist
Annex A.8.12 | Data Leakage Prevention Checklist
Annex A.8.13 | Information Backup Checklist
Annex A.8.14 | Redundancy of Information Processing Facilities Checklist
Annex A.8.15 | Logging Checklist
Annex A.8.16 | Monitoring Activities Checklist
Annex A.8.17 | Clock Synchronisation Checklist
Annex A.8.18 | Use of Privileged Utility Programs Checklist
Annex A.8.19 | Installation of Software on Operational Systems Checklist
Annex A.8.20 | Networks Security Checklist
Annex A.8.21 | Security of Network Services Checklist
Annex A.8.22 | Segregation of Networks Checklist
Annex A.8.23 | Web Filtering Checklist
Annex A.8.24 | Use of Cryptography Checklist
Annex A.8.25 | Secure Development Life Cycle Checklist
Annex A.8.26 | Application Security Requirements Checklist
Annex A.8.27 | Secure System Architecture and Engineering Principles Checklist
Annex A.8.28 | Secure Coding Checklist
Annex A.8.29 | Security Testing in Development and Acceptance Checklist
Annex A.8.30 | Outsourced Development Checklist
Annex A.8.31 | Separation of Development, Test and Production Environments Checklist
Annex A.8.32 | Change Management Checklist
Annex A.8.33 | Test Information Checklist
Annex A.8.34 | Protection of Information Systems During Audit Testing Checklist


How ISMS.online Helps With A.5.37

Ready to elevate your information security management and ensure seamless compliance with ISO 27001:2022?

Discover how ISMS.online can transform your approach to managing documented operating procedures and other critical controls. Our comprehensive platform is designed to streamline your processes, enhance security, and ensure regulatory compliance with ease.

Don’t miss out on the opportunity to see ISMS.online in action. Contact us today to schedule a personalised demo and experience firsthand how our powerful features can support your organisation’s compliance journey.
