ISO 27001 Control 5.37: Documented operating procedures

When a critical backup restoration fails at 2 a.m. and the only person who knew the recovery sequence left the company three months ago, the cost of undocumented procedures becomes painfully concrete. ISO 27001 Control 5.37 exists to prevent exactly this scenario by requiring organizations to document, maintain, and distribute the operating procedures that keep information processing facilities running securely and consistently.

What 5.37 requires

ISO 27001 Control 5.37 requires organizations to create, maintain, and disseminate detailed documented operating procedures for all information processing facilities to ensure consistent, secure, and correct execution of operational tasks by authorized personnel. In practical terms, this means every system, application, or infrastructure component that processes information needs written procedures covering how it’s operated day to day.

The control’s scope extends beyond routine tasks. Organizations must document procedures for:

  • Secure installation and configuration: Step-by-step processes for deploying systems to approved baselines
  • Information processing and handling: How data moves through systems, including classification-specific handling requirements
  • Backup execution and verification: Schedules, methods, retention periods, and restoration testing protocols
  • Scheduling and interdependencies: Job scheduling sequences, upstream/downstream dependencies, and timing constraints
  • Error and exception handling: What to do when processes fail, including diagnostic steps and workarounds
  • Escalation contacts: Named individuals or roles responsible for each tier of escalation, with current contact details
  • Storage media management: Procedures for handling, transporting, and disposing of physical and digital media
  • System restart and recovery: Sequences for restarting services after planned or unplanned outages
  • Audit trail management: How logs are collected, stored, protected, and reviewed
  • Monitoring procedures: What gets monitored, alerting thresholds, and response actions for each alert type
  • Maintenance windows: Scheduled maintenance processes, including pre-checks, execution steps, and post-maintenance validation

These aren’t policy statements. They’re operational instructions detailed enough that a qualified person unfamiliar with a specific system could follow them and achieve the intended outcome.

Why 5.37 matters

Organizations that fail to document operating procedures usually discover the gap during an incident rather than during a planning exercise. This isn’t a theoretical risk. According to Verizon’s Data Breach Investigations Report, 68% of all data breaches involve the human element, and undocumented procedures amplify human error by forcing staff to rely on memory, guesswork, or improvisation during high-pressure situations.

The real cost of missing documentation goes beyond audit findings. Without standardized procedures, organizations face inconsistent execution across teams and shifts, where one administrator patches systems differently than another. They experience prolonged incident response times because responders waste critical minutes figuring out what to do instead of executing a known playbook. Knowledge loss accelerates during staff turnover, and operational debt compounds as tribal knowledge accumulates without ever being captured. The compounding effect is particularly dangerous because it’s invisible until something breaks. An organization might operate for years with undocumented procedures that work fine under normal conditions, only to discover during an incident or audit that no one can reproduce a critical process reliably.

Framing 5.37 purely as a compliance checkbox misses the point. Documented procedures are an operational resilience mechanism. They reduce the attack surface created by human inconsistency and ensure that security controls actually function the way they were designed to, not just the way one person remembers implementing them. That consistency is foundational to any risk management framework.

What attackers exploit

Undocumented environments create specific attack opportunities:

  • Configuration blind spots where undocumented system settings drift from security baselines without anyone noticing
  • Inconsistent patching across environments, leaving known vulnerabilities unaddressed on systems that fell outside the documented scope
  • Missing escalation paths that delay incident response, giving attackers more dwell time in compromised networks
  • Ad-hoc access provisioning that bypasses approval workflows, creating unauthorized access that no one tracks
  • Absent offboarding procedures that leave orphaned accounts active long after employees depart
  • Unverified backups that make ransomware recovery uncertain because no one documented or tested the restoration process

How to implement 5.37

For your organization

Implementation starts with knowing what you have and who owns it. Most organizations underestimate this first step, but you can’t document procedures for systems you haven’t inventoried. The following seven steps provide a practical path from initial assessment through ongoing maintenance.

1. Inventory information processing facilities and assign owners. Catalog every system, application, and infrastructure component that processes organizational information. Each facility needs a designated owner accountable for its procedures. Include cloud services, SaaS platforms, and managed infrastructure alongside on-premises systems.

2. Identify which activities require documented procedures. Not every task needs a formal Standard Operating Procedure (SOP). Prioritize activities that require uniform execution across staff, are performed infrequently enough that steps might be forgotten, involve new or changed processes, or require handover between teams or shifts.

3. Write procedures with operational detail. Each procedure should cover the elements listed in the control’s guidance: secure installation, information processing, backup execution, scheduling dependencies, error handling, escalation contacts, storage media management, restart/recovery sequences, audit trail management, monitoring, and maintenance activities. Write at the level of step-by-step instructions, not policy language. A good test: could someone with the right technical skills but no prior knowledge of this specific system follow the procedure successfully?

4. Implement version control. Every procedure document needs a unique identifier, version number, last-reviewed date, next-review date, and approver name. Store revision history so auditors can verify the document lifecycle. When a procedure is updated, the previous version should remain accessible for comparison so teams can understand what changed and why. Effective documentation in IT governance depends on this traceability.

5. Centralize and make procedures accessible. Use a document management system, wiki (Confluence, SharePoint), or IT Service Management (ITSM) platform where authorized personnel can find procedures when they need them. Procedures buried in email attachments or personal drives don’t satisfy this control. Consider tagging procedures by system, criticality, and owning team so staff can locate the right document under pressure. The faster someone can find a procedure during an incident, the more value it delivers.

6. Schedule regular reviews. Review all procedures at least annually, plus after any significant system change, security incident, or organizational restructuring. Document the review outcome even if no changes were needed. Stale procedures create false confidence that documented guidance exists when it no longer reflects reality. Tie review cycles to your change management process so that system updates automatically trigger a procedure review.

7. Train personnel and verify compliance. Distribute relevant procedures to everyone who needs them, collect acknowledgment, and periodically verify that staff actually follow documented processes. The gap between documented procedures and actual practice is one of the most common audit findings. An ISO 27001 implementation checklist can help track progress across all required controls.
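Steps 4 and 6 are easiest to keep honest when procedures live in a repository and a script checks their document-control metadata on every change or on a schedule. The following is an added example for this page, not text from ISO 27001 or any vendor’s tool. It assumes (an assumption, not a requirement of the standard) that each SOP is a text file opening with a block of key: value lines between two "---" lines, that the header carries the fields from step 4 (id, title, version, owner, approver, last_reviewed, next_review), and that the review interval is one year as in step 6. The three sample SOPs, their identifiers, and the fixed "today" date are constructed for the example.

```python
"""Review-status check for operating procedures kept as text files.

Added example for this page, not ISO 27001 text or any vendor's tool. It
assumes (an assumption, not a standard) that every SOP begins with a block
of 'key: value' lines between two '---' lines, carrying the document-control
fields from step 4, and checks them against the annual review cycle of step 6.
"""
from __future__ import annotations

from datetime import date, timedelta

# Document-control fields every SOP header must carry (assumed field names).
REQUIRED_FIELDS = ("id", "title", "version", "owner", "approver",
                   "last_reviewed", "next_review")
MAX_REVIEW_AGE = timedelta(days=365)  # "review at least annually"


def parse_header(text: str) -> dict[str, str]:
    """Return the key/value pairs between the first two '---' lines (keys lowercased)."""
    lines = text.strip().splitlines()
    if not lines or lines[0].strip() != "---":
        return {}
    header: dict[str, str] = {}
    for line in lines[1:]:
        if line.strip() == "---":
            break
        key, sep, value = line.partition(":")  # split on the first colon only
        if sep:
            header[key.strip().lower()] = value.strip()
    return header


def _iso_date(value: str | None) -> date | None:
    """Parse an ISO 8601 date (YYYY-MM-DD); anything else yields None."""
    try:
        return date.fromisoformat(value) if value else None
    except ValueError:
        return None


def check_sop(text: str, today: date) -> list[str]:
    """Return the findings for one SOP; an empty list means it passes."""
    h = parse_header(text)
    label = h.get("id") or "<no id>"
    findings = [f"{label}: missing {f}" for f in REQUIRED_FIELDS if not h.get(f)]

    last = _iso_date(h.get("last_reviewed"))
    if h.get("last_reviewed") and last is None:
        findings.append(f"{label}: last_reviewed is not an ISO date")
    elif last and today - last > MAX_REVIEW_AGE:
        findings.append(f"{label}: last review on {last} is older than one year")

    nxt = _iso_date(h.get("next_review"))
    if h.get("next_review") and nxt is None:
        findings.append(f"{label}: next_review is not an ISO date")
    elif nxt and nxt < today:
        findings.append(f"{label}: review overdue since {nxt}")
    return findings


def audit(docs: dict[str, str], today: date) -> dict[str, list[str]]:
    """Run check_sop over a name -> text mapping (e.g. files read from a docs repo)."""
    return {name: check_sop(text, today) for name, text in docs.items()}


# Constructed sample SOPs; identifiers, names and dates are made up.
SAMPLE_SOPS = {
    "backup-restore": """---
id: SOP-BCK-001
title: Backup restore: production database
version: 2.3
owner: Platform team
approver: Head of Infrastructure
last_reviewed: 2025-03-10
next_review: 2026-03-10
---
1. Confirm the restore target ...
""",
    "patch-deploy": """---
id: SOP-PCH-004
title: Monthly patch deployment
version: 1.1
owner: Platform team
approver: Head of Infrastructure
last_reviewed: 2023-11-02
next_review: 2024-11-02
---
1. Open the change ticket ...
""",
    "media-disposal": """---
id: SOP-MED-002
title: Storage media disposal
version: 1.0
owner: IT operations
last_reviewed: 2025-01-15
---
1. Record the serial number ...
""",
}
AS_OF = date(2025, 6, 1)  # fixed "today" so the run is reproducible

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_SOPS, AS_OF).items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

Run against the samples, the backup restore SOP passes, the patch SOP is flagged both as overdue (next_review is in the past) and as stale (last review older than a year), and the media disposal SOP is flagged for a missing approver and a missing next_review date. Wiring this into the repository’s CI gives the "review outcome" record step 6 asks for without relying on anyone remembering the calendar.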

Common implementation mistakes:

  • Writing procedures once during certification and never updating them
  • Documenting at too high a level, producing policy-like statements instead of actionable steps
  • Storing procedures where staff can’t find them during an incident
  • Never testing procedures, especially backup and recovery processes
  • Treating documentation as a compliance exercise rather than an operational tool

For your vendors

When assessing vendors against ISO 27001’s third-party risk requirements, request evidence that documented procedures exist and are actively maintained. Vendors who process your data or manage your systems are an extension of your operational environment, and their procedural gaps become your risk exposure.

Questionnaire questions to include:

  • Do you maintain documented operating procedures for all information processing facilities?
  • How are procedures reviewed and updated, and on what schedule?
  • Who has access to operational procedures, and how is access controlled?
  • Can you provide sample SOPs for backup, incident response, or change management?

Evidence to request: Sample SOPs for critical processes, version control logs showing revision history, review schedules with completion records, and training acknowledgment records.

Red flags during assessment:

  • Generic policies with no operational detail
  • No evidence of review dates or version history
  • Procedures that don’t match actual system configurations observed during technical assessments
  • Inability to produce specific SOPs when asked
  • Procedures authored years ago with no subsequent revisions

A structured vendor risk assessment can help formalize this evaluation process.

Audit evidence for 5.37

Auditors verify that documented procedures exist, are current, are accessible, and are followed in practice. Prepare the following evidence artifacts before a certification or surveillance audit. For a complete walkthrough, see how to prepare for an ISO 27001 audit.

Evidence type and example artifact:

  • Operating procedures manual: Documented SOPs for backup execution, system restart sequences, and patch deployment workflows
  • Version control records: Document management system logs showing revision history, approval dates, and author attribution
  • Procedure review schedule: Annual review calendar with completion dates and responsible owners for each SOP
  • Training records: Sign-off logs confirming personnel have read and understood relevant procedures
  • Access control evidence: Screenshots or exports showing procedure repository access restricted to authorized personnel
  • Change management records: Tickets or approval records showing procedure updates triggered by system changes
  • Backup verification logs: Test restoration records confirming documented backup procedures produce recoverable data
  • Incident response records: Post-incident reports referencing the documented procedure followed during the response

The strongest audit evidence demonstrates not just that procedures exist on paper, but that they’re actively used in operations. Auditors often cross-reference procedure documents with operational logs, training records, and interview responses to confirm alignment.

Cross-framework mapping

Control 5.37 maps extensively to other compliance frameworks, making documented procedures a shared requirement across multiple regulatory and industry standards.

Framework mappings (framework, equivalent control(s), coverage):

  • NIST 800-53: AC-01, AT-01, AU-01, CA-01, CM-01, CP-01, IA-01, IR-01, MA-01, MP-01, PE-01, PL-01, PS-01, RA-01, SA-01, SA-05, SC-01, SI-01, SR-01 (full)
  • SOC 2: CC5.3 (COSO Principle 12, deploys through policies and procedures) (partial)
  • CIS Controls v8.1: Control 4.1 (Establish and Maintain a Secure Configuration Process) (partial)
  • NIST CSF 2.0: GV.PO (Policy) (partial)
  • DORA: Article 9 (Protection and prevention: ICT security policies, procedures, protocols and tools) (partial)

Of the NIST 800-53 controls listed, the 18 “-01” controls each represent the policy and procedures requirement for their respective control family (for example CP-01 for contingency planning and MP-01 for media protection), while SA-05 (System Documentation) covers the documentation of the system itself. This means organizations already compliant with NIST 800-53 likely satisfy much of 5.37’s intent. SOC 2, CIS, NIST CSF, and DORA provide partial coverage because they require documented procedures but don’t prescribe the same breadth of operational detail that ISO 27001 5.37 demands.

Control 5.37 doesn’t operate in isolation. It connects functionally to several other Annex A controls across the ISO 27001 compliance framework:

Related control (ID and name) and relationship to 5.37:

  • 5.1 Policies for information security: Procedures operationalize the policies 5.1 establishes
  • 5.2 Information security roles and responsibilities: Procedures must assign ownership per the roles defined in 5.2
  • 5.10 Acceptable use of information and other associated assets: SOPs enforce acceptable use rules in daily operations
  • 5.24 Information security incident management planning and preparation: Incident procedures are a key category of documented operations
  • 5.35 Independent review of information security: Reviews assess whether documented procedures match actual practice
  • 5.36 Compliance with policies, rules and standards: Compliance verification depends on procedures being documented and followed
  • 8.13 Information backup: Backup procedures are among the most critical SOPs 5.37 requires
  • 8.15 Logging: Log management procedures must be documented under 5.37

Frequently asked questions

What is ISO 27001 5.37?

ISO 27001 Control 5.37 requires organizations to create, maintain, and distribute documented operating procedures for all information processing facilities. It covers routine operations like backups and maintenance as well as exception handling like incident response and error recovery.

What happens if 5.37 is not implemented?

Without documented procedures, organizations face audit nonconformities that can block ISO 27001 certification. The operational impact includes inconsistent task execution, prolonged incident response, and accelerated knowledge loss during staff turnover.

How do you audit 5.37?

Auditors verify that documented procedures exist for all in-scope facilities, are current (evidenced by review dates), are accessible to relevant personnel, and are actually followed in practice. Expect auditors to select specific procedures and walk through them with the responsible team.

How UpGuard helps

Maintaining documented procedures is one part of a broader security program. The UpGuard platform helps organizations maintain continuous visibility across their attack surface, vendor ecosystem, and workforce risk, giving security teams the context they need to keep operational procedures aligned with their actual risk posture.

  • Vendor Risk: Assess and monitor third-party compliance with controls like 5.37 across your entire vendor portfolio
  • Breach Risk: Identify external attack surface exposures that may indicate undocumented or misconfigured systems
  • User Risk: Discover workforce risks like Shadow IT that fall outside documented procedures

Learn more about the UpGuard platform.
