Control theme: Organisational | Control type: Preventive | Cybersecurity concept: Protect

A.5.37 Documented Operating Procedures

M365 Admin Path: Azure DevOps > Repos

Evidence Source: Azure DevOps

What is this control?

ISO 27001 control A.5.37 Documented Operating Procedures requires that operating procedures for information processing facilities are documented, maintained, and made available to the personnel who need them. For IT operations this means written, current procedures for the security-relevant activities: system administration, incident response, backup and recovery, change management, and access management. To be defensible at audit, the documentation should be version-controlled, formally approved, and reviewed on a defined cycle so that each procedure can be shown to match current practice.

How to implement in Microsoft 365

Implement A.5.37 by keeping all operating procedures in a single version-controlled repository with a formal approval workflow: a SharePoint documentation library with versioning and content approval enabled, or the Azure DevOps repository named above as the evidence source, where procedures are held as files and approved through pull requests. Document procedures for the critical IT operations: user account management via Entra ID, device enrolment via Intune, backup and restore via AvePoint and Acronis, incident response per A.5.24-27, and change management via Azure DevOps. Restrict access to each procedure by role and responsibility (for example, read access for the operations team that follows it, edit rights only for its owner and approvers), so that personnel can reach the procedures they need without everyone being able to alter them.

Implement an annual review cycle for every procedure, recording the review date, the reviewer, and the approval on the document itself rather than in a separate spreadsheet, so the evidence travels with the procedure. Use metadata tagging (procedure category, owner, last review date) for categorisation, searchability, and for reporting which procedures are overdue.

What an auditor looks for

Auditors will verify that a centralised procedure repository exists with version control enabled, and will sample the version history of individual procedures. They will check that procedures cover all critical IT operations, including user management, device management, backup, incident response, and change management. They will review evidence of the annual review cycle: a review date and documented sign-off on each procedure, with any procedure past its review date explained.

They will verify that procedures are accessible to the relevant personnel based on role, and that edit and approval rights are limited to owners and approvers. Auditors will check that metadata tagging is used for categorisation, and will compare a sample of procedures against actual practice (for example, by walking through a user-offboarding or restore procedure with the operator) to confirm they are current and followed.
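The configuration described under "How to implement" and the evidence an auditor asks for, as one added PnP PowerShell example. This is not code from the original page; it assumes a SharePoint Online site at https://contoso.sharepoint.com/sites/ISMS, a document library named "Procedures", SharePoint groups named "IT Operations" and "ISMS Authors", and a 365-day review cycle, all of which are placeholders to adjust for your tenant.

```powershell
# Added example, not from the original page: configure a SharePoint Online
# procedure library for A.5.37 with PnP PowerShell, then report review status.
# Assumed values (placeholders): site URL, library name, group names, cycle length.
Import-Module PnP.PowerShell

$SiteUrl         = "https://contoso.sharepoint.com/sites/ISMS"   # assumed
$Library         = "Procedures"                                   # assumed
$ReaderGroup     = "IT Operations"                                # assumed
$AuthorGroup     = "ISMS Authors"                                 # assumed
$ReviewCycleDays = 365

Connect-PnPOnline -Url $SiteUrl -Interactive

# 1. Version control plus content approval on the library.
#    EnableModeration = "Require content approval"; minor versions keep drafts
#    separate from the approved major version that staff actually follow.
Set-PnPList -Identity $Library `
    -EnableVersioning $true -EnableMinorVersions $true `
    -MajorVersions 50 -MinorVersions 10 `
    -EnableModeration $true

# 2. Metadata for categorisation and search, and the fields that carry the
#    review evidence (owner, last review date, who signed it off).
Add-PnPField -List $Library -DisplayName "Procedure Category" -InternalName "ProcedureCategory" `
    -Type Choice -AddToDefaultView `
    -Choices "Access Management","Device Management","Backup and Restore","Incident Response","Change Management"
Add-PnPField -List $Library -DisplayName "Procedure Owner"  -InternalName "ProcedureOwner" -Type User     -AddToDefaultView
Add-PnPField -List $Library -DisplayName "Last Review Date" -InternalName "LastReviewDate" -Type DateTime -AddToDefaultView
Add-PnPField -List $Library -DisplayName "Reviewed By"      -InternalName "ReviewedBy"     -Type User     -AddToDefaultView

# 3. Role-based access: stop inheriting site permissions, then grant read to
#    the operators and contribute to authors. Approvers keep their site-level
#    rights; do not hand out Full Control on the library.
Set-PnPList -Identity $Library -BreakRoleInheritance -CopyRoleAssignments:$false -ClearSubscopes
Set-PnPListPermission -Identity $Library -Group $ReaderGroup -AddRole "Read"
Set-PnPListPermission -Identity $Library -Group $AuthorGroup -AddRole "Contribute"

# 4. Evidence report: every procedure, its approval state, its published
#    version, and whether the annual review is overdue. Run before the audit.
$cutoff = (Get-Date).AddDays(-$ReviewCycleDays)
$items  = Get-PnPListItem -List $Library -PageSize 500 `
            -Fields "Title","ProcedureCategory","LastReviewDate","ReviewedBy","_ModerationStatus","_UIVersionString"

$report = foreach ($i in $items) {
    # _ModerationStatus: 0 Approved, 1 Rejected, 2 Pending, 3 Draft, 4 Scheduled
    $approval = switch ([int]$i["_ModerationStatus"]) {
        0 { "Approved" } 1 { "Rejected" } 2 { "Pending" } 3 { "Draft" } 4 { "Scheduled" }
    }
    [pscustomobject]@{
        Title         = $i["Title"]
        Category      = $i["ProcedureCategory"]
        Version       = $i["_UIVersionString"]
        Approval      = $approval
        LastReview    = $i["LastReviewDate"]
        ReviewedBy    = $i["ReviewedBy"].LookupValue
        # Overdue if never reviewed or last review is older than the cycle
        ReviewOverdue = (-not $i["LastReviewDate"]) -or ([datetime]$i["LastReviewDate"] -lt $cutoff)
    }
}

$report | Sort-Object ReviewOverdue -Descending | Format-Table -AutoSize
$report | Export-Csv -Path ".\A.5.37-procedure-review-evidence.csv" -NoTypeInformation
```

Run steps 1 to 3 once when the library is created (Add-PnPField will error if a field already exists, so re-running is safe in the sense that nothing is overwritten) and step 4 on a schedule or ahead of the audit; the exported CSV, together with the version history of a sampled procedure, is the evidence the auditor is asking for. Current PnP.PowerShell releases require you to register your own Entra ID application and pass its -ClientId to Connect-PnPOnline.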