GRCWatch
Sign inStart free trial

ISO 27001 5.37: Documented Operating Procedures for IT Facilities

Operating procedures are the backbone of consistent, secure information processing. ISO 27001 5.37 requires your organization to document, maintain, and distribute procedures to all personnel who handle IT facilities—ensuring everyone knows how to operate systems safely and consistently. Without this control, you risk operational failures, security gaps, and audit failures.

What this means

Control 5.37 mandates that your organization create and maintain written documentation for all operating procedures related to information processing facilities. These procedures must be current, accurate, and accessible to every employee, contractor, and third party who needs them to perform their role. This includes procedures for system startup/shutdown, backup operations, incident response, access provisioning, and routine maintenance. The control ensures operational consistency, reduces human error, and provides evidence of deliberate, repeatable processes during audits.

How to comply

  1. 1.Inventory all information processing facilities and systems in your environment (servers, databases, networks, cloud services, etc.)
  2. 2.Document step-by-step operating procedures for each facility, covering normal operations, emergency procedures, and troubleshooting
  3. 3.Include procedures for access control, backup/recovery, monitoring, incident response, and maintenance tasks
  4. 4.Assign clear ownership and review dates to each procedure document
  5. 5.Distribute procedures to all personnel who need access via a centralized, searchable repository
  6. 6.Implement a version control system to track procedure updates and maintain audit trails
  7. 7.Train staff on relevant procedures during onboarding and annually thereafter
  8. 8.Review and update procedures annually or whenever system changes occur

Evidence auditors look for

  • Documented procedures for server startup, shutdown, and restart protocols
  • Backup and disaster recovery runbooks with step-by-step instructions and RTO/RPO targets
  • System access provisioning and deprovisioning checklists
  • Incident response playbooks and escalation procedures
  • Network monitoring and alert response procedures
  • Database maintenance and patching schedules
  • Change management procedures with pre- and post-change verification steps
  • Access logs showing procedure distribution to personnel
  • Training records documenting staff acknowledgment of procedures
  • Version-controlled procedure repository with dated updates

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch centralizes, versions, and auto-distributes operating procedures to your entire team, tracks acknowledgment and training completion, and alerts you to outdated procedures—eliminating manual spreadsheets and proof-of-compliance headaches.

See how GRCWatch handles this control automatically

Start free trial

Related controls

ISO 27001 5.1 — Policies for Information SecurityISO 27001 5.14 — Change ManagementISO 27001 5.23 — Information Security Incident ManagementISO 27001 6.1 — Information Security CompetenceISO 27001 7.2 — Competence Assessment and Training