In ISO 27001 Annex A control 10.1.1 makes it a requirement to identify all necessary operating procedures at policy level and then document these operating procedure based on the current environment. All of these operating procedures should be under strict document control meaning these procedures should be reviewed and updated at regular intervals based on the organization risk acceptance level. Also if your organization already has ISO20000 then the ISO20000 document control procedures are applicable to ISO 27001.

In ISO 27002 recommendation suggest the detail these operating procedures should address. The detailed work instructions will be directly proportional to the size of the organization and complexity of the task. The rule of thumb is another trained staff should be able to follow the instruction without much assistance. Also these procedures should have an input from cross functional team especially from security staff and the staff operating these procedures. The procedures should take into consideration vendor user manual instructions for all basic functions of the operations. The organizations which may outsource their IT and Security services need to specify the documentation requirement based on ISO 27001/ ISO 9000 in their contract and the relevant documents should be audited on regular basis to keep their required ISO certification

Below are some of the operating procedures.

  • Backup and restore procedures.
  • Handling of information based on the classification.
  • Contact list of all supporting staff including vendors to tackle unexpected events.
  • Detailed system restart and recovery procedures to tackle unexpected incidents