Skip to content



What Is The Purpose of ISO 27001:2022 Annex A 5.37?

ISO 27001:2022 Annex A 5.37 describes information security as an operational activity, with its constituent elements being carried out and/or managed by individuals.

Annex A 5.37 outlines the operational procedures for maintaining an organisation’s information security facility per its documented needs to ensure it remains efficient and secure.

Who Has Ownership of Annex A 5.37?

Annex A 5.37 covers various circumstances that may involve multiple departments and job roles. Having said that, it is safe to assume that most of the procedures will affect ICT personnel, equipment and systems.

A senior management team member responsible for all ICT-related activities, such as the Head of IT, should be accountable for ownership of Annex A 5.37.




ISMS.online gives you an 81% Headstart from the moment you log on

ISO 27001 made easy

We’ve done the hard work for you, giving you an 81% Headstart from the moment you log on. All you have to do is fill in the blanks.




General Guidance on Annex A 5.37

Information security-related procedures should be developed based on five key operational considerations:

  1. Instances of an activity performed by one or more individuals in the same way.
  2. When an activity is performed infrequently.
  3. When there are procedures that are at risk of being forgotten.
  4. New activities that staff members are unfamiliar with and therefore have a higher risk.
  5. When responsibility for carrying out an activity is transferred to a different employee or group of employees.

Where these instances occur, operating procedures should clearly outline what should be done in these situations:

  • Individuals who are responsible – whether incumbents or new operators.
  • Guidelines for maintaining security during the installation and configuration of any related business systems.
  • Throughout the activity, how information is processed.
  • BUDR plans and implications in case of data loss or a disaster event (see Annex A 8.13).
  • There should be a link between dependencies and any other system, including scheduling.
  • There must be a clear procedure for dealing with “handling errors” or miscellaneous events that can occur (see Annex A 8.18).
  • There should be a complete list of personnel to contact in case of disruption, along with clear escalation procedures.
  • Operational guidelines for any relevant storage media associated with the activity (see Annex A 7.10 and Annex A 7.14).
  • In case of a system failure, how to reboot and recover.
  • Logging of audit trails, including system and event logs (see Annex A 8.15 and Annex A 8.17).
  • Observation systems for onsite activities that take place (see Annex A 7.4).
  • A robust monitoring system that caters to the operational capacity, performance potential, and security of the activity.
  • In order to maintain optimal performance levels, it is essential to know what should be done to maintain the activity.

The approaches above should be subject to periodic and/or ad-hoc reviews as and when required. All changes to the procedures should be ratified by Management promptly to safeguard all information security activities conducted within the organisation.




climbing

Embed, expand and scale your compliance, without the mess. IO gives you the resilience and confidence to grow securely.




What Are the Changes From ISO 27001:2013?

ISO 27001:2022 Annex A 5.37 replaces ISO 27001:2013 Annex A 12.1.1 (‘Documented Operating Procedures’).

ISO 27001:2022 Annex A 5.37 expands on ISO 27001:2013 Annex A 12.1.1 by offering a much broader set of circumstances that would warrant adherence to a documented procedure.

ISO 27001:2013 Annex A 12.1.1 outlines information processing activities such as computer start-up and shutdown, backup, equipment maintenance, and media handling. In contrast, ISO 27001:2022 Annex A 5.37 expands the scope of the control to generalised activities not limited to specific technical functions.

Aside from a few minor additions, such as categorising the individuals responsible for an activity, ISO 27001:2022 Annex A 5.37 contains the same general guidance points as ISO 27001:2013 Annex A 12.1.1

Table of All ISO 27001:2022 Annex A Controls

In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.

ISO 27001:2022 Organisational Controls
Annex A Control Type ISO/IEC 27001:2022 Annex A Identifier ISO/IEC 27001:2013 Annex A Identifier Annex A Name
Organisational Controls Annex A 5.1 Annex A 5.1.1
Annex A 5.1.2
Policies for Information Security
Organisational Controls Annex A 5.2 Annex A 6.1.1 Information Security Roles and Responsibilities
Organisational Controls Annex A 5.3 Annex A 6.1.2 Segregation of Duties
Organisational Controls Annex A 5.4 Annex A 7.2.1 Management Responsibilities
Organisational Controls Annex A 5.5 Annex A 6.1.3 Contact With Authorities
Organisational Controls Annex A 5.6 Annex A 6.1.4 Contact With Special Interest Groups
Organisational Controls Annex A 5.7 NEW Threat Intelligence
Organisational Controls Annex A 5.8 Annex A 6.1.5
Annex A 14.1.1
Information Security in Project Management
Organisational Controls Annex A 5.9 Annex A 8.1.1
Annex A 8.1.2
Inventory of Information and Other Associated Assets
Organisational Controls Annex A 5.10 Annex A 8.1.3
Annex A 8.2.3
Acceptable Use of Information and Other Associated Assets
Organisational Controls Annex A 5.11 Annex A 8.1.4 Return of Assets
Organisational Controls Annex A 5.12 Annex A 8.2.1 Classification of Information
Organisational Controls Annex A 5.13 Annex A 8.2.2 Labelling of Information
Organisational Controls Annex A 5.14 Annex A 13.2.1
Annex A 13.2.2
Annex A 13.2.3
Information Transfer
Organisational Controls Annex A 5.15 Annex A 9.1.1
Annex A 9.1.2
Access Control
Organisational Controls Annex A 5.16 Annex A 9.2.1 Identity Management
Organisational Controls Annex A 5.17 Annex A 9.2.4
Annex A 9.3.1
Annex A 9.4.3
Authentication Information
Organisational Controls Annex A 5.18 Annex A 9.2.2
Annex A 9.2.5
Annex A 9.2.6
Access Rights
Organisational Controls Annex A 5.19 Annex A 15.1.1 Information Security in Supplier Relationships
Organisational Controls Annex A 5.20 Annex A 15.1.2 Addressing Information Security Within Supplier Agreements
Organisational Controls Annex A 5.21 Annex A 15.1.3 Managing Information Security in the ICT Supply Chain
Organisational Controls Annex A 5.22 Annex A 15.2.1
Annex A 15.2.2
Monitoring, Review and Change Management of Supplier Services
Organisational Controls Annex A 5.23 NEW Information Security for Use of Cloud Services
Organisational Controls Annex A 5.24 Annex A 16.1.1 Information Security Incident Management Planning and Preparation
Organisational Controls Annex A 5.25 Annex A 16.1.4 Assessment and Decision on Information Security Events
Organisational Controls Annex A 5.26 Annex A 16.1.5 Response to Information Security Incidents
Organisational Controls Annex A 5.27 Annex A 16.1.6 Learning From Information Security Incidents
Organisational Controls Annex A 5.28 Annex A 16.1.7 Collection of Evidence
Organisational Controls Annex A 5.29 Annex A 17.1.1
Annex A 17.1.2
Annex A 17.1.3
Information Security During Disruption
Organisational Controls Annex A 5.30 NEW ICT Readiness for Business Continuity
Organisational Controls Annex A 5.31 Annex A 18.1.1
Annex A 18.1.5
Legal, Statutory, Regulatory and Contractual Requirements
Organisational Controls Annex A 5.32 Annex A 18.1.2 Intellectual Property Rights
Organisational Controls Annex A 5.33 Annex A 18.1.3 Protection of Records
Organisational Controls Annex A 5.34 Annex A 18.1.4 Privacy and Protection of PII
Organisational Controls Annex A 5.35 Annex A 18.2.1 Independent Review of Information Security
Organisational Controls Annex A 5.36 Annex A 18.2.2
Annex A 18.2.3
Compliance With Policies, Rules and Standards for Information Security
Organisational Controls Annex A 5.37 Annex A 12.1.1 Documented Operating Procedures
ISO 27001:2022 People Controls
Annex A Control Type ISO/IEC 27001:2022 Annex A Identifier ISO/IEC 27001:2013 Annex A Identifier Annex A Name
People Controls Annex A 6.1 Annex A 7.1.1 Screening
People Controls Annex A 6.2 Annex A 7.1.2 Terms and Conditions of Employment
People Controls Annex A 6.3 Annex A 7.2.2 Information Security Awareness, Education and Training
People Controls Annex A 6.4 Annex A 7.2.3 Disciplinary Process
People Controls Annex A 6.5 Annex A 7.3.1 Responsibilities After Termination or Change of Employment
People Controls Annex A 6.6 Annex A 13.2.4 Confidentiality or Non-Disclosure Agreements
People Controls Annex A 6.7 Annex A 6.2.2 Remote Working
People Controls Annex A 6.8 Annex A 16.1.2
Annex A 16.1.3
Information Security Event Reporting
ISO 27001:2022 Physical Controls
Annex A Control Type ISO/IEC 27001:2022 Annex A Identifier ISO/IEC 27001:2013 Annex A Identifier Annex A Name
Physical Controls Annex A 7.1 Annex A 11.1.1 Physical Security Perimeters
Physical Controls Annex A 7.2 Annex A 11.1.2
Annex A 11.1.6
Physical Entry
Physical Controls Annex A 7.3 Annex A 11.1.3 Securing Offices, Rooms and Facilities
Physical Controls Annex A 7.4 NEW Physical Security Monitoring
Physical Controls Annex A 7.5 Annex A 11.1.4 Protecting Against Physical and Environmental Threats
Physical Controls Annex A 7.6 Annex A 11.1.5 Working In Secure Areas
Physical Controls Annex A 7.7 Annex A 11.2.9 Clear Desk and Clear Screen
Physical Controls Annex A 7.8 Annex A 11.2.1 Equipment Siting and Protection
Physical Controls Annex A 7.9 Annex A 11.2.6 Security of Assets Off-Premises
Physical Controls Annex A 7.10 Annex A 8.3.1
Annex A 8.3.2
Annex A 8.3.3
Annex A 11.2.5
Storage Media
Physical Controls Annex A 7.11 Annex A 11.2.2 Supporting Utilities
Physical Controls Annex A 7.12 Annex A 11.2.3 Cabling Security
Physical Controls Annex A 7.13 Annex A 11.2.4 Equipment Maintenance
Physical Controls Annex A 7.14 Annex A 11.2.7 Secure Disposal or Re-Use of Equipment
ISO 27001:2022 Technological Controls
Annex A Control Type ISO/IEC 27001:2022 Annex A Identifier ISO/IEC 27001:2013 Annex A Identifier Annex A Name
Technological Controls Annex A 8.1 Annex A 6.2.1
Annex A 11.2.8
User Endpoint Devices
Technological Controls Annex A 8.2 Annex A 9.2.3 Privileged Access Rights
Technological Controls Annex A 8.3 Annex A 9.4.1 Information Access Restriction
Technological Controls Annex A 8.4 Annex A 9.4.5 Access to Source Code
Technological Controls Annex A 8.5 Annex A 9.4.2 Secure Authentication
Technological Controls Annex A 8.6 Annex A 12.1.3 Capacity Management
Technological Controls Annex A 8.7 Annex A 12.2.1 Protection Against Malware
Technological Controls Annex A 8.8 Annex A 12.6.1
Annex A 18.2.3
Management of Technical Vulnerabilities
Technological Controls Annex A 8.9 NEW Configuration Management
Technological Controls Annex A 8.10 NEW Information Deletion
Technological Controls Annex A 8.11 NEW Data Masking
Technological Controls Annex A 8.12 NEW Data Leakage Prevention
Technological Controls Annex A 8.13 Annex A 12.3.1 Information Backup
Technological Controls Annex A 8.14 Annex A 17.2.1 Redundancy of Information Processing Facilities
Technological Controls Annex A 8.15 Annex A 12.4.1
Annex A 12.4.2
Annex A 12.4.3
Logging
Technological Controls Annex A 8.16 NEW Monitoring Activities
Technological Controls Annex A 8.17 Annex A 12.4.4 Clock Synchronization
Technological Controls Annex A 8.18 Annex A 9.4.4 Use of Privileged Utility ProgramsAccess Rights
Technological Controls Annex A 8.19 Annex A 12.5.1
Annex A 12.6.2
Installation of Software on Operational Systems
Technological Controls Annex A 8.20 Annex A 13.1.1 Networks Security
Technological Controls Annex A 8.21 Annex A 13.1.2 Security of Network Services
Technological Controls Annex A 8.22 Annex A 13.1.3 Segregation of Networks
Technological Controls Annex A 8.23 NEW Web filtering
Technological Controls Annex A 8.24 Annex A 10.1.1
Annex A 10.1.2
Use of Cryptography
Technological Controls Annex A 8.25 Annex A 14.2.1 Secure Development Life Cycle
Technological Controls Annex A 8.26 Annex A 14.1.2
Annex A 14.1.3
Application Security Requirements
Technological Controls Annex A 8.27 Annex A 14.2.5 Secure System Architecture and Engineering PrinciplesLearning From Information Security Incidents
Technological Controls Annex A 8.28 NEW Secure Coding
Technological Controls Annex A 8.29 Annex A 14.2.8
Annex A 14.2.9
Security Testing in Development and Acceptance
Technological Controls Annex A 8.30 Annex A 14.2.7 Outsourced Development
Technological Controls Annex A 8.31 Annex A 12.1.4
Annex A 14.2.6
Separation of Development, Test and Production Environments
Technological Controls Annex A 8.32 Annex A 12.1.2
Annex A 14.2.2
Annex A 14.2.3
Annex A 14.2.4
Change Management
Technological Controls Annex A 8.33 Annex A 14.3.1 Test Information
Technological Controls Annex A 8.34 Annex A 12.7.1 Protection of Information Systems During Audit Testing




[case_study_slider ids=”88859,101932,92016″ autoplay=”true” autoplay_speed=”5000″]


How ISMS.online Help

ISO 27001:2022 implementation is simplified with our step-by-step checklist that guides you through all phases, from defining the scope of your ISMS to identifying risks and implementing controls.

Benefits of ISMS.online include:

  • Compliance can be demonstrated through the completion of tasks and the submission of evidence.
  • Monitoring compliance progress and delegating responsibilities is easy.
  • Time and effort are saved throughout the risk assessment process with the extensive risk assessment toolset.
  • We have a dedicated team of consultants throughout your compliance journey available to help.

Get in touch today to book a short 30-minute demo.


Toby Cane

Partner Customer Success Manager

Toby Cane is the Senior Partner Success Manager for ISMS.online. He has worked for the company for close to 4 years and has performed a range of roles, including hosting their webinars. Prior to working in SaaS, Toby was a Secondary School teacher.

ISO 27001:2022 Annex A Controls

Organisational Controls