ISO 27001:2022 Annex A Control 5.37

General Guidance on Annex A 5.37

Information security-related procedures should be developed based on five key operational considerations:

1. Instances of an activity performed by one or more individuals in the same way.
2. When an activity is performed infrequently.
3. When there are procedures that are at risk of being forgotten.
4. New activities that staff members are unfamiliar with and therefore have a higher risk.
5. When responsibility for carrying out an activity is transferred to a different employee or group of employees.

Where these instances occur, operating procedures should clearly outline what should be done in these situations:

• Individuals who are responsible – whether incumbents or new operators.
• Guidelines for maintaining security during the installation and configuration of any related business systems.
• Throughout the activity, how information is processed.
• BUDR plans and implications in case of data loss or a disaster event (see Annex A 8.13).
• There should be a link between dependencies and any other system, including scheduling.
• There must be a clear procedure for dealing with “handling errors” or miscellaneous events that can occur (see Annex A 8.18).
• There should be a complete list of personnel to contact in case of disruption, along with clear escalation procedures.
• Operational guidelines for any relevant storage media associated with the activity (see Annex A 7.10 and Annex A 7.14).
• In case of a system failure, how to reboot and recover.
• Logging of audit trails, including system and event logs (see Annex A 8.15 and Annex A 8.17).
• Observation systems for onsite activities that take place (see Annex A 7.4).
• A robust monitoring system that caters to the operational capacity, performance potential, and security of the activity.
• In order to maintain optimal performance levels, it is essential to know what should be done to maintain the activity.

The approaches above should be subject to periodic and/or ad-hoc reviews as and when required. All changes to the procedures should be ratified by Management promptly to safeguard all information security activities conducted within the organisation.

What Are the Changes From ISO 27001:2013?

ISO 27001:2022 Annex A 5.37 replaces ISO 27001:2013 Annex A 12.1.1 (‘Documented Operating Procedures’).

ISO 27001:2022 Annex A 5.37 expands on ISO 27001:2013 Annex A 12.1.1 by offering a much broader set of circumstances that would warrant adherence to a documented procedure.

ISO 27001:2013 Annex A 12.1.1 outlines information processing activities such as computer start-up and shutdown, backup, equipment maintenance, and media handling. In contrast, ISO 27001:2022 Annex A 5.37 expands the scope of the control to generalised activities not limited to specific technical functions.

Aside from a few minor additions, such as categorising the individuals responsible for an activity, ISO 27001:2022 Annex A 5.37 contains the same general guidance points as ISO 27001:2013 Annex A 12.1.1

Table of All ISO 27001:2022 Annex A Controls

In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.

How ISMS.online Help

ISO 27001:2022 implementation is simplified with our step-by-step checklist that guides you through all phases, from defining the scope of your ISMS to identifying risks and implementing controls.

Benefits of ISMS.online include:

• Compliance can be demonstrated through the completion of tasks and the submission of evidence.
• Monitoring compliance progress and delegating responsibilities is easy.
• Time and effort are saved throughout the risk assessment process with the extensive risk assessment toolset.
• We have a dedicated team of consultants throughout your compliance journey available to help.

Get in touch today to book a short 30-minute demo.