Documented Operating Procedures for Information Processing
Ensure procedures are written down and accessible to those who need them.
Plain language
Imagine running a business where no one knows exactly how to do their job because the instructions aren't written down. This control is basically saying: 'Let's not leave things to chance!' By documenting how information is processed, you ensure everyone knows what to do and how to do it, reducing mistakes and making sure everything runs smoothly.
Framework
ISO/IEC 27001:2022
Control effect
Preventative
ISO 27001 domain
Organisational controls
Classifications
N/A
Official last update
24 Oct 2022
Control Stack last updated
19 Mar 2026
Maturity levels
N/A
Official control statement
Operating procedures for information processing facilities shall be documented and made available to personnel who need them.
Why it matters
Without documented operating procedures, staff run processing tasks inconsistently, increasing outages and data handling errors and leaving processing steps impossible to repeat or audit.
Operational notes
Maintain version-controlled operating procedures for each processing facility; assign owners, review after changes/incidents, and publish them where relevant staff can easily access.
Implementation tips
- The IT manager should take the lead in documenting procedures for all key information processing activities. They can start by listing frequent, rare, and new activities, ensuring every procedure is written down so it can be consistently followed.
- HR should ensure that new staff receive and understand these documented procedures as part of their onboarding process. This can be done by integrating these procedures into training sessions and making sure they're easily accessible.
- Department heads should be responsible for keeping procedure documents up-to-date and relevant. They can do this by regularly reviewing the procedures, especially after changes in systems or regulations, to ensure they remain accurate.
- An operations manager should oversee the secure handling and storage of these documents. This includes setting up a digital library that is backed up regularly, ensuring easy access for authorised personnel only, aligned with the ASD Essential Eight.
- The compliance officer should verify that procedures include specific details like handling errors and correct sequences of tasks. They can do this by cross-referencing the procedures with actual practices, ensuring compliance with the Australian Privacy Act 1988.
Audit / evidence tips
- Ask: the documented operating procedures for all key information processing activities. Good: a comprehensive set of current documents available to everyone who needs them.
- Ask: records of when procedures were last reviewed and updated.
- Ask: to see training records for new staff on these procedures.
- Ask: evidence of how exceptions or errors are handled following documented procedures.
- Ask: how changes to procedures are communicated to staff.
Cross-framework mappings
How Annex A 5.37 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ASD ISM
| Relationship | Control | Notes |
|---|---|---|
| Partially meets (3) | ISM-0206 | ISM-0206 requires documented and maintained cable labelling processes and supporting procedures |
| Partially meets (3) | ISM-0348 | ISM-0348 requires organisations to develop, implement, and maintain media sanitisation processes and supporting procedures |
| Partially meets (3) | ISM-0372 | ISM-0372 mandates a specific operational safeguard for media disposal: two cleared personnel must supervise destruction of media holding ... |
| Partially overlaps (3) | ISM-0576 | Annex A 5.37 requires operational procedures for information processing to be documented and made available to relevant personnel |
| Partially overlaps (3) | ISM-0912 | Annex A 5.37 requires documented and accessible operating procedures for information processing facilities |
| Partially overlaps (3) | ISM-1602 | ISM-1602 requires cyber security documentation, including change notifications, to be communicated to stakeholders |
| Supports (10) | ISM-0041 | Annex A 5.37 requires operating procedures for information processing facilities to be documented and accessible to personnel who need them |
| Supports (10) | ISM-0042 | Annex A 5.37 requires operating procedures for information processing facilities to be documented and made available to personnel who nee... |
| Supports (10) | ISM-0362 | ISM-0362 enforces following manufacturer's directions for degaussing magnetic media, whereas Annex A 5.37 calls for documented procedures... |
| Supports (10) | ISM-0499 | ISM-0499 requires compliance with ASD communications security doctrine and policy for HACE operations |
| Supports (10) | ISM-0888 | Annex A 5.37 requires operating procedures for information processing facilities to be documented and made available to personnel who nee... |
| Supports (10) | ISM-1359 | ISM-1359 requires an organisation to implement and maintain a removable media usage policy to control how removable media is used and han... |
| Supports (10) | ISM-1478 | ISM-1478 requires the CISO to oversee the cyber security program and ensure compliance with organisational and external cyber security re... |
| Supports (10) | ISM-1549 | ISM-1549 requires an organisation to develop, implement, and maintain a media management policy |
| Supports (10) | ISM-1551 | ISM-1551 requires an organisation to establish and maintain a policy for managing IT equipment |
| Supports (10) | ISM-1802 | ISM-1802 requires organisations to operate ASD-approved HACE in line with the latest ACSI, which implies disciplined, documented operatin... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.