ISMS Directory
    A.5.37
    Organizational Controls

    Documented operating procedures

    Operating procedures for information processing facilities should be documented and made available to personnel who need them.

    Purpose

    To ensure correct and secure operation of information processing facilities.

    Implementation Guidance

    Document all critical operating procedures

    Keep procedures up to date with system changes

    Make procedures easily accessible to authorized personnel

    Include security considerations in all procedures

    Review and update procedures regularly

    Recommended Tools

    Notion

    All-in-one workspace for documentation, policies, and knowledge management. Perfect for startups to manage all ISO 27001 documentation.

    Confluence

    Enterprise-grade documentation and collaboration platform by Atlassian. Integrates well with Jira for larger organizations.

    GitHub Wiki

    Simple wiki for technical documentation directly in your GitHub repository. Great for developer-focused teams.

    Google Docs

    Simple document collaboration tool that most teams already use. Good for basic policy management.

    ISMS Copilot

    AI-powered assistant for writing ISO 27001 policies, procedures, and support documents. Makes compliance documentation fast and easy.

    ISO 27001 Services from the Directory

    These providers can help you implement A.5.37 and achieve ISO 27001 certification.

    Advisera logo

    Advisera

    Provider of ISO 27001 documentation, training, and consultancy services to help businesses achieve compliance.

    Anecdotes logo

    Anecdotes

    Enterprise agentic GRC platform with 230+ integrations and 40+ pre-mapped frameworks for Fortune 500 compliance programs.

    Arrow Cyber Advisors logo

    Arrow Cyber Advisors

    Arrow Cyber Advisors enables organizations to build measurable cybersecurity maturity and resilience. We specialize in governance, risk and compliance advisory, providing clear security direction, maturity benchmarking, and execution support tailored to regulated and high-risk environments.

    Atoro logo

    Atoro

    Atoro offers specialized ISO 27001 certification services for SaaS companies, simplifying compliance with expert tools.

    AuditBoard logo

    AuditBoard

    Enterprise connected risk platform trusted by over 50% of the Fortune 500 for audit, risk, and compliance management.

    Bitsecura logo

    Bitsecura

    *** Helping Businesses Achieve Compliance & Certification Success *** Bitsecura is a IT governance, risk, and compliance (GRC) firm specialising in helping organisations protect their critical assets, navigate complex regulatory landscapes, and build sustainable cybersecurity frameworks. With over 20 years of industry experience, we offer strategic guidance, bespoke solutions, and operational support that align seamlessly with your business objectives. Our commitment to practical innovation and long-term partnerships ensures that working with Bitsecura not only strengthens your current security posture, but also builds a lasting foundation for future resilience.

    View all ISO 27001 services

    Related Controls

    Other controls in Organizational Controls

    A.5.1
    Policies for information security
    A.5.2
    Information security roles and responsibilities
    A.5.3
    Segregation of duties
    A.5.4
    Management responsibilities
    A.5.5
    Contact with authorities
    View all Organizational Controls

    Quick Links

    All 93 Controls ISO 27001 Services ISO 27001 Consultants
    By the team behind ISMS Directory

    Implementing A.5.37 for a client?

    ISMS Copilot drafts policies, evidence, and SoA wording for A.5.37 Documented operating procedures. Built for compliance professionals.

    Try ISMS Copilot free