Control 5.37: Documented Operating Procedures
Summary
Operating procedures for information processing facilities should be documented and made available to personnel who need them. This ensures consistency and reduces the risk of human error in critical technical tasks.
Applicability
In-Scope: Mandatory for all organizations to ensure business continuity and technical reliability. It is essential for training new staff and maintaining standards during complex security operations.
Out-of-Scope: Never out-of-scope.
Implementation Guidance
Microsoft 365 / Entra ID
- Knowledge Base: Use Microsoft SharePoint or Microsoft Teams to host a Technical Standard Operating Procedure (SOP) library with restricted access.
- Version Control: Utilize SharePoint's built-in versioning to ensure that technical teams are always following the most recently approved version of a procedure.
- Automation as Documentation: Use Microsoft Sentinel Playbooks or Azure Logic Apps to codify procedures, ensuring that the documented steps are executed automatically and consistently.
Evidence Checklist
- Standard Operating Procedures (SOPs): A collection of documented steps for tasks like system backups, user onboarding, and patching.
- Document Review Logs: Evidence that technical procedures are reviewed and updated at least annually.
- Training Records: Records showing that technical staff have been briefed on the specific operating procedures they are responsible for.
Practical Audit Advice
Here are some questions the auditor might ask:
- If your lead administrator were unavailable, are your documented procedures detailed enough for another specialist to maintain critical systems?
- How do you ensure that outdated versions of procedures are removed from the environment?
- Can you provide the SOP for a recent critical change made to the Microsoft 365 tenant configuration?
- How is the effectiveness of these procedures reviewed to ensure they still reflect the actual technical steps being taken?