5.37 Documented operating procedures
| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
|---|---|---|---|---|
| #Preventive #Corrective | #Confidentiality #Integrity #Availability | #Protect #Recover | #Asset_management #Physical_security #System_and_network_security #Application_security #Secure_configuration #Identity_and_access_management #Threat_and_vulnerability_management #Continuity #Information_security_event_management | #Governance_and_Ecosystem #Protection #Defence |
Control Operating procedures for information processing facilities should be documented and made available to personnel who need them.
Purpose To ensure the correct and secure operation of information processing facilities.
Guidance Documented procedures should be prepared for the organization’s operational activities associated with information security, for example:
a) when the activity needs to be performed in the same way by many people;
b) when the activity is performed rarely and when next performed the procedure is likely to have been forgotten;
c) when the activity is new and presents a risk if not performed correctly;
d) prior to handing over the activity to new personnel.
The operating procedures should specify:
a) the responsible individuals;
b) the secure installation and configuration of systems;
c) processing and handling of information, both automated and manual;
d) backup (see 8.13) and resilience;
e) scheduling requirements, including interdependencies with other systems;
f) instructions for handling errors or other exceptional conditions [e.g. restrictions on the use of utility programs (see 8.18)], which can arise during job execution;
g) support and escalation contacts including external support contacts in the event of unexpected operational or technical difficulties;
h) storage media handling instructions (see 7.10, 7.14);
i) system restart and recovery procedures for use in the event of system failure;
j) the management of audit trail and system log information (see 8.15, 8.17) and video monitoring systems (see 7.4);
k) monitoring procedures such as capacity, performance and security (see 8.6, 8.16);
l) maintenance instructions.
Documented operating procedures should be reviewed and updated when needed. Changes to documented operating procedures should be authorized. Where technically feasible, information systems should be managed consistently, using the same procedures, tools and utilities.
Other information No other information.