## Overview
ISO 27001 Control A.5.37 requires that operating procedures for information processing facilities are documented and made available to personnel who need them. Without documented SOPs, organisations rely on tribal knowledge — leading to inconsistent execution, security gaps, and audit findings.
This skill bridges the gap between high-level policies and day-to-day operations by producing step-by-step procedures with traceability to Annex A controls. A coverage analyzer maps your Statement of Applicability to operational areas and identifies which controls still need SOPs, while a completeness checker validates that each SOP has all required sections.
For a step-by-step walkthrough of how this skill fits into the full ISMS flow, see the ISO 27001 ISMS workspace tutorial.
## What It Covers
- SOP index — master registry mapping each procedure to related Annex A controls, owner, and review frequency
- Individual SOPs — step-by-step procedures covering purpose, scope, responsible person, prerequisites, procedure steps, frequency, tools, rollback/escalation, and management approval
- Coverage analysis — maps SoA applicable controls to 15+ operational areas (backup, access provisioning, vulnerability scanning, incident response, change deployment, key management, physical access, media disposal, and more)
- Completeness validation — checks 11 required fields per SOP including management approval per A.5.37
- Document control — ensures each SOP meets Clause 7.5 requirements (unique ID, version, effective date, author)
## Example Conversation
You: We need to create SOPs for our security operations. We’re a SaaS company running on GCP. Which operations need documented procedures based on our SoA?
Agent: Let me load your Statement of Applicability and run the sop_coverage_analyzer to identify which operational areas need SOPs.
Based on 78 applicable controls in your SoA, the analyzer identified 12 operational areas that need documented procedures:
| Operational Area | Related Controls | Priority |
|---|---|---|
| Backup & Restore | A.8.13 | High |
| Access Provisioning & De-provisioning | A.5.15, A.5.18 | High |
| Vulnerability Scanning & Patching | A.8.8 | High |
| Incident Response Steps | A.5.24, A.5.26 | High |
| Change Deployment | A.8.32, A.8.9 | High |
| Key & Certificate Management | A.8.24 | Medium |
| Log Review & Monitoring | A.8.15, A.8.16 | Medium |
| Physical Access Management | A.7.1, A.7.2 | Medium |
| Media Handling & Disposal | A.7.14, A.8.10 | Medium |
| System Startup & Recovery | A.8.13, A.5.29 | Medium |
| Supplier Access Review | A.5.19, A.5.22 | Low |
| Data Centre & Facilities | A.7.5, A.7.12 | Low |

Let me start with the highest-priority SOPs. I’ll create each one with all required sections and validate them.
You: Start with backup and access provisioning.
Agent: I’ve drafted SOP-001-Backup-Restore and SOP-002-Access-Provisioning. Let me validate each.
Running sop_completeness_checker on SOP-001…
RESULT: PASS — 11/11 checks passed. Purpose, scope, responsible person, prerequisites, numbered steps, frequency, tools, rollback, version header, management approval, and related controls all present.
Running sop_completeness_checker on SOP-002…
RESULT: PASS — 11/11 checks passed.
Both SOPs have been added to the index. Running sop_coverage_analyzer again — 2 of 12 areas now covered. 10 remaining gaps to address.
## Sample Output Excerpt
Below is a representative excerpt from a generated SOP showing the structure and level of detail expected.
### SOP-001 — Backup & Restore Procedure (excerpt)
| Field | Value |
|---|---|
| SOP ID | SOP-001 |
| Title | Backup & Restore Procedure |
| Version | 1.0 |
| Effective Date | 2026-03-15 |
| Owner | João Silva — CTO |
| Approved By | Maria Santos — CISO |
| Related Controls | A.8.13 (Information backup) |
| Frequency | Daily (automated) / Monthly (verification) |
#### 1. Purpose
Define the procedures for backing up and restoring information systems and data within the ISMS scope to ensure data availability and integrity per Control A.8.13.
#### 2. Scope
Covers all production databases (Cloud SQL), application data (Cloud Storage), GKE cluster configurations, and secrets (Secret Manager) within the CloudSync platform.
#### 3. Procedure
| Step | Action | Expected Outcome | Responsible |
|---|---|---|---|
| 1 | Verify automated backup schedule is active in GCP Console → Cloud SQL → Backups | Backup schedule shows daily at 02:00 UTC with 30-day retention | Platform Engineer |
| 2 | Confirm Cloud Storage object versioning is enabled for all production buckets | Versioning status shows “Enabled” for each bucket | Platform Engineer |
| 3 | Run monthly backup verification: restore latest Cloud SQL backup to staging environment | Staging database accessible with data matching production (spot-check 5 tables) | Platform Engineer |
| 4 | Document restoration test results in the backup verification log | Log entry with date, backup ID, restore duration, validation result | Platform Engineer |
| 5 | If restoration fails: escalate to CTO within 1 hour, open incident per PROC-003 | Incident ticket created, root cause investigation started | Platform Engineer → CTO |
#### 4. Rollback / Escalation
- If automated backups fail for >24 hours: trigger alert via Cloud Monitoring, escalate to on-call engineer
- If restoration test fails: escalate to CTO, initiate root cause analysis, do not mark monthly verification as complete
## Extension Tools
### sop_completeness_checker
Validates each SOP against 11 required sections:
| # | Check | What It Looks For |
|---|---|---|
| 1 | Purpose statement | Section declaring the procedure’s objective |
| 2 | Scope definition | What systems, processes, or areas are covered |
| 3 | Responsible person/role | Named individual or role accountable for execution |
| 4 | Prerequisites | Preconditions, required access, or setup steps |
| 5 | Step-by-step procedure | Numbered steps with actionable instructions |
| 6 | Frequency/schedule | How often the procedure is performed |
| 7 | Tools/systems | Software, platforms, or equipment referenced |
| 8 | Rollback/escalation | What to do if the procedure fails |
| 9 | Version control header | Document ID, version, date, and author per Clause 7.5 |
| 10 | Management approval | Approved By field — mandatory per A.5.37 and ISO 27002 §5.37 |
| 11 | Related controls | Reference to Annex A controls the SOP implements |
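As an added example that is not the skill's own code, the following Python sketch implements the 11 checks above against an SOP written in the markdown shape of the SOP-001 excerpt: a `| Field | Value |` header table, numbered sections, and a procedure table whose rows start with a step number. The field and section names it looks for (`Owner`, `Approved By`, `Related Controls`, `Prerequisites`, `Tools`, and so on) are assumptions modelled on that excerpt. Both SOP documents are constructed inline; the second one deliberately drops the management approval line and the prerequisites section so the failure path is visible.

```python
import re

CONTROL_ID = re.compile(r"\bA\.\d{1,2}\.\d{1,2}\b")  # Annex A control ids such as A.8.13


def parse_fields(text):
    """Collect {field: value} from two-column '| Field | Value |' rows (the SOP header table)."""
    fields = {}
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        # skip non-table lines, wider tables (the procedure table) and the |---|---| separator
        if len(cells) == 2 and cells[0] and not set(cells[0]) <= set("-: "):
            fields.setdefault(cells[0].lower(), cells[1])
    return fields


def has_section(text, *names):
    """True if a numbered heading such as '3. Procedure' starts with one of the given names."""
    pattern = r"^\s*\d+\.\s*(" + "|".join(re.escape(n) for n in names) + r")\b"
    return re.search(pattern, text, re.IGNORECASE | re.MULTILINE) is not None


def count_steps(text):
    """Count procedure steps: table rows whose first cell is a step number."""
    return len(re.findall(r"^\s*\|\s*\d+\s*\|", text, re.MULTILINE))


def check_sop(text):
    """Run the 11 completeness checks; returns per-check booleans plus a PASS/FAIL summary."""
    fields = parse_fields(text)

    def field(*names):  # first non-empty header field among the given (assumed) names
        return next((fields[n].strip() for n in names if fields.get(n, "").strip()), "")

    checks = {
        "purpose": has_section(text, "purpose"),
        "scope": has_section(text, "scope"),
        "responsible": bool(field("owner", "responsible", "responsible person")),
        "prerequisites": has_section(text, "prerequisites"),
        "steps": count_steps(text) >= 1,
        "frequency": bool(field("frequency", "schedule")),
        "tools": has_section(text, "tools") or bool(field("tools", "tools/systems")),
        "rollback": has_section(text, "rollback", "escalation"),
        # Clause 7.5 document control: unique id, version, effective date and an author/owner
        "version_header": all(field(n) for n in ("sop id", "version", "effective date"))
        and bool(field("author", "owner")),
        "management_approval": bool(field("approved by")),  # A.5.37
        "related_controls": CONTROL_ID.search(field("related controls")) is not None,
    }
    passed = sum(checks.values())
    return {"checks": checks, "passed": passed, "total": len(checks),
            "result": "PASS" if passed == len(checks) else "FAIL"}


def summarize(report):
    """One-line result in the style of the example conversation, listing any failed checks."""
    missing = [name for name, ok in report["checks"].items() if not ok]
    line = f"RESULT: {report['result']} - {report['passed']}/{report['total']} checks passed"
    return line if not missing else f"{line}; missing: {', '.join(missing)}"


# Constructed sample SOP in the shape of the SOP-001 excerpt (not a real organisation's document).
SAMPLE_SOP = """\
| Field | Value |
|---|---|
| SOP ID | SOP-001 |
| Title | Backup & Restore Procedure |
| Version | 1.0 |
| Effective Date | 2026-03-15 |
| Owner | Joao Silva (CTO) |
| Approved By | Maria Santos (CISO) |
| Related Controls | A.8.13 (Information backup) |
| Frequency | Daily (automated) / Monthly (verification) |

1. Purpose
Define the backup and restore procedures for systems in the ISMS scope (Control A.8.13).
2. Scope
Production databases, application storage and cluster configuration.
3. Prerequisites
Platform Engineer role with backup-admin access; staging project available for restores.
4. Tools
Cloud console backup pages, object storage versioning, monitoring alerts.
5. Procedure
| Step | Action | Expected Outcome | Responsible |
|---|---|---|---|
| 1 | Verify the automated backup schedule is active | Daily backup with 30-day retention | Platform Engineer |
| 2 | Restore the latest backup to staging and spot-check tables | Staging data matches production | Platform Engineer |
6. Rollback / Escalation
- If the restoration test fails: escalate to the CTO and do not mark the monthly verification complete.
"""

# Same constructed document with the approval line and the prerequisites section removed.
INCOMPLETE_SOP = "\n".join(
    line for line in SAMPLE_SOP.splitlines()
    if not line.startswith(("| Approved By", "3. Prerequisites", "Platform Engineer role"))
) + "\n"

if __name__ == "__main__":
    for name, doc in (("SOP-001", SAMPLE_SOP), ("SOP-001 (incomplete)", INCOMPLETE_SOP)):
        print(f"Running completeness check on {name}...")
        print(summarize(check_sop(doc)))
```

The checks are deliberately structural (a heading exists, a field is non-empty, at least one numbered step is present); they catch a missing `Approved By` or a forgotten rollback section, not a vague one, so a human review of the content still follows a PASS.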
### sop_coverage_analyzer
Maps applicable controls to operational areas and identifies gaps:
- SoA integration: reads the Statement of Applicability to scope coverage to your organisation’s applicable controls
- 15+ operational areas: backup, access provisioning, vulnerability scanning, incident response, change deployment, key management, log review, physical access, media disposal, system startup/recovery, data centre/facilities, and more
- Gap detection: identifies controls that should have SOPs but don’t, with suggested SOP topics
- Coverage percentage: reports overall and per-area coverage against applicable controls
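An added example (not the skill's own analyzer) of the gap logic just described, in Python. The area-to-control map and priorities are the 12 rows of the coverage table in the example conversation; the SoA and the SOP index are constructed inline. The rule that an area counts as covered only when every applicable control mapped to it is referenced by some SOP is this example's assumption; it reproduces the "2 of 12 areas covered" result, because SOP-001's A.8.13 alone does not cover System Startup & Recovery, which also maps A.5.29. The example also flags SOPs that cite controls the SoA marks not applicable, an inconsistency worth catching before an audit.

```python
# Operational areas with related controls and priority, as listed in the example conversation.
AREA_CONTROLS = {
    "Backup & Restore": (["A.8.13"], "High"),
    "Access Provisioning & De-provisioning": (["A.5.15", "A.5.18"], "High"),
    "Vulnerability Scanning & Patching": (["A.8.8"], "High"),
    "Incident Response Steps": (["A.5.24", "A.5.26"], "High"),
    "Change Deployment": (["A.8.32", "A.8.9"], "High"),
    "Key & Certificate Management": (["A.8.24"], "Medium"),
    "Log Review & Monitoring": (["A.8.15", "A.8.16"], "Medium"),
    "Physical Access Management": (["A.7.1", "A.7.2"], "Medium"),
    "Media Handling & Disposal": (["A.7.14", "A.8.10"], "Medium"),
    "System Startup & Recovery": (["A.8.13", "A.5.29"], "Medium"),
    "Supplier Access Review": (["A.5.19", "A.5.22"], "Low"),
    "Data Centre & Facilities": (["A.7.5", "A.7.12"], "Low"),
}
PRIORITY_RANK = {"High": 0, "Medium": 1, "Low": 2}


def analyze_coverage(soa, sop_index):
    """Map SoA-applicable controls to areas; report per-area coverage, gaps and inconsistencies.

    soa: {control_id: applicable(bool)}; sop_index: list of {"id", "title", "related_controls"}.
    """
    applicable = {cid for cid, is_applicable in soa.items() if is_applicable}
    referenced = {cid for sop in sop_index for cid in sop["related_controls"]}

    areas = []
    for name, (controls, priority) in AREA_CONTROLS.items():
        in_scope = [c for c in controls if c in applicable]
        if not in_scope:
            continue  # none of this area's controls is applicable: out of scope for SOPs
        covered = [c for c in in_scope if c in referenced]
        areas.append({
            "area": name, "priority": priority, "controls": in_scope,
            "covered_controls": covered,
            "covered": len(covered) == len(in_scope),  # assumption: every mapped control needs an SOP
            "coverage_pct": round(100 * len(covered) / len(in_scope)),
        })

    gaps = [{"area": a["area"], "priority": a["priority"],
             "missing_controls": [c for c in a["controls"] if c not in a["covered_controls"]],
             "suggested_sop": f"SOP for {a['area']}"}
            for a in areas if not a["covered"]]
    gaps.sort(key=lambda g: PRIORITY_RANK[g["priority"]])  # stable: keeps table order within a tier

    needing_sop = {c for a in areas for c in a["controls"]}
    covered_all = {c for a in areas for c in a["covered_controls"]}
    # SOPs citing controls the SoA excludes: either the SoA or the SOP is wrong, and an auditor will ask
    not_applicable_refs = {
        sop["id"]: [c for c in sop["related_controls"] if c not in applicable]
        for sop in sop_index if any(c not in applicable for c in sop["related_controls"])
    }

    return {"areas": areas,
            "areas_covered": sum(a["covered"] for a in areas), "areas_total": len(areas),
            "overall_pct": round(100 * len(covered_all) / len(needing_sop)) if needing_sop else 0,
            "gaps": gaps, "not_applicable_references": not_applicable_refs}


# Constructed inputs: every mapped control applicable except A.7.12, plus the two SOPs from the conversation.
SOA = {cid: True for controls, _ in AREA_CONTROLS.values() for cid in controls}
SOA["A.7.12"] = False
SOP_INDEX = [
    {"id": "SOP-001", "title": "Backup & Restore Procedure", "related_controls": ["A.8.13"]},
    {"id": "SOP-002", "title": "Access Provisioning & De-provisioning",
     "related_controls": ["A.5.15", "A.5.18"]},
]

if __name__ == "__main__":
    report = analyze_coverage(SOA, SOP_INDEX)
    print(f"{report['areas_covered']} of {report['areas_total']} areas covered "
          f"({report['overall_pct']}% of controls needing an SOP)")
    for gap in report["gaps"]:
        print(f"  [{gap['priority']}] {gap['area']}: missing {', '.join(gap['missing_controls'])}")
```

Two percentages come out of this: per-area coverage (System Startup & Recovery sits at 50% with only A.8.13 referenced) and the overall figure over the union of in-scope controls, so a control shared by two areas is counted once rather than inflating the total.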
## Getting Started
Activate the ISO 27001 Operating Procedures (SOPs) skill. If you’ve completed the Statement of Applicability skill, load it — the coverage analyzer uses your SoA to scope which operational areas need SOPs.
Have this information ready:
- Your Statement of Applicability (which Annex A controls are applicable)
- Key operational processes (backup schedules, access provisioning workflows, incident response steps)
- Tools and systems used for each operation (cloud console, CI/CD pipeline, monitoring tools)
- Who is responsible for each operational area
- Current frequency of each operation
The agent identifies coverage gaps, creates an SOP index, drafts individual procedures with step-by-step instructions, and validates each one for completeness before finalizing.