GASP: AICF

GOV-024 Documented Operating Procedures

Tier 2+

Description

Operating procedures for critical information processing activities are documented, maintained, and made available to personnel who require them. Procedures are version-controlled, reviewed at defined intervals, and updated when processes change.

Rationale

Undocumented procedures cannot be consistently executed, audited, or transferred to new personnel. Documented procedures are the mechanism by which policies are operationalized.

Framework Mappings (3)

GRC-03: Organizational Policy Reviews (partial)
5.37: Documented operating procedures (full)
PL-2: System Security and Privacy Plans (partial)

Evidence (2)

policy (manual)

Operating procedures for critical information processing activities, version-controlled and reviewed at defined intervals.

Example: Set of operating procedures (Confluence runbooks or Google Drive SOPs) for at least five critical processes — e.g. access provisioning, patch management, incident response, backup and recovery, change management — each with: version number, last-reviewed date, named owner, and access control setting.

Test: Request the procedure index or list from the document management system. Select a sample of five procedures covering different security domains. For each, verify: (1) a current version number exists, (2) a last-reviewed or last-updated date is within the defined interval (typically 12 months), (3) a named owner is assigned, (4) the procedures are accessible to the personnel who need them.

record (manual)

Procedure review log showing each critical procedure has been reviewed and updated (or confirmed current) at the required interval.

Example: Procedure review log or version history (Confluence page history / document management system change log), showing review dates, reviewer names, and disposition (updated/confirmed current) for each procedure within the last 12 months.

Test: Export the revision history or review log for the procedure library. Verify: (1) all listed critical procedures have a review event within the defined interval, (2) the review records show a named reviewer, (3) procedures triggered by process changes (e.g. new system deployment) show an update date aligned to that change.
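The two evidence tests above can be run mechanically once the procedure index and review log are exported. The following script is an added example and is not part of GASP/AICF or any document management system's tooling; the procedure index, review log, field names and the 12-month interval are constructed assumptions in the shape an auditor might receive. It applies the four checks from the first test to each procedure and the reviewer/interval checks from the second test to the review log, returning findings per procedure rather than a pass/fail verdict.

```python
from datetime import date, timedelta

# Constructed sample procedure index (not real data), one row per critical
# procedure as it might be exported from a document management system.
PROCEDURES = [
    {"id": "SOP-001", "name": "Access provisioning", "version": "3.2",
     "owner": "IAM Lead", "last_reviewed": "2024-11-02", "audience": "it-ops"},
    {"id": "SOP-002", "name": "Patch management", "version": "2.0",
     "owner": "Platform Lead", "last_reviewed": "2023-09-15", "audience": "it-ops"},
    {"id": "SOP-003", "name": "Incident response", "version": "",
     "owner": "", "last_reviewed": "2025-01-10", "audience": "security"},
    {"id": "SOP-004", "name": "Backup and recovery", "version": "1.4",
     "owner": "Storage Lead", "last_reviewed": "2024-06-30", "audience": ""},
    {"id": "SOP-005", "name": "Change management", "version": "5.1",
     "owner": "CAB Chair", "last_reviewed": "2024-12-20", "audience": "all-staff"},
]

# Constructed review log: one event per review, with reviewer and disposition.
REVIEW_LOG = [
    {"id": "SOP-001", "date": "2024-11-02", "reviewer": "A. Example", "disposition": "confirmed current"},
    {"id": "SOP-002", "date": "2023-09-15", "reviewer": "B. Example", "disposition": "updated"},
    {"id": "SOP-003", "date": "2025-01-10", "reviewer": "", "disposition": "updated"},
    {"id": "SOP-004", "date": "2024-06-30", "reviewer": "C. Example", "disposition": "confirmed current"},
    {"id": "SOP-005", "date": "2024-12-20", "reviewer": "D. Example", "disposition": "updated"},
]

AS_OF = date(2025, 3, 1)            # assumed audit date
REVIEW_INTERVAL = timedelta(days=365)  # assumed "defined interval" (12 months)


def check_procedure(proc, as_of=AS_OF, interval=REVIEW_INTERVAL):
    """Apply the four checks of the first evidence test to one procedure.

    Returns a list of findings; an empty list means the procedure passes.
    """
    findings = []
    if not proc.get("version"):
        findings.append("no version number")
    reviewed = proc.get("last_reviewed")
    if not reviewed or as_of - date.fromisoformat(reviewed) > interval:
        findings.append("last review outside defined interval")
    if not proc.get("owner"):
        findings.append("no named owner")
    if not proc.get("audience"):
        findings.append("no access control / audience setting")
    return findings


def check_review_log(log, procedures, as_of=AS_OF, interval=REVIEW_INTERVAL):
    """Apply the second evidence test: every procedure needs a review event
    within the interval, and each such event needs a named reviewer.

    Returns a dict mapping procedure id to a list of findings.
    """
    findings = {}
    for proc in procedures:
        events = [e for e in log
                  if e["id"] == proc["id"]
                  and as_of - date.fromisoformat(e["date"]) <= interval]
        issues = []
        if not events:
            issues.append("no review event within defined interval")
        elif any(not e.get("reviewer") for e in events):
            issues.append("review event without named reviewer")
        findings[proc["id"]] = issues
    return findings


def assess(procedures=PROCEDURES, log=REVIEW_LOG, as_of=AS_OF):
    """Combine both tests into one findings report keyed by procedure id."""
    log_findings = check_review_log(log, procedures, as_of)
    return {p["id"]: check_procedure(p, as_of) + log_findings[p["id"]]
            for p in procedures}


if __name__ == "__main__":
    for proc_id, issues in assess().items():
        status = "OK" if not issues else "; ".join(issues)
        print(f"{proc_id}: {status}")
```

The checks are deliberately separate from the verdict: an auditor will usually want to see which of the four criteria a procedure misses, and a procedure that was updated after a process change (the third point of the second test) still shows up here as an ordinary review event that must fall within the interval.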

Questions (2)

boolean

Are operating procedures for critical information processing activities documented, version-controlled, and made available to the personnel who need them?

Each procedure should carry a version number, a named owner, and a last-reviewed date within the defined interval (typically 12 months).

multi

Which of the following critical process areas have documented operating procedures that are actively maintained?

Access provisioning and deprovisioning
Patch and vulnerability management
Incident response
Backup and recovery
Change management
Secure software development lifecycle (SDLC)
None of the above have documented procedures

Select all that apply and be prepared to provide the procedure documents with version history. Fewer than three covered areas would be considered a material gap.