Examples of Procedures


Examples of (General) Management System (MS) Procedures


Procedure MS-1 - Control of Documents

Procedure MS-2 - Control of Records

Procedure MS-3 - Internal Audit

Procedure MS-4 - Response to Non-Conformity or Incident (including Corrective Action)

Procedure MS-5 - Management Review - NO EXAMPLE; SEE THE NOTE BELOW.

Procedure MS-6 - Preventive Action [Implements requirements in ISO 41001:2018, Section 10.3 and ISO 55001:2014, Section 10.2]


NOTE

There is no explicit requirement to have any of the above procedures but it is useful to implement them anyway, particularly if your management system must be certified against two or more management system standards. Additionally, internal audits can be done against the procedures, rather than against the standard(s).

Procedure MS-5 - Management Review must be customised, according to the nature and operation of your business, and according to which standards your management system must be certified.


Examples of (General) Business Management (BM) Procedures


Procedure BM-1 - Starting and Finishing a Role

Procedure BM-2 - Internal and External Communications - NO EXAMPLE; SEE THE NOTE BELOW.


NOTE

There is no explicit requirement to have the above two procedures but it is useful to implement them anyway, particularly if your management system must be certified against two or more management system standards. Additionally, internal audits can be done against the procedures, rather than against the standard(s).

Procedure BM-2 - Internal and External Communications must be customised, according to the nature and operation of your business, and according to which standards your management system must be certified.


Examples of Information Security (IS) Procedures


Procedure IS-1 - Information Security Basics

Procedure IS-2 - Working in Secure Areas

Procedure IS-3 - Network Management

Procedure IS-4 - Mobile Computing

Procedure IS-5 - Backups

Procedure IS-6 - Access Control and Rights Review

Procedure IS-7 - Intellectual Property

Procedure IS-8 - Manage Provider

Procedure IS-9 - Change Control - NO EXAMPLE; SEE THE NOTE BELOW.


NOTE

Procedure IS-9 - Change Control implements ISO 27001, Control A.12.1.2 - Change management. This particular control does not itself specify a requirement for a procedure. However, it is the second of four controls of the group A.12.1 - Operational procedures and responsibilities. The first control of this group is A.12.1.1 - Documented operating procedures, which specifies “Operating procedures shall be documented and made available to all users who need them”. Consequently, it is a good idea to implement A.12.1.2 as (part of) a procedure.

Procedure IS-9 - Change Control must be customised, according to the nature and operation of your business.


Examples of Data Protection (DP) Procedures


COMING SOON ---> Procedure DP-1 - Data Protection Impact Assessment (DPIA)

COMING SOON ---> Procedure DP-2 - Data Subject Access Request (DSAR)

COMING SOON ---> Procedure DP-3 - Notification of Rights and Processing