Examples of Procedures
Examples of (general) Management System (MS) Procedures
Procedure MS-1 - Control of Documents
Procedure MS-2 - Control of Records
Procedure MS-3 - Internal Audit
Procedure MS-4 - Response to Non-Conformity or Incident (including Corrective Action)
Procedure MS-5 - Management Review - NO EXAMPLE; SEE THE NOTE BELOW.
Procedure MS-6 - Preventive Action [Implements requirements in ISO 41001:2018, Section
10.3 and ISO 55001:2014, Section 10.2]
NOTE
There is no explicit requirement to have any of the above procedures, but it is useful
to implement them anyway, particularly if your management system must be certified
against two or more management system standards. Additionally, internal audits can
be done against the procedures, rather than against the standard(s).
Unlike many of the example procedures here, Procedure MS-5 - Management Review will
be customised according to the nature and operation of your business and according
to the standards against which your management system must be certified.
Examples of (general) Business Management (BM) Procedures
Procedure BM-1 - Starting and Finishing a Role
Procedure BM-2 - Internal and External Communications - NO EXAMPLE; SEE THE NOTE
BELOW.
NOTE
There is no explicit requirement to have the above two procedures, but it is useful
to implement them anyway, particularly if your management system must be certified
against two or more management system standards. Additionally, internal audits can
be done against the procedures, rather than against the standard(s).
Unlike many of the example procedures here, Procedure BM-2 - Internal and External
Communications will be customised according to the nature and operation of your
business and according to the standards against which your management system must be certified.
Examples of Information Security (IS) Procedures
Procedure IS-1 - Information Security Basics
Procedure IS-2 - Working in Secure Areas
Procedure IS-3 - Network Management
Procedure IS-4 - Mobile Computing
Procedure IS-5 - Backups
Procedure IS-6 - Access Control and Rights Review
Procedure IS-7 - Intellectual Property
Procedure IS-8 - Manage Provider
Procedure IS-9 - Change Control - NO EXAMPLE; SEE THE NOTE BELOW.
NOTE
Procedure IS-9 - Change Control implements ISO 27001, Control A.12.1.2 - Change management.
This particular control does not itself specify a requirement for a procedure. However,
it is the second of four controls of the group A.12.1 - Operational procedures and
responsibilities. The first control of this group is A.12.1.1 - Documented operating
procedures, which specifies “Operating procedures shall be documented and made available
to all users who need them”. Consequently, it is a good idea to implement A.12.1.2
as (part of) a procedure.
Unlike many of the example procedures here, Procedure IS-9 - Change Control will
be customised according to the nature and operation of your business.
Examples of Data Protection (DP) Procedures
Procedure DP-1 - Data Protection Impact Assessment (DPIA) - COMING SOON
Procedure DP-2 - Data Subject Access Request (DSAR) - COMING SOON
Procedure DP-3 - Notification of Rights and Processing - COMING SOON