Examples of Procedures
Examples of (General) Management System (MS) Procedures
Procedure MS-1 - Control of Documents
Procedure MS-2 - Control of Records
Procedure MS-3 - Internal Audit
Procedure MS-4 - Response to Non-Conformity or Incident (including Corrective Action)
Procedure MS-5 - Management Review - NO EXAMPLE; SEE THE NOTE BELOW.
Procedure MS-6 - Preventive Action [Implements requirements in ISO 41001:2018, Section
10.3 and ISO 55001:2014, Section 10.2]
NOTE
There is no explicit requirement to have any of the above procedures but it is useful
to implement them anyway, particularly if your management system must be certified
against two or more management system standards. Additionally, internal audits can
be done against the procedures, rather than against the standard(s).
Procedure MS-5 - Management Review must be customised according to the nature and
operation of your business, and according to the standards against which your
management system must be certified.
Examples of (General) Business Management (BM) Procedures
Procedure BM-1 - Starting and Finishing a Role
Procedure BM-2 - Internal and External Communications - NO EXAMPLE; SEE THE NOTE
BELOW.
NOTE
There is no explicit requirement to have the above two procedures but it is useful
to implement them anyway, particularly if your management system must be certified
against two or more management system standards. Additionally, internal audits can
be done against the procedures, rather than against the standard(s).
Procedure BM-2 - Internal and External Communications must be customised according
to the nature and operation of your business, and according to the standards against
which your management system must be certified.
Examples of Information Security (IS) Procedures
Procedure IS-1 - Information Security Basics
Procedure IS-2 - Working in Secure Areas
Procedure IS-3 - Network Management
Procedure IS-4 - Mobile Computing
Procedure IS-5 - Backups
Procedure IS-6 - Access Control and Rights Review
Procedure IS-7 - Intellectual Property
Procedure IS-8 - Manage Provider
Procedure IS-9 - Change Control - NO EXAMPLE; SEE THE NOTE BELOW.
NOTE
Procedure IS-9 - Change Control implements ISO/IEC 27001:2013, Control A.12.1.2 -
Change management. This particular control does not itself specify a requirement
for a procedure. However, it is the second of four controls of the group A.12.1 -
Operational procedures and responsibilities. The first control of this group is A.12.1.1
- Documented operating procedures, which specifies “Operating procedures shall be
documented and made available to all users who need them”. Consequently, it is a
good idea to implement A.12.1.2 as (part of) a procedure.
Procedure IS-9 - Change Control must be customised, according to the nature and operation
of your business.
Examples of Data Protection (DP) Procedures
COMING SOON ---> Procedure DP-1 - Data Protection Impact Assessment (DPIA)
COMING SOON ---> Procedure DP-2 - Data Subject Access Request (DSAR)
COMING SOON ---> Procedure DP-3 - Notification of Rights and Processing