ISO/IEC 27001 Control 5.37: Documented operating procedures


Operating procedures for information processing facilities should be documented and made available to personnel who need them.

Necessity of MidPoint

MidPoint is optional for implementation of this control.

Implementation of this control without midPoint is feasible. However, midPoint provides considerable advantages for implementation of this control, making the implementation more efficient and reliable.

Implementation Overview

MidPoint has built-in documentation capabilities that assist in documenting operation procedures and responsibilities.

Implementation Details

MidPoint identity model provides capability to set business-oriented description for any object. This is especially useful for applications, application and business roles and other objects related to operational procedures. The description may be used to specify details about business and operational usage of the object. Moreover, midPoint integral documentation (midScribe) allows attaching configuration documentation to midPoint objects, assisting in system administration procedures. Support and escalation contacts in operational procedures may be specified using group or organizational membership, using midPoint organizational structure. This avoids a need to update operational procedures every time a person is reassigned. Roles and responsibilities regarding identity governance procedures can be specified using role governance mechanisms, e.g. using concept of role owner in operational procedures instead of using concrete person names.

Implementation Notes

  • The control mentions access to audit trail and system log information. Both mechanisms are available in midPoint.

Was this page helpful?
Thanks for your feedback