Monday, June 3, 2019

How to Write a Procedure

Before we get into the "how" of procedures, let's review the "why". Robust procedures allow an organization to deliver its products and services faster, with better quality and at lower cost. Specifically, procedures:

  • Provide users with the necessary support on how to use security controls
  • Drive process improvements by uncovering gaps
  • Improve consistency in operations
  • Reduce errors and omissions
  • Support business continuity
  • Accelerate the on-boarding of newly hired or transferred personnel

To help you build a procedure culture at your organization:

  1. Be a role model - InfoSec owns many security procedures; use those as examples for your colleagues.
  2. Get executive management support - Present the business benefits of procedures and find case studies of companies in your sector that use procedures effectively. This can be broader than InfoSec. Add a procedure metric to your InfoSec scorecard.
  3. Use your organization's work queue management process, such as a Scrum backlog, to elevate procedure writing activities.
  4. Train key personnel in various departments on how to write good procedures. They can be your champions.
  5. Hire a facilitator to guide procedure planning sessions and wordsmith SME first drafts.



Here is the template that will help you define a procedure. Please note that a single control may have multiple procedures, since the way a control is implemented can differ by technology and by organizational unit.

Italicized verbiage in brackets [ ] is instructions and examples on how to complete the template.

You should delete all verbiage in brackets [ ] once you have completed your specific procedure.

Purpose of Defining Standard Operating Procedures

The purpose of documenting a procedure is to provide detailed instructions on how to perform a set of tasks. Well written procedures:

  • Ensure consistency among team members, which reduces errors and omissions
  • Expedite onboarding of new and temporary resources
  • Capture institutional knowledge, which is critical in small organizations that may have a single subject matter expert for many topics
  • Support business continuity
  • Satisfy the organization’s policies, third party contracts and regulations

Just as importantly, the process of reviewing and documenting a procedure often highlights process improvements that enhance customer service and reduce costs.

Scope of Template

This template is intended for all operational procedures that any department creates. All information security and compliance related procedures must use this template.

Instructions for the Author who will complete the template

  1. Please complete all sections of the template, following the additional instructions embedded in each section.

     TIP: You may want to have a working session with other team members to work out the process before documenting it.

  2. Once written, please forward your draft to your manager and colleagues for review. Expect that there will be revisions.

     TIP: A good way to ensure that the procedure is complete is to use it on a trial basis for a short period and note differences in practice.

  3. Once you are satisfied with your procedure, forward all procedures that support information security and compliance to Information Security, who will provide feedback. For new procedures and significant updates, this review is often an iterative process.

  4. Once Information Security has signed off, ask your Department Leader to review and provisionally approve. If your Department Leader has changes, please follow Steps 1 – 4.

  5. Once approved, update the effective date and review date, and ask Information Security and the Department Leader to sign using the organization’s standard method, so that interested parties such as employees and auditors know that the procedure has been approved. Forward the signed procedure to Information Security.

  6. Once signed, publish to your departmental repository.

  7. Add a reminder to your departmental calendar to review the procedure a few weeks before the annual review date.

  8. Review the new procedure or significant update with team members at a regular or special meeting.

  9. If it is a new procedure or a significant update to an existing procedure, check in with process participants for feedback after a few weeks. Revise as needed, following Steps 2 – 8.

  10. Annually, review the procedure. There may be a change to the organization’s policy or the operating environment that warrants an update to the procedure.

     • If updates are required, follow Steps 1 – 9.

     • If no updates are required, record in the Document History section that the review was completed, along with the rationale, and follow Steps 3 – 7.

Please provide your feedback on how to improve this template and its instructions.



Title of Document

[Procedure Template – Use organization’s naming standard]


Owner of Document (Department & Role)

[Template Owner: Information Security / CIO

Please update to add who owns your procedure and avoid specific persons in case their role changes.]

Effective Date

[Procedure Template: Date

Once approved and published]

Date for next review

[Procedure Template: Date;

No longer than 1 year until next review]

Approved by (Name, Department, Title)

[Procedure Template]

Policy or other Procedure References

[Procedure template: Governance Policy.

 List all Policies that the procedure supports]


[Instructions: Briefly describe the procedure’s business objectives and rationale. This may include service level goals if appropriate.

Example: The purpose of the mail room procedure is to ensure:

  • Timely processing of mail (mail processed within 1 business day)

  • Secure processing of mail (reduce the risk of lost, stolen or inappropriately viewed mail)

This matters because customer insurance applications, complaints, customer requests and critical third party notices may be received by mail.]


[Instructions: Define what functions or assets are covered by the procedure. It is also helpful to describe what is not covered (what is out-of-scope). As you develop your detailed procedure the scope section may need revision.

Example: In-scope: USPS, third party carriers, hand delivered external documents, internal mail

Out-of-scope: Package handling will be covered in the next iteration of this procedure.]

Roles and Responsibilities

Role (job function)
[Instructions: List all roles who will participate in the process and a summary of their responsibility for this procedure.  Remember to update this section after you have defined your detailed procedure to ensure all participants are included.]

Detailed Procedure

[Instructions: The steps you document should provide sufficient detail to guide a person newly assigned to perform the procedure without supervision. As an expert, you will find it tedious to put in all the little details a new person may need, but it is critical to success. Remember to define for each task:

  • Who will perform the task

  • When the person will perform the task (specific time, frequency)

  • Where the person will perform the task

  • What tools will be used

  • How to perform the task, including hand-offs and deliverables as needed]


Process Flow Diagram


[Instructions: Insert a high-level process flow diagram. Label it consistently with the procedure steps outlined in the previous section.

Where many different departments participate, a swim-lane diagram is often helpful.]

Document History

Activity (Author, Reviewer, Approver)

Who (Name, Title, Department) – List All
[Instructions: Capture document activities here. Include who authored including revisions, who reviewed and who approved. Please include Name, Title, Department and Date.]




