Documentation requirements

1. How does ISO 27001 define an SOP? Is it methods of installation and setup?

Answer: ISO 27001 main clauses do not prescribe Standard operating procedures (SOPs), only that some types of information must be documented and managed (e.g., ISMS scope, Information Security Policy, Information Security Risk Assessment and Treatment processes, etc.), but the implementation of some controls from ISO 27001 Annex A may require the documentation of methods of installation and setup.

These materials will provide you further information:
- Document management in ISO 27001 & BS 25999-2 https://advisera.com/27001academy/blog/2010/03/30/document-management-within-iso-27001-bs-25999-2/
- Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/

2 - Do I need to do an SOP for every application we use here at XXX?

Answer: You only need to develop a document related to ISO 27001 if:
- it is required by th e main clauses of the standard
- it is a part of the implementation of controls identified as applicable in your Statement of Applicability
- it is required by top management

So, if none of the above conditions happen, you do not have to develop a SOP.

This article will provide you further information:
- 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/

By the way, all the needed documents for implementing ISO 27001 are included in the toolkit, and that in the List of documents file included in the toolkit you can see which document is mandatory.

>1 - One of the mandatory documents in the list in the toolkit is “Operating Procedures for IT Management”, is this not the same as an SOP?

Answer: I'm assuming you are referring to the "Security Procedures for IT Department" template, located on folder 08 Annex A Security Controls ==> A.12 Operations Security

Considering that, you can call this document a SOP, because it defines activities and responsibilities to ensure correct and secure functioning of information and communication technology.

>2 - Sorry if I may have missed your point but does this mean that an Operating Procedure is only required for specific controls within our ISMS, such as backup procedures and SIEM tools etc?

Answer: Your understanding is correct. Documents such as policies and procedures are required only when related controls identified as applicable in your Statement of Applicability demand documentation. Examples are controls A.9.1.1 Access control policy, and A.12.1.1 Documented operating procedures. Regarding backup, control A.12.3.1 Information backup does not require procedures to be documented, only that backup copies are taken and tested regularly (in this case documentation is more a question of good practice).