OPS-01.1: Standardized Operating Procedures (SOP)
Mechanisms exist to identify and document Standardized Operating Procedures (SOP), or similar documentation, to enable the proper execution of day-to-day / assigned tasks.
Control Question: Does the organization identify and document Standardized Operating Procedures (SOP), or similar documentation, to enable the proper execution of day-to-day / assigned tasks?
General (37)
| Framework | Mapping Values |
|---|---|
| AICPA TSC 2017:2022 (used for SOC 2) (source) | CC2.2 CC5.1 CC5.3 CC5.3-POF3 CC7.2-POF1 |
| BSI Standard 200-1 | 4.2 |
| COBIT 2019 | APO01.09 DSS01.01 |
| COSO 2017 | Principle 10 Principle 12 Principle 14 |
| IMO Maritime Cyber Risk Management | 3.6 |
| ISO 22301 2019 | 8.1 8.4.2.1 8.4.2.2 8.4.2.3 8.4.2.4 8.4.5 |
| ISO 27001 2022 (source) | 8.1 |
| ISO 27002 2022 | 5.37 |
| ISO 27017 2015 | 7.2.2 12.1.1 CLD.12.1.5 |
| ISO 27701 2025 | 8.1 |
| ISO 42001 2023 | 7.5.1 7.5.1(a) 7.5.1(b) 7.5.2 7.5.3 7.5.3(a) 7.5.3(b) A.6.2.7 A.6.2.8 |
| MPA Content Security Program 5.1 | OR-1.0 OR-3.0 OP-2.0 PS-2.0 TS-1.5 TS-2.4 TS-2.6 TS-2.8 TS-2.11 TS-3.0 |
| NIST AI 100-1 (AI RMF) 1.0 | GOVERN 1.0 GOVERN 1.2 GOVERN 1.3 GOVERN 1.4 GOVERN 3.2 GOVERN 4.1 GOVERN 5.1 GOVERN 6.0 GOVERN 6.1 MAP 3.5 |
| NIST AI 600-1 | GOVERN 1.2 GOVERN 1.3 GV-1.5-002 |
| NIST Privacy Framework 1.0 | GV.MT-P3 GV.MT-P4 GV.MT-P5 GV.MT-P6 GV.MT-P7 CT.PO-P1 CT.PO-P2 CT.PO-P3 CM.PO-P1 CM.AW-P1 |
| NIST 800-53 R5 (source) | SA-8(32) |
| NIST 800-53 R5 (NOC) (source) | SA-8(32) |
| NIST 800-160 | 3.4.12 |
| NIST 800-171 R3 (source) | 03.15.01.a |
| NIST 800-171A R3 (source) | A.03.15.01.a[03] A.03.15.01.a[04] A.03.15.01.b[01] A.03.15.01.b[02] |
| NIST 800-218 | PO.3.2 PO.4.2 |
| NIST CSF 2.0 (source) | ID.IM |
| PCI DSS 4.0.1 (source) | 1.1.1 2.1.1 3.1.1 3.7 3.7.1 3.7.2 3.7.3 3.7.5 3.7.6 3.7.7 3.7.8 4.1.1 5.1.1 6.1.1 6.5.1 7.1.1 8.1.1 8.3.8 9.1.1 9.3.2 10.1.1 11.1.1 |
| PCI DSS 4.0.1 SAQ A (source) | 3.1.1 |
| PCI DSS 4.0.1 SAQ A-EP (source) | 1.1.1 2.1.1 3.1.1 4.1.1 5.1.1 6.1.1 6.5.1 8.1.1 8.3.8 |
| PCI DSS 4.0.1 SAQ B (source) | 3.1.1 |
| PCI DSS 4.0.1 SAQ B-IP (source) | 3.1.1 8.1.1 9.1.1 |
| PCI DSS 4.0.1 SAQ C (source) | 2.1.1 3.1.1 5.1.1 6.5.1 8.1.1 8.3.8 9.1.1 10.1.1 |
| PCI DSS 4.0.1 SAQ C-VT (source) | 2.1.1 3.1.1 8.1.1 9.1.1 |
| PCI DSS 4.0.1 SAQ D Merchant (source) | 1.1.1 2.1.1 3.1.1 3.7.1 3.7.2 3.7.3 3.7.5 3.7.6 3.7.7 3.7.8 4.1.1 5.1.1 6.1.1 6.5.1 7.1.1 8.1.1 8.3.8 9.1.1 9.3.2 10.1.1 11.1.1 |
| PCI DSS 4.0.1 SAQ D Service Provider (source) | 1.1.1 2.1.1 3.1.1 3.7.1 3.7.2 3.7.3 3.7.5 3.7.6 3.7.7 3.7.8 4.1.1 5.1.1 6.1.1 6.5.1 7.1.1 8.1.1 8.3.8 9.1.1 9.3.2 10.1.1 11.1.1 |
| PCI DSS 4.0.1 SAQ P2PE (source) | 3.1.1 9.1.1 |
| TISAX ISA 6 | 9.8.1 |
| SCF CORE Mergers, Acquisitions & Divestitures (MA&D) | OPS-01.1 |
| SCF CORE ESP Level 1 Foundational | OPS-01.1 |
| SCF CORE ESP Level 2 Critical Infrastructure | OPS-01.1 |
| SCF CORE ESP Level 3 Advanced Threats | OPS-01.1 |
US (19)
| Framework | Mapping Values |
|---|---|
| US C2M2 2.1 | ASSET-4.C.MIL2 ASSET-5.A.MIL2 THREAT-3.A.MIL2 RISK-5.A.MIL2 ACCESS-4.A.MIL2 SITUATION-4.A.MIL2 RESPONSE-5.A.MIL2 THIRD-PARTIES-3.A.MIL2 WORKFORCE-4.A.MIL2 ARCHITECTURE-5.A.MIL2 PROGRAM-3.A.MIL2 |
| US CERT RMM 1.2 | GG2.GP2 GG2.GP4 GG3.GP1 OPD:SG1.SP4 OPD:SG1.SP5 OPD:SG1.SP6 OPF:SG3.SP1 OPF:SG3.SP2 OPF:SG3.SP4 |
| US Data Privacy Framework (DPF) | II.7.a.ii |
| US DoD Zero Trust Execution Roadmap | 6.7.1 |
| US DFARS Cybersecurity 252.204-70xx | 252.204-7008 252.204-7012 |
| US DHS ZTCF | SEC-03 |
| US FDA 21 CFR Part 11 | 11.10 11.10(f) 11.10(k) 11.10(k)(1) 11.10(k)(2) |
| US GLBA CFR 314 2023 (source) | 314.4(c)(7) 314.4(c)(8) 314.4(e) |
| US HIPAA Administrative Simplification 2013 (source) | 164.310(b) 164.316(b)(2)(ii) |
| US HIPAA Security Rule / NIST SP 800-66 R2 (source) | 164.310(b) 164.316(b)(2)(ii) |
| US HIPAA HICP Small Practice | 4.S.B |
| US HIPAA HICP Medium Practice | 8.M.A |
| US HIPAA HICP Large Practice | 8.M.A 8.L.A |
| US IRS 1075 | 2.C.2 |
| US NERC CIP 2024 (source) | CIP-006-6 1.1 |
| US SSA EIESR 8.0 | 5.2 |
| US TSA / DHS 1580/82-2022-01 | III.D |
| US - NV NOGE Reg 5 | 5.260.6 |
| US - NY DFS 23 NYCRR500 2023 Amd 2 | 500.2(b)(2) 500.3 500.8(a) |
EMEA (10)
| Framework | Mapping Values |
|---|---|
| EMEA EU EBA GL/2019/04 | 3.4.2.(31) 3.4.2(31)(a) 3.4.2(31)(b) 3.4.2(31)(c) 3.4.2(31)(d) 3.4.2(31)(e) 3.4.2(31)(f) 3.4.2(31)(g) 3.4.5(38) 3.5(50) |
| EMEA EU DORA | 6.2 9.2 9.4(e) |
| EMEA EU NIS2 Annex | 7.1 9.1 |
| EMEA Germany C5 2020 | SP-01 IDM-02 |
| EMEA Israel CDMO 1.0 | 12.2 12.3 18.2 22.2 |
| EMEA Saudi Arabia IoT CGIoT-1 2024 | 1-2-1 |
| EMEA Spain BOE-A-2022-7191 | 13.2(d) 13.4 22.2 |
| EMEA Spain 311/2022 | 13.2(d) 13.4 22.2 |
| EMEA Spain CCN-STIC 825 | 6.3 [ORG.3] |
| EMEA UK DEFSTAN 05-138 | 1100 2100 2101 |
APAC (6)
| Framework | Mapping Values |
|---|---|
| APAC China Privacy Law | 51 51(1) 51(2) 51(3) 51(4) 51(5) 51(6) |
| APAC India SEBI CSCRF | PR.AA.S14 PR.IP.S7 RC.RP.S4 |
| APAC Japan ISMAP | 4.5.4 4.5.4.1 4.5.4.2 4.5.4.3 4.5.4.4 4.8 7.2.2.19.PB 12.1.1 12.1.5.P |
| APAC New Zealand HISF 2022 | HSUP01 |
| APAC New Zealand HISF Suppliers 2023 | HSUP01 |
| APAC New Zealand NZISM 3.6 | 3.4.12.C.01 3.4.12.C.02 5.1.11.C.01 5.1.13.C.01 5.5.3.C.01 5.5.4.C.01 5.5.5.C.01 5.5.6.C.01 |
Americas (2)
| Framework | Mapping Values |
|---|---|
| Americas Canada OSFI B-13 | 2.2.1 2.8 3 |
| Americas Canada ITSP-10-171 | 03.15.01.A |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to identify and document Standardized Operating Procedures (SOP), or similar documentation, to enable the proper execution of day-to-day / assigned tasks.
Level 1 — Performed Informally
Security Operations (OPS) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, of the following criteria to exist:
- Cybersecurity operations are decentralized.
- The responsibility for developing and operating cybersecurity and data privacy procedures is left to the business process owner(s) to determine, including the definition and enforcement of roles and responsibilities.
Level 2 — Planned & Tracked
Security Operations (OPS) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, of the following criteria to exist:
- Security operations management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
- IT/cybersecurity personnel identify cybersecurity and data protection controls to address applicable statutory, regulatory and contractual requirements for security operations.
- Administrative processes focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.
- Critical business functions are documented in “run books” or Standardized Operating Procedures (SOPs) to capture operational knowledge in documentation form.
Level 3 — Well Defined
Security Operations (OPS) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, of the following criteria to exist:
- A Security Operations Center (SOC), or similar function, manages cybersecurity operations that cover preparation, detection and analysis, containment, eradication and recovery.
- Procedures are standardized across the enterprise to ensure uniformity and consistent execution. These Standardized Operating Procedures (SOP) identify and document day-to-day procedures to enable the proper execution of assigned tasks.
- Line of Business (LOB) stakeholders are identified and tasked with documenting business-critical functions in “run books,” or SOPs, to capture the knowledge in documentation form from both a business and technology perspective.
Level 4 — Quantitatively Controlled
Security Operations (OPS) efforts are metrics-driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, of the following criteria to exist:
- Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
- Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
- Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
- Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
- Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
- Both business and technical stakeholders are involved in reviewing and approving proposed changes.
Level 5 — Continuously Improving
See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to identify and document Standardized Operating Procedures (SOP), or similar documentation, to enable the proper execution of day-to-day / assigned tasks.
Assessment Objectives
- OPS-01.1_A01 procedures needed to satisfy the security requirements for the protection of sensitive / regulated data are developed and documented.
- OPS-01.1_A02 procedures needed to satisfy the security requirements for the protection of sensitive / regulated data are disseminated to organizational personnel or roles.
- OPS-01.1_A03 the current cybersecurity / data privacy procedures are reviewed / updated frequently.
- OPS-01.1_A04 the current cybersecurity / data privacy procedures are reviewed / updated following events.
- OPS-01.1_A05 personnel or roles to whom cybersecurity / data privacy procedures are to be disseminated is/are defined.
- OPS-01.1_A06 events that would require procedures to be reviewed / updated are defined.
- OPS-01.1_A07 systems or system components that implement the security design principle of sufficient documentation are defined.
- OPS-01.1_A08 systems or system components implement the security design principle of sufficient documentation.
- OPS-01.1_A09 policies and procedures are reviewed per an organization-defined frequency.
- OPS-01.1_A10 policies and procedures are updated per an organization-defined frequency.
- OPS-01.1_A11 procedures needed to satisfy the security requirements for the protection of CUI are developed and documented.
- OPS-01.1_A12 procedures needed to satisfy the security requirements for the protection of CUI are disseminated to organizational personnel or roles.
- OPS-01.1_A13 policies and procedures are reviewed <A.03.15.01.ODP[01]: frequency>.
- OPS-01.1_A14 policies and procedures are updated <A.03.15.01.ODP[01]: frequency>.
Evidence Requirements
- E-GOV-11 Cybersecurity & Data Protection Procedures
  Documented evidence of appropriately-scoped cybersecurity & data protection procedures. Procedures are a documented set of steps necessary to perform a specific task or process in conformance with an applicable standard. Procedures help address the question of how the organization actually operationalizes a policy, standard or control. The result of a procedure is intended to satisfy a specific control. Procedures are also commonly referred to as “control activities.”
Cybersecurity & Data Protection Management
Technology Recommendations
Micro/Small
- Documented Standardized Operating Procedures (SOP)
- ComplianceForge - Cybersecurity Standardized Operating Procedures (CSOP)
Small
- Documented Standardized Operating Procedures (SOP)
- ComplianceForge - Cybersecurity Standardized Operating Procedures (CSOP)
Medium
- Documented Standardized Operating Procedures (SOP)
- ComplianceForge - Cybersecurity Standardized Operating Procedures (CSOP)
Large
- Documented Standardized Operating Procedures (SOP)
- ComplianceForge - Cybersecurity Standardized Operating Procedures (CSOP)
Enterprise
- Documented Standardized Operating Procedures (SOP)
- ComplianceForge - Cybersecurity Standardized Operating Procedures (CSOP)