Definition (EN)
A procedure is a documented set of steps that describes how a specific activity or process is to be performed.
Explanation (EN)
A procedure provides detailed instructions to ensure activities are carried out in a consistent, controlled, and repeatable manner.
Procedures translate policy requirements and control objectives into concrete actions and responsibilities.
They are typically role-specific, operational in nature, and support the effective implementation and monitoring of controls.
Procedures should be documented, communicated to relevant personnel, and reviewed regularly to ensure continued suitability and effectiveness.
Dutch term (NL)
Procedure
Definition (NL)
A procedure is a documented series of steps that describes how a specific activity or process must be carried out.
Explanation (NL)
A procedure contains detailed instructions for carrying out activities in a consistent, controlled, and repeatable manner.
Procedures translate policy requirements and control objectives into concrete actions and responsibilities.
They are generally operational in nature, role-specific, and support the effective implementation and follow-up of controls.
Procedures must be documented, communicated to relevant personnel, and periodically reviewed to safeguard their suitability and effectiveness.
Source
ISO/IEC 27001:2022 — Information security management systems — Requirements
ISO/IEC 27002:2022 — Information security controls
ISO 9000:2015 — Quality management systems — Fundamentals and vocabulary
Related terms
Policy
Control
Control objective
Evidence
Work instruction
Definition (ComplianceForge Reference Model)
Procedures are a documented set of steps necessary to perform a specific task or process in conformance with an applicable standard.
Procedures help address the question of how the organization actually operationalizes a Policy, Standard or Control.
Without documented procedures, there will be no defensible evidence of due care practices.
Procedures are generally the responsibility of the process owner / asset custodian to build and maintain, but are expected to include stakeholder oversight to ensure applicable compliance requirements are addressed.
The result of a procedure is intended to satisfy a specific Control.
Procedures are also commonly referred to as “control activities.”