The second maturity level, Procedure, assesses whether documented procedures or processes exist that were developed from the policies or standards, and whether they specify how the requirement statement's evaluative elements are applied across the scope of the assessment. Scoring is based upon whether the Assessed Entity's procedures are not defined, undocumented, or documented for each of the corresponding requirement statement elements.

9.2.1 A formal, up-to-date (see Chapter 11.3 Working Papers & Evidence for evidence timeliness requirements), documented procedure will state how to implement the security controls identified by the defined policies.

9.2.2 A documented procedure must address the operational aspects of how to perform all evaluative elements in the requirement statement. The procedure should be at a sufficient level of detail to enable a knowledgeable and qualified individual to perform the requirement.

9.2.3 Procedures document the implementation of the elements of the requirement and the rigor with which they are applied.

9.2.4 The identified procedure(s) must cover all facilities and operations and/or systems within scope of the assessment.

9.2.5 Undocumented procedures are those that are:

(i) Well-understood by those required to implement them and/or adhere to them,
(ii) Consistently observed, and
(iii) Unwritten.

For additional information on assessing the appropriateness of procedures, see Appendix A-10: Policies & Procedures FAQs & Examples.