[Procedure Name]

([PROCEDURE-ID])

1. Purpose

State the purpose of this procedure. This should explain what the procedure is intended to accomplish. For example: “The purpose of this procedure is to describe the process for requesting, establishing, and issuing access changes…”

2. Scope

Define who and what this procedure applies to. For example: “This procedure applies to all requests for access additions and changes for systems X, Y, and Z.”

3. Overview

Provide a brief, high-level summary of the procedure from start to finish. For example: “This procedure ensures timely action relating to requesting, establishing, and issuing access changes to Company business applications…”

4. Procedure

Provide the detailed, step-by-step instructions for carrying out the procedure. The table format is standard.

| Step | Who | What |
|------|-----|------|
| 1 | [e.g., Requestor] | [Describe the action to be taken in this step.] |
| 2 | [e.g., Manager] | [Describe the action to be taken in this step.] |
| 3 | [e.g., System Administrator] | [Describe the action to be taken in this step.] |

5. Standards Compliance

This section maps the procedure steps to specific controls from relevant information security standards.

| Procedure Step(s) | Standard/Framework | Control Reference |
|-------------------|--------------------|-------------------|
| [e.g., 1-3] | [e.g., ISO/IEC 27001:2022] | [e.g., A.5.18] |
| [e.g., 3] | [e.g., PCI-DSS v4.0] | [e.g., Req. 7.2.2] |

6. Artifact(s)

Describe the record or evidence that is created upon completion of the procedure. For example: “A completed and approved access request issue in the tracking system.”

7. Definitions

Define any specialized terms, acronyms, or phrases used in the procedure. If none, state “N/A”.

[Term 1]: [Definition of the term.]

[Term 2]: [Definition of the term.]

8. Responsibilities

Clearly assign responsibility for various aspects of the procedure.

| Role | Responsibility |
|------|----------------|
| [Role Title] | [Describe the specific responsibilities for this role.] |
| [Role Title] | [Describe the specific responsibilities for this role.] |