Blog · June 2, 2026 · 11 min read
Which Compliance Frameworks Require Documented Procedures?
A plain-language guide to the IT, data, and security frameworks that require documented procedures: SOC 2, ISO 27001, HIPAA, PCI DSS, GDPR, and ISO 20000, and what each one actually expects.
- Compliance
- SOPs
- ISO 27001
- SOC 2
- Security
- Documentation

Almost every major information-security and data-privacy framework requires documented procedures. SOC 2, ISO/IEC 27001, HIPAA, PCI DSS, GDPR, and ISO/IEC 20000 all expect you to write down how you protect data and run your controls, then keep records that prove you actually followed what you wrote. The exact wording differs, but the shape of the requirement is the same across all of them: documented procedures plus evidence they were used.
This guide names each framework precisely, classifies it correctly (the difference between a certification, an attestation, and a regulation matters more than people think), and explains what documentation each one demands. If you are heading into an audit and want a straight answer to "which frameworks require SOPs," start here.
Key takeaways
- Documented procedures are a baseline expectation across SOC 2, ISO 27001, HIPAA, PCI DSS, GDPR, and ISO 20000. None of them lets you operate on undocumented processes that live only in someone's head.
- These frameworks are not all the same kind of thing. ISO 27001 and ISO 20000 are certifications, SOC 2 is an attestation, and HIPAA and GDPR are laws. PCI DSS is a contractual standard.
- SOC 2 is an attestation, not a certification. There is no "SOC 2 certificate"; you receive a CPA's report on your controls.
- The hard part is not writing the document. SOC 2 Type II and PCI DSS v4.0.1 specifically test that your procedures were followed over time, with records to prove it.
- "Say what you do, do what you say, prove it" is the through-line. Keep procedures current and capture evidence, or the audit fails no matter how good the paperwork looks.
Certification vs attestation vs regulation: why the label matters
Before the framework-by-framework breakdown, it helps to sort these into three buckets, because people use the word "certified" for all of them and it is often wrong. The distinction changes who judges you, what you walk away with, and what counts as passing.
A certification means an accredited third party audits you against a published standard and issues a certificate (ISO 27001, ISO 20000). An attestation means a licensed CPA examines your controls and issues a report stating their opinion; there is no certificate (SOC 2). A regulation is a law you must comply with whether or not anyone audits you, and you do not get "certified" in it (HIPAA, GDPR). PCI DSS is a fourth case: a standard you are contractually obligated to meet by the card brands, not a government law.

| Framework | Type | What documentation it requires |
|---|---|---|
| ISO/IEC 27001:2022 | Certification | Documented information (clause 7.5) and documented operating procedures (Annex A control A.5.37) across an information security management system. |
| SOC 2 | Attestation (CPA report) | Documented controls mapped to the Trust Services Criteria, plus evidence the controls operated. No certificate is issued. |
| HIPAA | Regulation (US law) | Written policies and procedures for the Security Rule (45 CFR §164.316), retained six years and reviewed periodically. |
| GDPR | Regulation (EU law) | Data-protection policies (Art 24), Records of Processing Activities (Art 30), and breach-handling procedures (Art 33 and 34). |
| PCI DSS v4.0.1 | Contractual standard | Documented security policies and operational procedures for nearly all 12 requirements, kept current, in use, and known to staff. |
| ISO/IEC 20000-1:2018 | Certification | Documented procedures for IT service management, including incident, problem, change, and release management. |
ISO/IEC 27001: documented information is built into the standard
ISO/IEC 27001:2022 is the international standard for an information security management system (ISMS), and it is a true certification: an accredited body audits you and issues a certificate. Documentation is not an optional bolt-on; it is woven through the standard.
Clause 7.5, documented information, requires you to create, control, and keep up to date the documents your ISMS needs. On top of that, the 93 controls in Annex A include A.5.37, Documented operating procedures, which expects operating procedures for information processing to be written down and made available to the people who need them. In practice you cannot certify to ISO 27001 with undocumented security operations.
SOC 2: an attestation, not a certificate
SOC 2 is an AICPA attestation. A licensed CPA examines your controls and issues a report with their opinion. This is the single most misunderstood point in this whole space, so to be blunt: there is no such thing as a "SOC 2 certificate," and you are not "SOC 2 certified." You have a SOC 2 report. Saying it correctly is itself a small credibility signal in front of auditors and security-savvy customers.
SOC 2 is built on the Trust Services Criteria: Security (always in scope), plus Availability, Processing Integrity, Confidentiality, and Privacy as needed. To get a clean report you document the controls that meet those criteria. The catch is the report type. A Type I report covers whether your controls are suitably designed at a point in time. A Type II report covers whether they operated effectively over a period, usually three to twelve months. Type II is where documentation alone is not enough: the auditor samples evidence to confirm your procedures were actually followed throughout that window.
HIPAA: written policies and procedures are the law
HIPAA is a US regulation governing protected health information, and you do not get "certified" in it; you comply with it. Its Security Rule (45 CFR Part 164) is explicit about documentation. §164.316 requires covered entities and business associates to maintain written policies and procedures, to retain that documentation for six years from its creation or last effective date, and to review and update it periodically as conditions change.
In other words, HIPAA does not just ask you to be secure; it asks you to write down how you are secure, keep those documents for years, and refresh them. Undocumented practice, however good, does not satisfy the rule.
GDPR: accountability means written, demonstrable procedures
GDPR is the EU's data-protection regulation, and like HIPAA it is a law, not a certification, so "GDPR certified" is not a real status (certification schemes under Art 42 exist but are not a general GDPR certificate). What GDPR demands is accountability: under Art 5(2) you must not only comply but be able to demonstrate it.
That demonstration is documentary. Art 24 expects appropriate data-protection policies. Art 30 requires a Record of Processing Activities (RoPA), a written inventory of what personal data you process and why. Articles 33 and 34 require procedures for detecting, documenting, and reporting personal-data breaches, including notifying the supervisory authority within 72 hours where required. If you cannot show the documents, you cannot show accountability.
PCI DSS: "documented and in use" on nearly every requirement
PCI DSS protects payment-card data. It is not a government law; it is a standard the card brands require you to meet by contract. The current version, PCI DSS v4.0.1, became fully mandatory on 31 March 2025, so the older v3.2.1 expectations no longer apply.
Documentation is everywhere in PCI DSS. Nearly every one of its 12 requirements carries a sub-requirement to maintain documented security policies and operational procedures that are kept current, in use, and known to all affected parties. v4.0 sharpened this: it is not enough to have a dusty policy binder; the procedures have to be actively used and demonstrably current. As with SOC 2 Type II, an assessor looks for evidence that the documented process is the process people actually follow.
ISO/IEC 20000 and business continuity
ISO/IEC 20000-1:2018 is the international standard for IT service management (ITSM), and it is a certification like ISO 27001. It expects documented procedures across the service-management lifecycle, including incident, problem, change, and release management. If your service desk and operations teams run on tribal knowledge, you cannot certify.
Worth a brief mention alongside it: ISO 22301, the standard for business continuity management, similarly requires documented plans and procedures so the organisation can keep operating through disruption. Same pattern, different domain.
The common thread: say what you do, do what you say, prove it
Read across all six frameworks and one principle repeats: say what you do, do what you say, prove it. Write the procedure (say what you do), follow it consistently (do what you say), and keep records that show you did (prove it). Auditors and regulators are testing all three, not just the first.

This is why SOC 2 Type II and PCI DSS v4.0.1 matter so much in practice. Both go beyond "is it written down" to "was it followed, over time, with evidence." A perfect policy that nobody uses fails a Type II examination just as surely as having no policy at all. The implication for teams is clear: the documentation has to be current, accessible, and tied to real records, not a one-time deliverable that rots in a shared drive.
That is exactly where keeping operational procedures captured and audit-ready pays off. sopmodo is built around capturing how work is actually done and turning it into a clear written procedure: someone records a walk-through of the real task, the AI drafts ordered steps, and a reviewer edits and exports the result as PDF or DOCX. sopmodo's core audience is shop-floor work, where manufacturing and regulated-production certifications drive the same documentation demands, but operational SOPs and procedures matter for any team facing an audit, and the same habit of capturing the real process and keeping it current is what these frameworks reward.
Frequently asked questions
- Does SOC 2 require documented procedures?
- Is SOC 2 a certification?
- Does HIPAA require written policies and procedures?
- What documentation does ISO 27001 require?
- Do you get certified in GDPR?
- Does PCI DSS require documented procedures?
The bottom line
If you handle data, run IT services, or process payments, documented procedures are not optional. SOC 2, ISO 27001, HIPAA, PCI DSS, GDPR, and ISO 20000 each require written policies and procedures, and they classify differently: ISO 27001 and ISO 20000 are certifications, SOC 2 is an attestation with no certificate, and HIPAA and GDPR are laws, while PCI DSS is a contractual standard. The framework that trips teams up is the one they thought they understood, so get the labels right. Above all, remember the shape of every requirement: write the procedure, follow it, and keep the evidence. Say what you do, do what you say, prove it.