Are standard operating procedures (SOPs) valued across industries?


CISO in Software, 51 - 200 employees
Coming from biotech in pharma, everything we did had to be done according to standard operating procedures (SOPs). I couldn't build a system without having an SOP with the hardening guidelines and everything I had to do for that server, or the work stations. Everything had SOPs and change control, and it was all documented. Everything had a remediation or response plan. When I went into software, it was as if all those practices went out the window because people didn’t care about them. It's hard to walk into those companies and say, "Hey, we have to follow a process here." They're like, "Nope. We have to get this pumped out in two weeks and you're not going to slow us down." That's often the biggest challenge.
VP, Director of Cyber Incident Response in Finance (non-banking), 10,001+ employees

I can absolutely relate to your challenge because the financial sector is similar to the healthcare sector in that sense. There’s a huge difference between being in either of those industries and being in the tech sector when it comes to SOPs. When I first came to the bank, they said, "Here's your standard operating procedure for malware, for DDoS, for everything else." And I thought, "This is great. All I have to do is read all this and I'll know how everybody does their jobs." It was such a blessing, coming from the tech sector. When I first walked into my job, I had to interview the 30 other people on the team so that I knew what they did. It was kind of a painful process and it took me a while to read all that documentation, but you get there eventually.

VP, Director of Cyber Incident Response in Finance (non-banking), 10,001+ employees
We've acquired a number of small companies over the years for their technology, which is common. If you're a big company, you acquire smaller companies and you learn that they don't have an IT department or a security team. Johnny developer is his own administrator on his device or maybe in his department's network. There’s a lack of monitoring and structure, so I have to figure it all out once they’ve been acquired. They don't like you for it because you've taken away the privileges they've had thus far. They’ll point the finger at you saying, "You darn security politician. It's your fault that I can't do my job. It's your fault that my project's behind."
SVP in Finance (non-banking), 1,001 - 5,000 employees

Change is hard. No matter what the intentions are, change is hard and people don't like it. 

Chief Technology Officer in Media, 2 - 10 employees
I always try to follow and apply the standard operating procedures in our company. That's the basic thing everyone should adapt. Every stage of development needs SOPs. It's easy for startups like us to form and implement them, but as we gradually grow it will be hard to amend the changes in SOPs.
Director Of Technology in Education, 51 - 200 employees
As a K-12 school we have other mechanisms (syllabus, policies, procedures, guidelines) but are not usually ones to value Standard Operating Procedures (SOPs). SOPs seem a bit inflexible and leave little discretion. We do value SOPs for things such as COVID-19 protocols, IT onboarding and HR processes but not for education per se. Teaching and learning doesn't always align itself to an SOP.
CIO in Construction, 1,001 - 5,000 employees
Yes, SOPs (Standard Operating Procedures) are valued across industries. I am associated with four different industry verticals in my current work assignment. We have developed SOPs for most of the processes. In construction, hospitality and facility management, we have SOPs for all major activities/processes. SOPs help in making the process independent of the employees and help in training, as new appointees will have all the required information to work easily available in one place. SOPs make operations simpler and easy to review/diagnose.
Director of Information Technology and Information Security in Healthcare and Biotech, 10,001+ employees
SOPs are a must for the certification journey, aiming at better collaboration and narrowing the communication gap between IT and business, maturing in IT & IS management, and ultimately yielding to increased revenue.
CIO in Finance (non-banking), 10,001+ employees
We leveraged SOPs to help with sharing of data across legal affiliates as a governance/audit tool. For example, the SOP would dictate the stakeholders as well as the process and controls that governed when data was being shared between affiliates. The SOP defines what data was being shared, for what purpose and what the permissible uses were, who was able to access it, what access controls were in place, the process for sharing the data, as well as how data was to be returned or deleted upon the end of the service agreement. This created awareness and accountability for the senders and receivers to ensure others were not able to access or use the shared data outside of the SOP-defined case. The SOP, signed by both parties, acted as a contract that was reviewed annually to ensure compliance.
Rural Health VP, Information Services in Healthcare and Biotech, 10,001+ employees
Yes, very important, especially in healthcare.
CTO in Education, 1,001 - 5,000 employees
Definitely yes, especially in large scale industries. Without SOPs everyone will do what they think is right from their point of view, and this will always conflict with the company's vision and the way of handling things. In my opinion, all companies, even small to medium scale companies, should implement SOPs in the first year of business. SOPs must be well documented/updated and handed to every new recruit from day one.
Based on my experience with my current employer, and since we were late in establishing SOPs for every department, we had many interdepartmental conflicts and resistance to any new changes in policy.
