SOP Examples: 10 Real-World Cases Across IT And Business

3. IT Change Management SOP

Purpose: Ensure all changes to IT infrastructure, systems, or services are evaluated, approved, and implemented with minimal disruption to operations.

Scope: All standard, normal, and emergency changes. Applies to IT operations, infrastructure, and development teams.

Roles: Change requester, Change Advisory Board (CAB), change manager, IT operations.

Procedure:

1. Change request submission: The requester submits a change request with description, justification, risk assessment, rollback plan, and proposed implementation window.
2. Classification: Change manager classifies the change as standard (pre-approved), normal (requires CAB review), or emergency (expedited).
3. Risk assessment: For normal changes, CAB reviews the potential impact, rollback feasibility, and timing relative to other changes and business events.
4. Approval: CAB approves, rejects, or requests modification. Standard changes proceed automatically. Emergency changes follow the expedited approval path.
5. Implementation: Change is implemented during the approved window. The requester updates the ticket with implementation progress notes.
6. Post-implementation review: Within 48 hours of implementation, the requester confirms success or failure. If failed: rollback is initiated and an incident is raised.
7. Closure: Change ticket is closed with outcome notes, duration, and any follow-up actions.

Escalation rules: Failed changes that impact production services immediately trigger the incident management SOP in parallel with rollback execution.

4. Incident Management SOP

Purpose: Restore normal service operation as quickly as possible following an unplanned interruption or degradation of service, minimizing business impact and meeting agreed SLA targets.

Scope: All incidents affecting IT services, reported through any channel (self-service portal, email, phone, or monitoring alerts). Applies to the service desk and all specialist support teams.

Roles: End user/requester, service desk (L1), specialist support teams (L2/L3), incident manager, major incident manager.

Procedure:

• Logging and identification: The incident is logged with a description, affected service or CI, time of occurrence, and reporting channel. Tickets auto-generated from monitoring are enriched with user-reported context where available.
• Categorization and prioritization: The service desk categorizes the incident and sets priority using the impact × urgency matrix, which determines the applicable SLA.
• Initial diagnosis: L1 attempts resolution using the knowledge base and known error database. If resolved, the ticket is documented and closed.
• Escalation: If L1 cannot resolve within the functional escalation threshold, the incident is routed to the appropriate L2/L3 team. Hierarchic escalation to the incident manager occurs when an SLA breach is imminent.
• Major incident handling: Incidents meeting major incident criteria (e.g., P1, multiple critical services down) trigger the major incident process: a major incident manager is assigned, a bridge is opened, and stakeholders receive regular communications.
• Resolution and recovery: The resolving team applies a fix or workaround, confirms service restoration with the user or via monitoring, and records the resolution.
• Closure: The ticket is closed after user confirmation or within the auto-close window. Resolution notes, final category, and any new known error are documented for future reference.

Escalation rules: Imminent SLA breach triggers hierarchic escalation to the incident manager. If root cause remains unknown after resolution, a problem record is raised. Recurring incidents are linked to the existing problem record.

5. Patch Management SOP

Purpose: Maintain the security and stability of IT systems by identifying, testing, approving, and deploying patches in a controlled and timely manner.

Scope: Operating systems, firmware, applications, and infrastructure components across servers, endpoints, and network devices. Covers routine, out-of-band, and emergency security patches.

Roles: Patch manager, system administrators, security team, asset owners, change manager.

Procedure:

• Patch identification: Patch sources (vendor advisories, monitoring tools, vulnerability scanners) are monitored continuously. New patches are catalogued against affected CIs in the CMDB.
• Risk and severity assessment: Each patch is assessed for criticality (CVSS score, exploit availability, asset exposure) and assigned a deployment timeline accordingly.
• Testing: Patches are deployed to a representative test or pilot group. Functionality and compatibility are validated before broad release.
• Approval: Standard patch cycles follow pre-approved change windows. Emergency or high-risk patches require change manager or CAB approval via the change management SOP.
• Deployment: Patches are rolled out in phased waves (pilot → broad → remaining) within the agreed maintenance window. Deployment status is tracked per device.
• Verification: After deployment, patch compliance is confirmed via scanning. Failed or pending devices are flagged for remediation.
• Reporting and closure: Compliance reports are generated, exceptions documented, and the patch cycle closed. Outstanding non-compliant assets are tracked to resolution.

Escalation rules: Critical vulnerabilities with active exploits bypass the standard cycle and follow the emergency patch path with expedited approval. Patches that fail in production trigger rollback and the incident management SOP.

6. User provisioning and deprovisioning SOP

Purpose: Ensure user accounts and access are granted and revoked accurately and promptly across the user lifecycle, upholding security and least-privilege principles.

Scope: All user accounts (employees, contractors, service accounts) across directory services, applications, and systems. Covers joiners, movers, and leavers.

Roles: HR, hiring manager, IT service desk, identity/access administrator, application/system owners.

Procedure:

• Request initiation: HR or the hiring manager submits a provisioning request specifying role, department, start date, and required access. Deprovisioning is triggered by an HR offboarding notification.
• Role-based access assignment: Access is mapped to a predefined role profile (RBAC) to ensure consistent, least-privilege entitlements. Exceptions require approval from the relevant system owner.
• Account creation: The identity administrator creates the account in the directory and provisions entitlements to mapped applications, using automated provisioning where integrated.
• Verification: New access is validated against the role profile. The user and manager confirm access on or before the start date.
• Movers (role change): On a role change, prior entitlements are revoked and new ones provisioned to prevent privilege creep.
• Deprovisioning: On the leaver's effective date, accounts are disabled, sessions terminated, and entitlements revoked. Mailboxes and data are handled per the retention policy.
• Closure and audit trail: All actions are logged against the request ticket, providing an auditable record of who approved and provisioned each entitlement.

Escalation rules: Deprovisioning of privileged or terminated-for-cause accounts is treated as urgent and actioned immediately in coordination with security. Delays past the effective date are escalated to the IT and security managers.

7. Hardware asset lifecycle SOP

Purpose: Manage IT hardware assets through their full lifecycle — from procurement to disposal — to optimize utilization, control cost, and maintain accurate inventory.

Scope: All physical IT hardware (laptops, desktops, servers, mobile devices, peripherals, network equipment). Covers procurement, deployment, maintenance, and retirement.

Roles: Asset manager, procurement, IT operations, end users, finance, asset owners.

Procedure:

• Procurement and receipt: Approved hardware requests are procured. On receipt, assets are tagged and recorded in the asset management system with model, serial number, purchase date, warranty, and cost.
• Deployment: The asset is assigned to a user or location, its status updated to "in use," and its relationships recorded (user, CI). Configuration and imaging are completed before handover.
• In-use management: Assets are tracked for location, assignment, warranty, and maintenance. Warranty and lease expirations are monitored proactively.
• Maintenance and repair: Faults are logged and repairs handled in or out of warranty as applicable. Asset status reflects "in repair" during downtime.
• Reassignment: Returned assets are wiped, re-imaged, and either redeployed or moved to stock, with records updated to reflect the change in custody.
• Retirement decision: At end of useful life or lease end, the asset manager evaluates retirement based on age, condition, performance, and support status.
• Disposal: Retired assets undergo secure data destruction (per the data sanitization policy), and disposal is recorded with certificates of destruction. Status is set to "retired/disposed" and the asset is removed from active inventory.

Escalation rules: Lost, stolen, or unaccounted-for assets are escalated to security immediately and logged as incidents, particularly where data exposure is possible. Lease-end deadlines at risk of being missed are escalated to procurement and finance.

8. Employee onboarding SOP

Purpose: Deliver a consistent, timely onboarding experience that equips new employees with the access, equipment, and information needed to be productive from day one.

Scope: All new hires (full-time, part-time, contractors), from offer acceptance through the end of the first week. Coordinates HR, IT, and facilities tasks.

Roles: HR, hiring manager, IT service desk, facilities, onboarding buddy/mentor.

Procedure:

• Onboarding trigger: HR initiates onboarding upon offer acceptance, submitting new-hire details, role, start date, and location to the relevant teams via a service request.
• Pre-arrival provisioning: IT provisions accounts and access per the provisioning SOP, prepares hardware per the hardware lifecycle SOP, and facilities arranges workspace and physical access.
• Readiness verification: All accounts, equipment, and access are verified ready before the start date. The hiring manager confirms readiness.
• Day-one setup: The new hire receives credentials, equipment, and a welcome/orientation guide. IT confirms successful login and access to core systems.
• Orientation and training: HR delivers policy and compliance orientation; the manager assigns role-specific training and introduces the onboarding buddy.
• First-week check-in: IT and the manager confirm there are no outstanding access or equipment issues. Any gaps are resolved through the service desk.
• Completion: The onboarding request is closed once all tasks are confirmed complete, with a record of provisioned access and assets retained for audit.

Escalation rules: Provisioning not completed before the start date is escalated to the IT service desk lead and hiring manager to prevent day-one productivity loss. Mandatory compliance training not completed within the required window is escalated to HR.

Recommended reading

How to Build a Flawless Onboarding Workflow [+Free Template]

Read Article

9. Vendor Management SOP

Purpose: Govern relationships with IT vendors to ensure they deliver agreed value, meet contractual and service obligations, and remain compliant with security and risk requirements.

Scope: All third-party IT vendors and service providers, including software, hardware, and managed service suppliers. Covers onboarding, performance management, and offboarding.

Roles: Vendor manager, procurement, contract/legal, security/risk, business/service owner, finance.

Procedure:

• Vendor onboarding: New vendors undergo due diligence — security assessment, financial stability, and compliance review — before contracting. Approved vendors are added to the vendor register.
• Contract and SLA definition: Contracts define deliverables, SLAs, pricing, data handling, and exit terms. Key dates (renewal, review) are recorded and tracked.
• Operational onboarding: Vendor contacts, escalation paths, and support entitlements are documented and made available to the relevant teams.
• Performance monitoring: Vendor performance is reviewed against SLAs and KPIs at agreed intervals. Service issues are logged and tracked to resolution.
• Periodic review: Scheduled business reviews assess delivery, risk, cost, and relationship health. Findings inform renewal or replacement decisions.
• Risk and compliance reassessment: Security and compliance posture is reassessed periodically and on any material change (e.g., breach, ownership change).
• Offboarding: On contract termination, access is revoked, data is returned or destroyed per contract, and the vendor record is closed with lessons learned captured.

Escalation rules: SLA breaches or critical security findings are escalated to the vendor manager and, where contractual remedies apply, to legal and procurement. Vendor security incidents affecting organizational systems or data trigger the incident management SOP in parallel.

10. SaaS procurement SOP

Purpose: Ensure SaaS applications are acquired through a controlled process that validates business need, security, compliance, and cost before purchase, avoiding redundancy and shadow IT.

Scope: All new SaaS subscriptions and renewals, including departmental and individual purchases. Covers request, evaluation, approval, and onboarding into the SaaS inventory.

Roles: Requester, IT/SaaS manager, security/compliance, procurement, finance, budget owner.

Procedure:

• Request submission: The requester submits a SaaS request with business justification, expected number of users, data types handled, and estimated cost.
• Duplication check: IT checks the existing SaaS inventory for overlapping tools to avoid redundant spend and consolidate where possible.
• Security and compliance review: Security assesses the vendor (data residency, certifications, integrations, SSO support). Compliance confirms data handling meets regulatory requirements.
• Cost and budget approval: Procurement validates pricing and contract terms; the budget owner approves the spend.
• Contracting: Procurement finalizes the agreement, ensuring SLA, data protection, and exit terms are in place.
• Provisioning and integration: The tool is configured (ideally with SSO and centralized provisioning) and added to the SaaS inventory with owner, renewal date, license count, and cost.
• License optimization: Usage is monitored after deployment to right-size licenses and identify inactive accounts ahead of renewal.

Escalation rules: Requests involving sensitive or regulated data that fail security or compliance review are escalated to the security and compliance leads before any procurement proceeds. Shadow-IT SaaS discovered outside this process is escalated to IT for retroactive review and remediation.