This chapter covers Standard Operating Procedures (SOPs) — the documented, step-by-step instructions that govern how IT tasks are performed consistently and efficiently. For the CompTIA A+ 220-1102 exam, SOPs fall under Domain 4.0 (Operational Procedures), specifically Objective 4.1: 'Given a scenario, implement appropriate basic support concepts based on the following: ticketing systems, asset management, and standard operating procedures.' While SOPs are not tested as a separate heavy section, they appear in scenario-based questions about change management, incident response, and documentation. Expect 2-4 questions touching on SOPs, often integrated with ticketing systems and asset management.
Jump to a section
Think of a restaurant kitchen that serves hundreds of meals every night. Without a standardized recipe book, each chef would cook based on memory or personal preference, leading to inconsistent dishes — some burnt, some undercooked, some too salty. The recipe book is the Standard Operating Procedure (SOP). It specifies exact ingredients, measurements, cooking times, and plating instructions. When a new chef joins, they read the recipe book to learn how to prepare each dish exactly as expected. If a customer complains about a dish, the chef can refer to the recipe to verify they followed the correct process. The restaurant also has a procedure for handling food allergies: a specific form must be filled out, a manager must approve substitutions, and the allergy information is communicated to the kitchen team. This is like an IT SOP for handling security incidents — it defines who to contact, what data to collect, and what steps to take. Without these written procedures, the kitchen would be chaotic, dishes would vary wildly, and customer satisfaction would plummet. Similarly, in IT, SOPs ensure consistency, compliance, and efficiency across all operations, from password resets to disaster recovery.
What is a Standard Operating Procedure (SOP)?
A Standard Operating Procedure (SOP) is a documented set of step-by-step instructions that describe how to perform a routine IT task or handle a specific situation. The goal is to ensure consistency, quality, and compliance across an organization. In IT, SOPs cover tasks such as password resets, user onboarding/offboarding, software installation, backup verification, incident response, and hardware disposal.
Why SOPs Matter in IT
Without SOPs, IT support would be chaotic. Each technician might handle the same problem differently, leading to inconsistent outcomes, missed steps, and security gaps. SOPs provide: - Consistency: Every technician follows the same process, so results are predictable. - Efficiency: New hires can quickly learn standard tasks without shadowing for weeks. - Compliance: Many industries require documented procedures for audits (e.g., HIPAA, PCI-DSS, GDPR). - Accountability: If something goes wrong, the SOP can be reviewed to see if it was followed. - Continuous improvement: When a process fails, the SOP can be updated to prevent recurrence.
Key Components of an SOP
A well-written SOP includes: - Title and ID: Unique identifier (e.g., SOP-IT-001). - Purpose: Why this procedure exists. - Scope: Who it applies to (e.g., all IT staff, help desk level 1). - Prerequisites: Required tools, permissions, or knowledge. - Step-by-step instructions: Numbered actions in sequence. - Expected outcomes: What success looks like. - Troubleshooting: Common issues and how to resolve them. - References: Related documents (e.g., security policy, vendor manuals). - Revision history: Date, version, author, and changes made.
How SOPs Relate to Change Management
Change management is the process of controlling changes to IT infrastructure. SOPs are the detailed instructions for implementing approved changes. For example, a change request to upgrade a server's OS might reference an SOP that outlines: 1. Verify backup is current. 2. Download and verify OS image checksum. 3. Schedule maintenance window. 4. Apply update. 5. Run post-update tests. 6. Update asset management database.
Without an SOP, the change might be performed incorrectly, causing downtime or data loss.
SOPs and Ticketing Systems
Ticketing systems (like ServiceNow, Jira, or Zendesk) often enforce SOPs through workflow automation. For example, a password reset ticket might trigger an automated email to the user, then assign the task to a technician, who follows the SOP steps in the ticket. The ticketing system can require acknowledgment of each step, ensuring compliance. Common ticket fields include:
Category (e.g., Incident, Service Request)
Priority (based on impact and urgency)
Assignment group
Status (New, In Progress, Resolved, Closed)
Closure codes (e.g., Fixed, Duplicate, Not Reproducible)
SOPs in Asset Management
Asset management involves tracking hardware and software throughout their lifecycle. SOPs define how to:
Add new assets to the inventory database.
Assign assets to users.
Perform regular audits (e.g., quarterly physical inventory).
Decommission assets (wipe data, dispose of hardware).
Track software licenses and compliance.
For example, an SOP for laptop deployment might include: 1. Unbox laptop. 2. Verify serial number matches purchase order. 3. Install base image from network. 4. Join domain. 5. Install company-approved software. 6. Apply security patches. 7. Record asset tag in inventory system. 8. Deliver to user and obtain signature.
Incident Response SOPs
When a security incident occurs (e.g., malware infection, data breach), an SOP ensures a swift, coordinated response. A typical incident response SOP includes: - Identification: How to detect and report the incident (e.g., via SIEM alert or user report). - Containment: Isolate affected systems (disconnect from network, disable user account). - Eradication: Remove malware, rebuild system from clean backup. - Recovery: Restore services, monitor for recurrence. - Lessons learned: Document what happened, update SOPs to prevent future incidents.
Common SOPs Tested on 220-1102
The exam expects you to know the purpose and basic content of SOPs for: - Password reset: Verify user identity, reset password, enforce complexity, require change at next login. - User onboarding: Create account, assign permissions, provide equipment, schedule training. - User offboarding: Disable account, revoke access, collect equipment, wipe data, notify HR. - Data backup and recovery: Schedule backups, verify integrity, test restoration, store offsite. - Antivirus updates: Ensure definitions are current, scan schedule, handle detected threats. - Patch management: Test patches in staging, approve, deploy to production, verify.
Creating and Maintaining SOPs
SOPs should be: - Written clearly: Use simple language, avoid jargon unless defined. - Reviewed regularly: At least annually, or after major incidents. - Approved by management: To ensure alignment with business goals. - Accessible: Stored in a shared repository (e.g., SharePoint, wiki, ticketing system). - Version controlled: Track changes, keep historical versions.
The Role of SOPs in Compliance
Many regulations require documented procedures. For example: - HIPAA: Requires documented policies for protecting ePHI, including access controls and breach notification. - PCI-DSS: Requires documented procedures for cardholder data handling, security monitoring, and incident response. - GDPR: Requires procedures for data subject access requests, breach notification, and data deletion.
SOPs provide evidence that the organization has defined and implemented required controls. Auditors will request SOPs and verify they are being followed.
Common Mistakes in SOPs
Too vague: 'Back up the server' — what type? How often? Where?
Too detailed: 50 steps for a simple task.
Outdated: References old software versions or procedures.
Not followed: Technicians bypass SOPs because they are inconvenient or unknown.
No feedback loop: No way to suggest improvements.
Exam Tips for SOPs
Know the difference between a policy (high-level rules), a procedure (detailed steps), and a standard (required specifications).
Understand that SOPs are part of 'change management' and 'documentation'.
Be able to identify which SOP is appropriate for a given scenario.
Recognize that SOPs help with 'onboarding' new technicians.
Remember that SOPs must be updated when processes change.
Integration with Other Operational Procedures
SOPs are not isolated; they connect with: - Ticketing systems: Tickets reference SOPs; SOPs define ticket workflows. - Asset management: SOPs dictate how assets are tracked and handled. - Change management: SOPs are the detailed implementation plans for changes. - Security policies: SOPs enforce security controls (e.g., password length, account lockout). - Disaster recovery: SOPs outline steps to restore systems after a disaster.
Summary of Core Concepts
SOPs are step-by-step instructions for routine IT tasks.
They ensure consistency, efficiency, compliance, and accountability.
Key components include title, purpose, scope, steps, and revision history.
SOPs are used in change management, incident response, asset management, and ticketing.
They must be reviewed, updated, and accessible.
The 220-1102 exam tests your ability to apply SOPs in scenario-based questions.
Conclusion
Mastering SOPs is essential for any IT professional. They are the backbone of operational excellence. On the exam, focus on understanding when and why SOPs are used, and be able to identify the correct procedure for common tasks. Remember that SOPs are not just paperwork — they are practical tools that prevent errors and improve service quality.
Identify the Task or Process
The first step in creating an SOP is to clearly define the task that needs to be documented. This could be a recurring task like user onboarding, a security incident response, or a maintenance procedure. The scope must be narrow enough to be manageable but broad enough to be useful. For example, instead of 'Manage users,' break it down into 'Onboard new employee,' 'Offboard departing employee,' and 'Reset user password.' This step also involves identifying the stakeholders who will use the SOP and any regulatory requirements that apply.
Gather Information and Input
Consult with subject matter experts (SMEs) who perform the task regularly. Observe the current process, noting every action, tool, and decision point. Review existing documentation, vendor manuals, and compliance requirements. For example, if documenting a server backup procedure, talk to the backup administrator, review the backup software documentation, and check the organization's data retention policy. This step ensures the SOP reflects the actual best practice, not an idealized version.
Write the Draft SOP
Write the SOP using a clear, step-by-step format. Use imperative mood (e.g., 'Click OK,' 'Enter the password'). Include prerequisites (e.g., 'Administrator access required'), expected outcomes (e.g., 'User can log in with new password'), and troubleshooting tips. Use consistent terminology. For example, an SOP for password reset might list: '1. Verify user identity using two-factor authentication. 2. Open Active Directory Users and Computers. 3. Right-click user account, select Reset Password. 4. Enter new password meeting complexity requirements. 5. Check 'User must change password at next logon.' 6. Inform user of new password.'
Review and Approve the SOP
The draft SOP should be reviewed by SMEs, supervisors, and possibly legal/compliance teams. They check for accuracy, completeness, clarity, and alignment with policies. After revisions, the SOP is formally approved by management (e.g., IT Director or Change Advisory Board). The approval is documented with date and signature. This step ensures the SOP is authoritative and can be used as a reference during audits.
Train Staff and Implement
Once approved, the SOP must be communicated to all relevant staff. This can be done through training sessions, email announcements, or posting in a shared repository. Technicians should be required to acknowledge they have read and understand the SOP. For example, a help desk might hold a 30-minute training on the new password reset SOP and then update the ticketing system to include a link to the SOP. Implementation also means updating any automated workflows to reflect the new procedure.
Monitor, Review, and Update
SOPs are living documents. They should be reviewed periodically (e.g., annually) or after any incident that reveals a flaw. Feedback from technicians should be collected. When a change occurs (e.g., software upgrade, new security requirement), the SOP must be updated. Version control is critical — always mark the previous version as obsolete. For example, after a ransomware attack, the incident response SOP might be updated to include steps for isolating infected systems before contacting the security team.
In a large enterprise with 5,000 employees, the IT help desk handles 200+ tickets daily. Without SOPs for common requests like password resets, software installations, and VPN access, each technician would handle them differently. This leads to inconsistent service, security vulnerabilities (e.g., some technicians might not verify identity properly), and longer resolution times. The help desk manager creates SOPs for the top 20 ticket types, stores them in the ticketing system (ServiceNow), and ties each ticket category to the relevant SOP. When a technician opens a password reset ticket, the system displays the SOP steps and requires confirmation after each step. This ensures compliance and speeds up training for new hires.
Another scenario is a healthcare organization subject to HIPAA. They must have documented procedures for accessing patient records, reporting breaches, and disposing of hardware. Their SOP for decommissioning a laptop includes: 1) Verify the laptop is no longer needed. 2) Perform a secure wipe using a tool that meets NIST 800-88 standards. 3) Document the wipe certificate. 4) Update asset management database to 'Disposed.' 5) Physically destroy the hard drive if the data is highly sensitive. During an audit, the organization can produce the SOP and logs showing compliance. If a laptop is lost, the SOP for breach notification outlines who to contact (privacy officer, legal, affected patients) and the timeline (within 60 days under HIPAA).
A common misconfiguration is writing an SOP that is too vague or too complex. For example, an SOP that says 'Back up the server regularly' without specifying frequency, method, or location is useless. Another pitfall is failing to update SOPs after a change. If a new antivirus is deployed but the SOP still references the old one, technicians may skip steps or use incorrect instructions. The best practice is to assign an owner to each SOP who is responsible for keeping it current and to include a 'last reviewed' date. In production, SOPs are often integrated with automation — for example, a user onboarding SOP might trigger scripts that create accounts and assign permissions automatically, reducing manual error.
On the 220-1102 exam, SOPs are tested under Objective 4.1, which includes 'standard operating procedures' as one of the support concepts. The exam does not ask you to write an SOP, but it presents scenarios where you must choose the correct procedure or identify what is missing. Common question types:
Given a scenario (e.g., a user reports a lost laptop), what is the first step according to SOP? (Answer: Report to security/help desk, not wipe the device immediately.)
Which document should a technician consult when performing a task for the first time? (Answer: SOP.)
What is the purpose of an SOP? (Answer: To ensure consistency and compliance.)
Three common wrong answers candidates choose: 1. 'Policy' instead of 'SOP' — Policy is high-level rules; SOP is detailed steps. Example: 'Password must be 8 characters' is policy; 'How to reset password in AD' is SOP. 2. 'Change management' instead of 'SOP' — Change management is the process of approving changes; SOP is the procedure for implementing them. They are related but distinct. 3. 'Ticketing system' instead of 'SOP' — The ticketing system is a tool; SOP is the documented process. The ticket may reference an SOP, but they are not the same.
The exam loves to test the difference between policy, procedure, and standard. Know that a procedure (SOP) is the 'how,' a policy is the 'what/why,' and a standard is a mandatory requirement (e.g., use AES-256 encryption). Also, remember that SOPs should be version-controlled and reviewed regularly. An edge case: If a technician deviates from an SOP because the situation is urgent, they must document the deviation and report it. The exam might ask what to do if an SOP is missing a step — the answer is to follow the closest related SOP or escalate to a supervisor, not to guess.
To eliminate wrong answers, focus on the level of detail. If the question asks for 'step-by-step instructions,' the answer is SOP. If it asks for 'rules,' it's policy. If it asks for 'technical specifications,' it's a standard. Practice with scenario-based questions to internalize these distinctions.
SOPs are documented step-by-step instructions for routine IT tasks.
They ensure consistency, efficiency, compliance, and accountability.
Key components: title, purpose, scope, prerequisites, steps, expected outcomes, troubleshooting, revision history.
SOPs differ from policies (rules) and standards (mandatory specs).
SOPs must be reviewed and updated regularly, especially after changes or incidents.
On the 220-1102 exam, identify the correct SOP for a given scenario (e.g., password reset, incident response).
Common wrong answer: confusing SOP with policy or change management.
SOPs are stored in a shared repository and often linked from ticketing systems.
These come up on the exam all the time. Here's how to tell them apart.
Policy
High-level statement of rules or guidelines.
Defines 'what' must be done and 'why'.
Example: 'All sensitive data must be encrypted at rest.'
Rarely changes; set by management or compliance.
Enforced through SOPs and standards.
Standard Operating Procedure (SOP)
Detailed step-by-step instructions.
Defines 'how' to perform a specific task.
Example: '1. Open BitLocker. 2. Select drive. 3. Enable protection.'
Updated when tools or processes change.
Directly used by technicians to perform tasks.
Mistake
SOPs are only for large enterprises.
Correct
SOPs are valuable for any organization, even small businesses. They ensure consistency, reduce errors, and make training easier. A one-person IT shop can still benefit from documenting common tasks to maintain continuity if they are unavailable.
Mistake
Once written, an SOP never needs to change.
Correct
SOPs must be living documents. They should be reviewed and updated whenever processes, tools, or regulations change. Outdated SOPs can lead to errors and non-compliance. Best practice is to review at least annually and after any incident.
Mistake
SOPs are the same as policies.
Correct
Policies are high-level statements of intent (e.g., 'All passwords must be complex'). SOPs are detailed step-by-step instructions (e.g., 'Open ADUC, right-click user, select Reset Password...'). Policies define 'what,' SOPs define 'how.'
Mistake
SOPs are only for IT support tasks.
Correct
SOPs apply to any repeatable process, including security incident response, asset management, change management, and even non-IT tasks like HR onboarding. The 220-1102 exam covers SOPs in the context of operational procedures.
Mistake
You can skip SOPs if you are experienced.
Correct
Even experienced technicians should follow SOPs to ensure consistency and compliance. Skipping steps can lead to security gaps or mistakes. SOPs also serve as documentation for audits and legal protection.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
A policy is a high-level statement of rules or guidelines (e.g., 'Passwords must be at least 8 characters'). An SOP is a detailed step-by-step procedure for performing a task (e.g., '1. Open Active Directory. 2. Right-click user. 3. Select Reset Password...'). Policies define 'what' and 'why'; SOPs define 'how'. On the exam, if the question asks for 'step-by-step instructions,' the answer is SOP.
SOPs ensure consistency across technicians, reduce errors, speed up training, and help meet compliance requirements (e.g., HIPAA, PCI-DSS). They also provide a baseline for continuous improvement and accountability. Without SOPs, each technician might handle the same task differently, leading to security gaps and inefficiency.
SOPs should be reviewed at least annually, or whenever there is a significant change in tools, processes, or regulations. After an incident, the relevant SOP should be reviewed to see if it needs updating. The review date should be documented in the SOP itself.
If an SOP is missing a step, do not guess. Follow the closest related SOP if available, or escalate to a supervisor. Document the issue so the SOP can be updated. On the exam, the correct answer is usually to consult a supervisor or follow the nearest procedure, not to improvise.
Yes, many SOPs can be partially or fully automated using scripts, ticketing workflows, or configuration management tools. For example, a user onboarding SOP might automatically create an account, assign permissions, and send a welcome email. However, the SOP still serves as documentation of the process and is required for compliance.
In change management, an approved change request references an SOP that provides the detailed implementation steps. The SOP ensures the change is performed consistently and safely. After the change, the SOP may be updated to reflect lessons learned.
Ticketing systems can link each ticket category to the relevant SOP. When a technician opens a ticket, the system displays the SOP steps and may require confirmation at each step. This enforces compliance and provides an audit trail. Some systems can even automate steps based on the SOP.
You've just covered Standard Operating Procedures (SOPs) — now see how well it sticks with free 220-1102 practice questions. Full explanations included, no account needed.
Done with this chapter?