Procedures are very unique, in fact they are unique as the organization they are placed in. Unfortunately there is no generally accepted standard for the correct way to produce a good procedure. The main factor that will determine how your developed procedures will look will be how your current procedures templates are designed for your organization and how you intend the procedure to be used by its intended audience. Because of these factors your procedures may have a different look and not be completely unified in design because each procedure will have a different audience.
Writing a procedure is very different from writing a policy as it doesn't have to be approved by senior management. A procedure must only enforce policy and applicable standards and must be instructive in nature. It is recommended not to use teams of people to develop a good procedure. Large teams of people will actually slow down the process of development.
When information security professionals get to the procedures some believe that the large quantity of work is complete and now it is up to the individual technical subject matter experts to write the individual procedures. Generally this does not work because the subject matter experts are generally too busy with their day-to-day functions and already overworked to find the time to develop or worry about more paperwork. Writing procedures is usually the last thing they will want to do so it is usually left till last if done at all.
If budget warrants it is recommended that you hire a technical writer or dedicate a person to gather the relevant information from the subject matter expert and put the information into a procedure format. Good procedure templates can be found on this site and are a good foundation for building your own procedure documents. Using procedure templates will quickly speed up the process enabling you to concentrate on what needs to be done rather than worrying about the documentation of format. Procedure templates can also be used as a guideline to ensure that every base is covered in your role revision.
When scheduling meetings with the subject matter expert be sure to ask them to bring any current documentation they have including flowcharts or graphics that demonstrate the particular tasks that are performed. Visual aids such as flowcharts or an information flow model are very valuable in the procedure development process. Usually the meaning should only take around one hour which should be long enough to get the information necessary, you can use a procedure template to guide the questions and keep the subject matter expert on track. Once the questioning is complete make sure you tell subject matter expert what the next steps are so they understand clearly of forthcoming events.
Below are some general steps that will be performed after the interview:
• The information derived from the interview will be put into the procedure format
• A draft procedure document will be produced and sent to subject matter expert for their consideration and if necessary editing
• The technical writer or project person will update the procedure based on the subject matter experts comments or revisions
• Additional items can then added to the procedure
• The procedure will be put through some testing
• If the procedure is successful producing the proper results, it will be published according to the appropriate procedure approval process.
Security Bastion provides a range of excellent procedure templates which you can use to base your own procedure development project on. These templates have been developed using industry best practices as a guideline. These documents will help you have your procedures up and running in no time.
A good reference can be found here