ISO 27001 Annex : 12 Operations Security

This article on ISO 27001 Annex : 12 Operations Security explains Operational Procedures and Responsibilities, Documented Operating Procedures, Change Management, Capacity Management, and Separation of Development, Testing and Operational Environments.

A.12.1  Operational procedures and responsibilities

Its objective is to ensure that information processing facilities operate correctly and securely.

A.12.1.1  Documented Operating Procedures

Control- Operating procedures should be documented and made available to all users who need them.

Implementation Guidance- Documented procedures should be prepared for the operational activities associated with information processing and communication facilities, including computer start-up and shut-down, backup, equipment maintenance, media handling, computer room and mail handling management, and safety.

The operating procedures should include the following operating instructions:

  1. Systems installation and configuration;
  2. Automated and manual processing and handling of information;
  3. Backing up;
  4. Scheduling requirements, such as earliest job start and latest job completion times, including interdependencies with other systems;
  5. Instructions for handling errors or other exceptional conditions which may arise during job execution, including restrictions on the use of system utilities;
  6. Support and escalation contacts, including external support contacts, in the event of unexpected operational or technical difficulties;
  7. Special output and media handling instructions, including procedures for the secure disposal of output from failed jobs, such as the use of special stationery or the management of confidential output;
  8. System restart and recovery procedures for use in the event of system failure;
  9. Management of audit-trail and system log information;
  10. Procedures for monitoring.

Operating procedures and the documented procedures for system activities should be treated as formal documents, and changes to them should be authorized by management. Where technically feasible, information systems should be managed consistently, using the same procedures, tools, and utilities.

A.12.1.2  Change Management

Control- Changes in the organization, organizational procedures, information management facilities, and information security systems should be controlled.

Implementation Guidance- The following things will in particular be taken into account:

  1. Identification and recording of significant changes;
  2. Planning and testing of changes;
  3. Assessment of the potential impacts of such changes, including the impact on information security;
  4. A formal approval procedure for proposed changes;
  5. Verification that information security requirements have been met;
  6. Communication of change details to all relevant persons;
  7. Fall-back procedures, including procedures and responsibilities for aborting and recovering from unsuccessful changes and unforeseen events;
  8. An emergency change procedure to enable quick and controlled implementation of the changes needed to resolve an incident.

In order to ensure adequate control of all changes, formal management responsibilities and procedures should be in place. An audit log containing all relevant information should be retained when changes are made.

Other Information- Inadequate control of changes to information processing facilities and systems is a common cause of system or security failures. Changes to the operating environment, especially when transferring a system from the development to the operational stage, can impact the reliability of applications.

“There is no security on this earth; there is only opportunity”
– Douglas MacArthur

A.12.1.3  Capacity Management

Control- The use of resources should be monitored and tuned, and projections made of future capacity requirements, to ensure the required system performance.

Implementation Guidance- Capacity requirements should be identified, taking into account the business criticality of the system concerned. System tuning and monitoring should be applied to ensure and, where necessary, improve the availability and efficiency of systems. Detective controls should be put in place to indicate problems in due time. Projections of future capacity requirements should take account of new business and system requirements and of current and projected trends in the organization's information processing capacity.

Particular attention should be paid to any resources with long procurement lead times or high costs; managers should also monitor the usage of key system resources. Trends in usage should be identified, particularly in relation to business applications or management tools for information systems.

Managers should use this information to identify and avoid potential bottlenecks and dependence on key personnel that might present a threat to system security or services, and to plan appropriate action.

Providing sufficient capacity can be achieved by increasing capacity or by reducing demand. Examples of managing capacity demand include the following points:

  1. Deletion of obsolete data (disk space);
  2. Decommissioning of applications, systems, databases or environments;
  3. Optimization of batch processes and schedules;
  4. Optimization of application logic or database queries;
  5. Denying or restricting bandwidth for resource-hungry services if these are not business-critical (e.g. video streaming).

A documented capacity management plan should be considered for mission-critical systems.

Other Information- This control also includes the capacity of human resources, offices, and facilities.

An organization wants its information assets to remain within the CIA triad, and to ensure that its business operations run with proper security controls protecting the confidentiality, authenticity and/or integrity of its information and information processing facilities. This control is covered in Annex 12 of ISO 27001. The well-known Lead Auditor and Lead Implementer certifications cover all the annexes on information security, including the implementation of appropriate access controls so that only authorized access to the organization's critical information is permitted. Infosavvy, a Mumbai-based institute, offers certifications and training across multiple domains, such as information security management and cybersecurity, including the IRCA CQI ISO 27001:2013 Lead Auditor (LA) and ISO 27001 Lead Implementer (LI) (TÜV SÜD Certification). This certification covers the audits needed to keep an organization safe from those who intend to harm it. Infosavvy will help you understand and identify the full extent of the security controls your organization needs to protect its operations and information assets from attack, even at the end of their life. Our trainers have ample know-how and experience to make sure that information security is handled effectively. The applicant will therefore gain the skills needed to conduct an ISMS audit using commonly agreed audit concepts, procedures and techniques.

A.12.1.4  Separation of Development, Testing and Operational Environments

Control- Development, testing, and operational environments should be separated to reduce the risks of unauthorized access to, or changes in, the operational environment.

Implementation guidance- The level of separation between operational, testing and development environments that is needed to prevent operational problems should be identified and implemented.

The following should be taken into account:

  1. Rules for the transfer of software from development to operational status should be defined and documented;
  2. Development and operational software should run on different systems or computer processors and in different domains or directories;
  3. Changes to operational systems and applications should be tested in a testing or staging environment before being applied to operational systems;
  4. Other than in exceptional circumstances, testing should not be done on operational systems;
  5. Compilers, editors and other development tools or system utilities should not be accessible from operational systems when not required;
  6. Users should use different user profiles for operational and testing systems, and menus should display appropriate identification messages to reduce the risk of error;
  7. Sensitive data should not be copied into the testing system environment unless equivalent controls are provided for the testing system.

Other Information- Development and testing activities can cause serious problems, such as unwanted modification of files or the system environment, or system failure. Substantial testing needs to be carried out in a known and secure environment, and unsafe developer access to the operational system avoided.

Where development and testing personnel have access to the operational system and its data, they may be able to introduce unauthorized or untested code, or alter operational data. On some systems this capability could be misused to commit fraud or to introduce untested or malicious code, which can cause serious operational problems.

Development and testing personnel also pose a threat to the confidentiality of operational information. Unintended changes to software or information may occur when development and testing activities share the same computing environment. Separating development, testing, and operational environments is therefore desirable to reduce the risk of accidental change or unauthorized access to operational software and business data.

Questions related to this topic
  1. How do I secure application software?
  2. What are the ISO 27001 Annex : 12 Operations Security procedures and responsibilities?
  3. What steps can be taken during the application development process to protect against vulnerabilities?
  4. What are the controls used in ISO 27001 Annex : 12 Operations Security?
  5. What is application-level security?
  6. How do you manage test data?
  7. Explain ISO 27001 Annex : 12 Operations Security.

This Blog Article is posted by
Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092