Part 31 - A12 Operations Security
This clause in the Annex of ISO 27001 is another really “meaty” clause that gets to the heart of preventing loss of availability, confidentiality and integrity of your information.
The clause is there to ensure that the operations in your information processing facilities are well controlled and well managed.
A.12.1 Operational procedures and responsibilities
Firstly, the objective of this sub-clause is to ensure the correct and secure operation of your information processing facilities.
The standard requires you to cover off the following:
- Document your operating procedures.
- Ensure you use change management.
- Conduct capacity management.
- Separate your development, testing and operational environments.
Here at Mango this was straightforward. We outsource our information processing facilities to an ISO 27001 certified hosting company. We worked closely with them to ensure all the security protocols were in place and are being managed well. The key here was to work out who is responsible for each step of the process. As long as that is agreed upon and clearly understood, we couldn’t really go wrong.
A.12.2 Protection from malware
The second sub-clause has the objective to ensure that your information processing facilities are protected against malware.
You need to ensure that you have controls for the detection, prevention and recovery against malware.
This area is crucial because phishing and credential harvesting are the most commonly reported information security threats to your business. Seek advice from experts here to make sure you get it right.
Here at Mango we put in a lot of effort with detecting and preventing malware. We discuss how we handle malware and phishing with the staff on an almost daily basis. It is certainly a topic on the monthly management meeting that all staff attend.
We need to keep on top of the malware and phishing threats because one slip will cause a lot of damage.
A.12.3 Backup
The third sub-clause is all about backups of your information systems. The objective of this sub-clause is to protect against loss of your data.
You need to ensure you have backup copies of your information, software and system images. The backups need to be taken and tested regularly.
Don’t forget that you need to decide whether you need to take backups of your information yourself. Some of your information is in the cloud, so make sure you check with your cloud providers on their backup policies.
At Mango our information processing facilities are all backed up regularly. This is regularly monitored and tested by our IT staff.
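A backup that has never been restored is only a hope. As an added illustration of “taken and tested regularly” (this is example code written for this post, not Mango’s or its hosting provider’s procedure), the script below writes a SHA-256 manifest alongside a backup archive, restores the archive into a scratch directory, checks every restored file against the manifest, and fails the test if the backup is older than an assumed maximum age. The directory layout, file contents and the 24-hour age limit are constructed for the demo.

```python
import hashlib
import json
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file (relative, POSIX-style path) under root to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def manifest_path(backup_path: Path) -> Path:
    return Path(str(backup_path) + ".manifest.json")


def make_backup(src: Path, backup_path: Path) -> dict:
    """Create a gzipped tar of src and a manifest recording when it was taken and what it contains."""
    manifest = {"created": time.time(), "files": build_manifest(src)}
    with tarfile.open(backup_path, "w:gz") as tar:
        tar.add(src, arcname="data")
    manifest_path(backup_path).write_text(json.dumps(manifest))
    return manifest


def safe_extract(tar: tarfile.TarFile, dest: Path) -> None:
    """Extract with the 'data' filter (blocks path traversal and links outside dest)
    where the running Python supports it; older versions fall back to plain extraction."""
    try:
        tar.extractall(dest, filter="data")
    except TypeError:  # Python without the filter= argument
        tar.extractall(dest)


def verify_tree(restored: Path, manifest: dict) -> list:
    """Compare a restored tree to the manifest; return a list of problems (empty means clean)."""
    actual = build_manifest(restored)
    problems = []
    for name, digest in manifest["files"].items():
        if name not in actual:
            problems.append(f"missing: {name}")
        elif actual[name] != digest:
            problems.append(f"changed: {name}")
    for name in actual:
        if name not in manifest["files"]:
            problems.append(f"unexpected: {name}")
    return problems


def restore_test(backup_path: Path, max_age_seconds: float, now: float = None) -> dict:
    """Restore into a scratch directory and report integrity plus backup age."""
    manifest = json.loads(manifest_path(backup_path).read_text())
    now = time.time() if now is None else now
    age = now - manifest["created"]
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(backup_path, "r:gz") as tar:
            safe_extract(tar, Path(scratch))
        problems = verify_tree(Path(scratch) / "data", manifest)
    return {
        "ok": not problems and age <= max_age_seconds,
        "age_seconds": age,
        "problems": problems,
        "restored_files": len(manifest["files"]),
    }


def demo() -> dict:
    """Constructed end-to-end run: back up a tiny tree, restore-test it while fresh,
    restore-test it as if three days old, and show the check catching a changed file."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "src"
        (src / "notes").mkdir(parents=True)
        (src / "a.txt").write_text("customer list v1\n")          # constructed sample data
        (src / "notes" / "b.txt").write_text("meeting minutes\n")  # constructed sample data
        backup = work / "nightly.tar.gz"
        manifest = make_backup(src, backup)
        fresh = restore_test(backup, max_age_seconds=86400)
        stale = restore_test(backup, max_age_seconds=86400, now=manifest["created"] + 3 * 86400)
        # Simulate a restore in which one file came back different from what was backed up.
        restored = work / "restored"
        with tarfile.open(backup, "r:gz") as tar:
            safe_extract(tar, restored)
        (restored / "data" / "notes" / "b.txt").write_text("meeting minutes - edited\n")
        tampered = verify_tree(restored / "data", manifest)
    return {"fresh": fresh, "stale": stale, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run on a real backup, the useful output is the `problems` list and `age_seconds`: a restore that completes but disagrees with the manifest, or a newest backup older than your recovery point objective, is the kind of finding that should be recorded as evidence for this sub-clause.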
A.12.4 Logging and monitoring
The objective of this sub-clause is to record events and generate evidence that you can use to detect, track and trace the loss of information.
You need to cover off the following:
- Event logging
- Protection of log information
- Administrator and operator logs
- Clock synchronisation
Here at Mango we have logs in place to track users on our systems and users on our product Mango. These logs are protected and backups are in place. Administrator logs are also captured.
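The four points above fit together: events are recorded, the records are protected from alteration, administrator actions are flagged so they can be reviewed separately, and timestamps are only trustworthy if the clocks agree. As an added example (written for this post, not code from Mango’s systems), the following Python builds an append-only log where each record is hash-chained to the previous one and sealed with an HMAC, so that an altered or deleted entry breaks verification, and rejects events whose own timestamp disagrees with the log server’s clock by more than an assumed tolerance. The signing key, host names, actors and the 300-second skew limit are constructed for illustration.

```python
import hashlib
import hmac
import json
import time
from datetime import datetime, timezone

# Constructed values for the demo; a real deployment keeps the key off the hosts that emit logs.
LOG_KEY = b"example-log-sealing-key-replace-me"
MAX_CLOCK_SKEW_SECONDS = 300  # assumed tolerance; hosts further out than this need their NTP fixed


def within_skew(event_ts: float, server_now: float) -> bool:
    """Clock synchronisation check: is the event's own timestamp close enough to ours?"""
    return abs(event_ts - server_now) <= MAX_CLOCK_SKEW_SECONDS


class ChainedLog:
    """Append-only event log: each record hashes the previous record's hash with its own
    payload, and an HMAC over that hash seals it against anyone without the key."""

    GENESIS = "0" * 64

    def __init__(self, key: bytes = LOG_KEY):
        self.key = key
        self.records = []
        self.prev_hash = self.GENESIS

    @staticmethod
    def _canonical(payload: dict) -> str:
        # Deterministic serialisation so the same event always hashes the same way.
        return json.dumps(payload, sort_keys=True, separators=(",", ":"))

    def _seal(self, prev_hash: str, payload: dict):
        entry_hash = hashlib.sha256((prev_hash + self._canonical(payload)).encode()).hexdigest()
        mac = hmac.new(self.key, entry_hash.encode(), hashlib.sha256).hexdigest()
        return entry_hash, mac

    def append(self, source: str, actor: str, action: str, is_admin: bool = False,
               event_ts: float = None, server_now: float = None) -> dict:
        """Record an event. Raises ValueError if the source's clock is out of tolerance."""
        server_now = time.time() if server_now is None else server_now
        event_ts = server_now if event_ts is None else event_ts
        if not within_skew(event_ts, server_now):
            raise ValueError(f"{source}: clock skew {abs(event_ts - server_now):.0f}s exceeds tolerance")
        payload = {
            "ts": event_ts,
            "iso": datetime.fromtimestamp(event_ts, tz=timezone.utc).isoformat(),
            "source": source,
            "actor": actor,
            "action": action,
            "admin": is_admin,  # administrator/operator actions are tagged for separate review
        }
        entry_hash, mac = self._seal(self.prev_hash, payload)
        record = {"payload": payload, "prev_hash": self.prev_hash, "hash": entry_hash, "mac": mac}
        self.records.append(record)
        self.prev_hash = entry_hash
        return record

    def verify(self):
        """Walk the chain from genesis. Returns (True, None) if intact, else (False, index of first bad record)."""
        prev = self.GENESIS
        for index, record in enumerate(self.records):
            expected_hash, expected_mac = self._seal(prev, record["payload"])
            if (record["prev_hash"] != prev or record["hash"] != expected_hash
                    or not hmac.compare_digest(record["mac"], expected_mac)):
                return False, index
            prev = expected_hash
        return True, None

    def admin_events(self) -> list:
        """The administrator/operator subset of the log, for periodic review."""
        return [r["payload"] for r in self.records if r["payload"]["admin"]]


if __name__ == "__main__":
    log = ChainedLog()
    log.append("web01", "alice", "login ok", event_ts=1000, server_now=1000)
    log.append("web01", "root", "useradd bob", is_admin=True, event_ts=1001, server_now=1000)
    print("intact:", log.verify(), "admin events:", len(log.admin_events()))
    log.records[0]["payload"]["actor"] = "mallory"  # simulate someone editing the stored log
    print("after tampering:", log.verify())
```

Verification only proves the log was not changed after sealing; it says nothing about events that were never written. Pair it with the backups mentioned above and with a clock alarm driven by the skew check, since a host drifting past the tolerance is itself worth an alert.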
A.12.5 Control of operational software
The objective of this small sub-clause is to control the installation of software on your operational systems, so that those systems are not compromised.
Here at Mango all new software must be approved by the Information Security Officer prior to purchase. Then post purchase there is a formal process to ensure the software doesn’t compromise the systems.
A.12.6 Technical vulnerability management
The objective of this sub-clause is to prevent the exploitation of any technical vulnerabilities. The clause covers two areas:
- Management of technical vulnerabilities
- Restrictions on software installation
Here at Mango this is a formal discussion point when we develop new features for Mango. It is also discussed when we make changes to the infrastructure.
A.12.7 Information systems audit considerations
The objective here is to minimise the impact of audit activities on operational systems. This is reasonably straightforward but can be overlooked.
Takeaways
- Document your operations security procedures in enough detail to ensure that information processing facilities are well managed.
- Ensure you have robust malware procedures in place to meet your needs.
- Create backup protocols that protect you from loss of data.
- Ensure you have logs as evidence that you can use to detect, track and trace the loss of information.
- Have some controls in place to manage when you install new software.
- Constantly discuss and analyse technical vulnerabilities.
View previous blogs in this series "ISO 27001 Information Security Management Standard":
Part 1 - Reasons why you need to meet this standard
Part 2 - Principle 1 - Analysing the Protection of Your Information and then Applying Controls
Part 3 - Principle 2 - Awareness of the Need for Information Security
Part 4 - Principle 3 - Assignment of Responsibility for Information Security
Part 5 - Principle 4 - Incorporating Management Commitment and the Interests of Stakeholders
Part 6 - Principle 5 - Enhancing Societal Values
Part 9 - Principle 8 - Active prevention and detection of information security incidents
Part 10 - Principle 9 - Ensuring a comprehensive approach to information security management
Part 12 - ISO 27001 Information Security Management Standard: Clauses 0, 0.1, 0.2, 1, 2 and 3
Part 13 - ISO 27001 Information Security Management Standard: Clauses 4.1, 4.2, 4.3 and 4.4
Part 14 - ISO 27001 Information Security Management Standard: Clause 5.1
Part 15 - ISO 27001 Information Security Management Standard: Clause 5.2
Part 16 - ISO 27001 Information Security Management Standard: Clause 5.3
Part 17 - ISO 27001 Information Security Management Standard: Clause 6.1
Part 18 - ISO 27001 Information Security Management Standard: Clause 6.2
Part 19 - ISO 27001 Information Security Management Standard: Clauses 7.1 - 7.4
Part 20 - ISO 27001 Information Security Management Standard: Clause 7.5
Part 21 - ISO 27001 Information Security Management Standard: Clauses 8.1, 8.2, 8.3
Part 22 - ISO 27001 Information Security Management Standard: Clauses 9.1, 9.2, 9.3
Part 23 - ISO 27001 Information Security Management Standard: Clauses 10.1, 10.2
Part 24 - ISO 27001 Information Security Management Standard: Clause A5
Part 25 - ISO 27001 Information Security Management Standard: Clause A6
Part 26 - ISO 27001 Information Security Management Standard: Clause A7
Part 27 - ISO 27001 Information Security Management Standard: Clause A8
Part 28 - ISO 27001 Information Security Management Standard: Clause A9
Part 29 - ISO 27001 Information Security Management Standard: Clause A10
Part 30 - ISO 27001 Information Security Management Standard: Clause A11