Inverifi logo

ISO 27001

Annex A.12 controls - Operations Security

Get compliant with ISO 27001 – Annex A.12 and simplify compliance for your organisation.

Annex 12 is responsible for ensuring that information processing operations are sufficiently managed and controlled. Alignment with Annex 12 is essential to avoid any loss or unauthorised communication of valuable information.

A.12.1 – Operational procedures and responsibilities

To ensure information processing facilities are operating securely and correctly.

A.12.1.1 Documented operating procedures

There should be accessible documentation of all necessary operation procedures. The procedures should include:

  • Installation and settings
  • Back up
  • Instructions for handling errors
  • Support contacts in case of issues
  • Systems reboot and recovery procedures
  • System log information

A.12.1.2 Change management

To control any change in an organisation, its procedures, its information management facilities and information security systems. Any significant change should be identified and recorded. Impacts of these changes on information security should be assessed.  

A.12.1.3 Capacity management

To monitor the current system’s capacity and performance. In particular, data storage, processing power and bandwidth should be managed. This should be done to make sure that the current system is optimised and could be adapted to meet future requirements.

A.12.1.4 Separation of development, testing and operational environments

Testing, development and operational environments should be separate to lessen the risk of unauthorised access in key areas. To do this there must be clear definition and enforcement of the degree of separation.

A.12.2 – Protection from malware

To ensure that information processing facilities are protected from malware.

A.12.2.1 Controls against malware

To defend against malware, a combination of suitable user awareness, detection, prevention, and recovery controls should be considered. For example, updating anti-virus software and limiting the use of removable media.

A.12.3 – Backup

To protect against data loss.

A.12.3.1 Information backup

To ensure regular inspection and testing of backup copies of programs and records. The organisation should agree on a policy, which would define the requirements for retention and protection. There should also be ample backup facilities to ensure that all information can be restored in case of a disaster or system failure.

A.12.4 – Logging and monitoring

To ensure that all events are recorded with sufficient evidence.

A.12.4.1 Event logging

Event logs should be looked after and regularly reviewed. They should record user activity and any anomalies that could pose a security risk. They should include user IDs, date and times, successful and unsuccessful attempts to access the system.

A.12.4.2 Protection of log information

Only authorised users should be able to access log information. Unauthorised users should not be allowed to alter, edit, remove or overwrite any log files. To protect log information, copies should be made and stored outside the control of the system’s operator.

A.12.4.3 Administrator and operator logs

To monitor and log the activity of the system manager and operator. It is important to keep those logs safe, as they are under their direct control. This is done to make sure that privileged users are kept accountable. 

A.12.4.4 Clock synchronisation

To ensure that all clocks in relevant information management systems are connected to a single source of time.

A.12.5 – Control of operational software

To ensure the integrity of operating systems.

A.12.5.1 Installation of software on operational systems

To implement adequate procedures, covering control of the installation of software on operating systems. If unsupervised, downloads can lead to malware infections and file damage.  Only trained administrators should upgrade software, after management permission has been given.

A.12.6 – Technical vulnerability management

To ensure that technological vulnerabilities are not being exploited.

A.12.6.1 Management of technical vulnerabilities

To ensure that there is a continuous and regular check up identifying vulnerabilities. All technical vulnerabilities identified must be recorded and brought to the attention of the technical team to be assessed with a plan for appropriate measures to be taken.  Any actions should be carried out by following relevant procedures. 

A.12.6.2 Restrictions on software installation

To ensure that there are rules within the organisation for installing software. This is a step to make sure no unauthorised software is installed onto company systems. The organisation should also identify which types of software are permitted and which are forbidden. 

A.12.7 – Information systems audit considerations

To ensure that the impact of audit activities on operational systems is kept to a minimum.

A.12.7.1 Information systems audit controls

To ensure that a formal audit schedule is created. This is done so that the auditing process doesn’t impact or slow down business activities for too long. The scope and depth of the audit should be defined, and a clear plan should be developed for the best times to perform testing. Controls around sharing evidence and conduct of testing must also be defined and managed. This is  to make sure that information security controls are not impacted.