Get compliant with ISO 27001 – Annex A.12 and simplify compliance for your organisation.
Annex A.12 sets out the controls that ensure information processing operations are properly managed and controlled. Alignment with Annex A.12 is essential to avoid any loss or unauthorised disclosure of valuable information.
To ensure information processing facilities are operating securely and correctly.
There should be accessible documentation of all necessary operating procedures. The procedures should include:
To control changes to the organisation, its procedures, its information processing facilities and its information security systems. Any significant change should be identified and recorded, and its impact on information security should be assessed.
To monitor the capacity and performance of current systems. In particular, data storage, processing power and bandwidth should be managed so that current systems are optimised and can be adapted to meet future requirements.
Development, testing and operational environments should be separated to reduce the risk of unauthorised access to key areas. The degree of separation must be clearly defined and enforced.
To ensure that information processing facilities are protected from malware.
To defend against malware, a combination of user awareness, detection, prevention and recovery controls should be considered, for example keeping anti-virus software up to date and restricting the use of removable media.
To protect against data loss.
To ensure that backup copies of programs and records are regularly inspected and tested. The organisation should agree a backup policy that defines the requirements for retention and protection. There should also be adequate backup facilities so that all information can be restored after a disaster or system failure.
To ensure that all events are recorded with sufficient evidence.
Event logs should be maintained and regularly reviewed. They should record user activity and any anomalies that could pose a security risk, and should include user IDs, dates and times, and both successful and unsuccessful attempts to access the system.
Only authorised users should be able to access log information, and unauthorised users must not be able to alter, edit, remove or overwrite any log files. To protect log information, copies should be made and stored outside the control of the system’s operator.
To monitor and log the activity of system managers and operators. These logs must be kept safe, because the users whose activity they record would otherwise have direct control over them. This keeps privileged users accountable.
To ensure that the clocks of all relevant information processing systems are synchronised to a single reference time source.
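As an added illustration of the logging controls above (example code, not from Inverifi or the ISO standard), the snippet below checks constructed sample events for the fields the text names (user ID, date and time, outcome of the access attempt) and stores the records as a hash chain, so that a later alteration or deletion of any entry, including by a privileged user, is detectable when the off-system copy is verified. Field names and sample values are assumptions for the example.

```python
import hashlib
import json
from datetime import datetime

# Minimum fields an event should carry (assumed names for this example)
REQUIRED = ("user_id", "timestamp", "action", "outcome")
GENESIS = "0" * 64  # seed digest for the first link of the chain

# Constructed sample events; not taken from any real system
SAMPLE_EVENTS = [
    {"user_id": "alice", "timestamp": "2023-05-01T08:00:00Z", "action": "login", "outcome": "success"},
    {"user_id": "bob", "timestamp": "2023-05-01T08:05:00Z", "action": "login", "outcome": "failure"},
    {"user_id": "carol", "timestamp": "2023-05-01T08:06:00Z", "action": "read_file"},
]

def validate_event(event):
    """Return a list of problems; an empty list means the event meets the minimum."""
    problems = [f"missing {field}" for field in REQUIRED if field not in event]
    if "timestamp" in event:
        try:  # require a parseable ISO 8601 date and time
            datetime.fromisoformat(event["timestamp"].replace("Z", "+00:00"))
        except ValueError:
            problems.append("bad timestamp")
    if event.get("outcome") not in (None, "success", "failure"):
        problems.append("bad outcome")
    return problems

def chain_events(events, seed=GENESIS):
    """Build an append-only hash chain: each record commits to the previous digest."""
    prev, chained = seed, []
    for event in events:
        payload = json.dumps(event, sort_keys=True)
        digest = hashlib.sha256((prev + payload).encode()).hexdigest()
        chained.append({"event": event, "prev": prev, "digest": digest})
        prev = digest
    return chained

def verify_chain(chained, seed=GENESIS):
    """Return the index of the first broken link, or -1 if the chain is intact."""
    prev = seed
    for i, rec in enumerate(chained):
        payload = json.dumps(rec["event"], sort_keys=True)
        expected = hashlib.sha256((prev + payload).encode()).hexdigest()
        if rec["prev"] != prev or rec["digest"] != expected:
            return i  # edited, reordered or deleted record detected here
        prev = expected
    return -1
```

Run `verify_chain` against the copy held outside the operator's control; a non-negative result points at the first record that no longer matches what was originally written.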
To ensure the integrity of operating systems.
To implement adequate procedures controlling the installation of software on operational systems. Unsupervised downloads can lead to malware infections and file damage. Only trained administrators should upgrade software, and only after management approval has been given.
To ensure that technological vulnerabilities are not being exploited.
To ensure that there are continuous and regular checks that identify vulnerabilities. All technical vulnerabilities identified must be recorded and brought to the attention of the technical team, which assesses them and plans the appropriate measures. Any actions should be carried out in accordance with the relevant procedures.
To ensure that the organisation has rules for installing software, so that no unauthorised software is installed on company systems. The organisation should also identify which types of software are permitted and which are forbidden.
To ensure that the impact of audit activities on operational systems is kept to a minimum.
To ensure that a formal audit schedule is created, so that auditing does not disrupt or slow down business activities for longer than necessary. The scope and depth of the audit should be defined, and a clear plan developed for the best times to perform testing. Controls around sharing evidence and the conduct of testing must also be defined and managed, so that information security controls are not impacted.
© Copyright Inverifi 2023, All rights reserved. Registered in England, No: 06959535, +44 20 4574 9908