Part 31 - A12 Operations Security
This clause in the Annex of ISO 27001 is another really “meaty” clause that gets to the heart of preventing loss or availability, confidentiality and integrity of your information.
The clause is there to ensure that the operations in your information processing facilities are well controlled and well managed.
A.12.1 Operational procedures and responsibilities
Firstly this sub-clause has the objective here to ensure you have the correct and secure operations of your information processing facilities.
The standard requires you to cover off the following:
- Document your operating procedures.
- Ensure you use change management
- Conduct capacity management
- Separate your development, testing and operational environments
Here at Mango this was straight forward. We outsource our information processing facilities to an ISO 27001 certified hosting company. We worked closely with them to ensure all the security protocols were in place and are being managed well. The key here was to work out who is responsible for each step of the process. As long as that is agreed upon and clearly understood then we couldn’t really go wrong.
A.12.2 Protection from malware
The second sub-clause has the objective to ensure that your information processing facilities are protected against malware.
You need to ensure that you have controls for the detection, prevention and recovery against malware.
This area is crucial because phishing and credential harvesting are the most commonly reported information security threats to your business. We need to seek advice from experts here to make sure you get it right.
Here at Mango we put in a lot of effort with detecting and preventing malware. We discuss how we handle malware and phishing with the staff on an almost daily basis. It is certainly a topic on the monthly management meeting that all staff attend.
We need to keep on top of the malware and phishing threats because one slip will cause a lot of damage.
The third sub-clause is all about backups of your information systems. The objective of this sub-clause is to protect against loss of your data.
You need to ensure you have backup copies of your information, software and system images. The backups need to be taken and tested regularly.
Don’t forget that need to decide whether you need backups of your information. Some of your information is in the cloud. So make sure you check with your cloud providers on their backup policies.
At Mango our information processing facilities are all backed-up regularly. This is regularly monitored and tested by our IT staff.
A.12.4 Logging and monitoring
The objective of this sub-clause is to record events and generate evidence that you can use to detect, track and trace the loss of information.
You need to cover off the following:
- Event logging
- Protection of log information
- Administrator and operator logs
- Clock synchronisation
Here at Mango we have logs in place to track users on our systems and users on our product Mango. These logs are protected and backups are in place. Administrator logs are also captured.
A.12.5 Control of operational software
The objective here on this small sub-clause is to ensure to control the installation of software on your operational systems. This is to ensure your operation systems are not compromised.
Here at Mango all new software must be approved by the Information Security Officer prior to purchase. Then post purchase there is a formal process to ensure the software doesn’t compromise the systems.
A.12.6 Technical vulnerability management
The objective of this sub-clause is to prevent the exploitation of any technical vulnerabilities. The clause covers two areas:
- Management of technical vulnerabilities
- Restrictions on software installation
Here at Mango this is a formal discussion point when we develop new features for Mango. This is also discussed when we make changes to the infrastructure too.
A.12.7 Information systems audit considerations
The objective here is to minimise the impact of audit activities on operational systems. This is reasonably straight-forward but can be overlooked.
- Document your operations security procedures in enough detail to ensure that information processing facilities are well managed.
- Ensure you have robust malware procedures in place to meet your needs.
- Create backup protocols that protect you from loss of data.
- Ensure you have logs as evidence that you can use to detect, track and trace the loss of information.
- Have some controls in place to manage when you install new software.
- Constantly discuss and analyse for technical vulnerabilities.
View previous blogs in this series "ISO 27001 Information Security Management Standard":