By John Watt on Wednesday, 30 March 2022
Category: ISO27001 Information Security Management Systems

ISO27001 and the Annex Clauses – Clause A12 – Operations Security

Annex 12 – Operational Security for your ISO27001:2013 Information Security Management System (ISMS) is a pretty substantial clause, since it's all about preventing the loss of availability, integrity and, importantly, confidentiality of your business information. By substantial we mean there are 14 separate elements, each with controls for you to think about. As the Annex Clauses go, Annex A12 of the ISO27001:2013 standard is pretty important, since it's really about how you ensure that the operations side of your business is well managed. We'll walk you through the main points of each of the Annex 12 clauses below.

A.12.1 Operational procedures and responsibilities 

This is about the controls you need to be able to demonstrate in order to ensure correct and secure operations of information processing facilities. In other words, make sure you have the correct controls and security in place around the operations of your processing facilities. Keep in mind that a processing facility is anywhere you effectively manage the data.

A.12.2 Protection from malware

Annex Clause A12.2 is there to ensure you have controls in place around protecting your organisation from malware attacks. This includes the need to have methods and systems to handle detection, prevention and recovery controls.

A.12.3 Backup  

For whatever reason this always seems to be a weakness for a great many organisations, large and small. Companies tend to be good at creating backups, the first part of this ISO27001 annex clause. The second part, the regular testing of those backups to ensure they work, not so much. Here the standard is looking for you to have a clear policy around backups and processes for both making sure they happen and making sure they are tested.

A.12.4 Logging and monitoring 

The ISO27001 requirement for logging and monitoring events is about generating evidence of things in your system. It's not about spying on people but more about ensuring you have the evidence that you can use to find and figure out what losses or information issues you have. There are 4 elements you need to consider.

A.12.5 Control of operational software

In almost every organisation you find that people want to install their own software onto their systems. This carries a huge amount of risk, and so ISO27001 has a requirement that you have procedures in place around how you control the installation of software on systems. Not just for the ad hoc things people want but also the day-to-day software that the business uses legitimately. How often have you updated a software version only to find a new bug? That's what ISO27001 A12.5 is trying to stop.

A.12.6 Technical vulnerability management

These two controls are targeted at preventing the exploitation of any technical vulnerabilities within your systems. Both are really self-explanatory. Firstly, management of technical vulnerabilities, where you are responsible for understanding and finding out about those vulnerabilities and taking the necessary steps to mitigate them. Secondly, it's about having restrictions on software installation, where you want to ensure only authorised people can install software in your organisation.

A.12.7 Information systems audit considerations

The aim of this final requirement is to help the organisation as a whole. Clearly, to ensure your ISO27001 systems and processes are working you will have to run audits. Some of those audits can even be fully automated and happen in real time through management software. This clause however is very clear: "Audit requirements and activities involving verification of operational systems shall be carefully planned and agreed to minimise disruptions to business processes." I.e. do your audits, but give due consideration to not impacting the ongoing operations of the organisation.

It may seem like a lot of controls but then you have a fairly large responsibility to ensure that your ISO27001 system actually does provide value to the business in terms of the information security management system requirements. Only by having great controls in place from an operational view point can you really do this.
