This article provides an overview of operations security as part of ISO 27002 compliance.

The objective of operational procedures and responsibilities is to ensure correct and secure operations of information processing facilities.

The objective of protection from malware is to ensure that information and information processing facilities are protected against malware.

The objective of backup is to protect against loss of data.

The objective of logging and monitoring is to record events and generate evidence.

The objective of control of operational software is to ensure the integrity of operational systems.

The objective of technical vulnerability management is to prevent exploitation of technical vulnerabilities.

The objective of information systems audit considerations is to minimise the impact of audit activities on operational systems.

Operational procedures and responsibilities:

  1. Documented operating procedures – operating procedures should be documented and made available to all users who need them.
  2. Change management – changes to the organisation, business processes, information processing facilities and systems that affect information security should be controlled.
  3. Capacity management – the use of resources should be monitored, tuned and projections made of future capacity requirements to ensure the required system performance.
  4. Separation of development, testing and operational environments – development, testing and operational environments should be separated to reduce the risks of unauthorised access or changes to the operational environment.

Protection from malware:

  1. Controls against malware – detection, prevention and recovery controls to protect against malware should be implemented, combined with appropriate user awareness.

Backup:

  1. Information backup – backup copies of information, software and system images should be taken and tested regularly in accordance with an agreed backup policy. A backup policy should be established to define the organisation’s requirements for backup of information, software and systems, including the retention and protection requirements.

Logging and monitoring:

  1. Event logging – event logs recording user activities, exceptions, faults and information security events should be produced, kept and regularly reviewed.
  2. Protection of log information – logging facilities and log information should be protected against tampering and unauthorised access.
  3. Administrator and operator logs – system administrator and system operator activities should be logged and the logs protected and regularly reviewed.
  4. Clock synchronisation – the clocks of all relevant information processing systems within an organisation or security domain should be synchronised to a single reference time source.

Control of operational software:

  1. Installation of software on operational systems – procedures should be implemented to control the installation of software on operational systems.

Technical vulnerability management:

  1. Management of technical vulnerabilities – information about technical vulnerabilities of information systems being used should be obtained in a timely fashion, the organisation’s exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk.
  2. Restrictions on software installation – rules governing the installation of software by users should be established and implemented.

Information systems audit considerations:

  1. Information systems audit controls – audit requirements and activities involving verification of operational systems should be carefully planned and agreed to minimise disruptions to business processes.

For more information please contact Morland-Austin at