In the beginner’s guide to ISO 27001 Operations you will learn
- what Operations is
- how to implement Operations
- examples of Operations
I am Stuart Barker, the ISO 27001 Ninja and author of the Ultimate ISO 27001 Toolkit.
What is Operations?
Operations is about the need to plan and control the processes necessary to meet your information security objectives and to manage your risks.
Documented processes fall into two categories:
- documented processes for the information security management system (the ISMS),
- documented processes that support the Annex A controls.
By doing this you can:
- Ensure Consistency: the single biggest reason to implement operations and document everything is so that you have process maturity and are consistent in your approach.
- Evidence effective operation of information security: by implementing operations you will have evidence of the management of information security and the measures and monitors that show that it is effective.
- Reduce errors: by having operations you are able to reduce errors by being consistent and continually improve and adapt as things change.
Key Principles
- Processes are documented: the information security management system (ISMS) and business operations are documented. This is about having business process maturity, which means having documented processes and a standardised way of operating that is performed in the same way irrespective of who operates the process. The output of the process is also the same irrespective of who operates it.
- Documentation is available: documentation is available to those who need it, when they need it, including the inputs and outputs such as management reports.
Example Records of Evidence
Examples of records that processes can generate include:
- internal audit reports
- external audit reports
- IT management reports
- antivirus status reports
- patching status reports
- asset inventory
- the number of new users
- help desk statistic reports
Implementation Checklist
The following is a checklist for implementation. These are the questions to ask yourself:
- Do you have the process?
- Is it documented?
- Does it meet the documentation requirements of the standard?
- Do you know what the inputs are?
- Can you show those inputs on a regular basis?
- Can you show the outputs on a regular basis?
- Do you have evidence of those?
ISO 27001 requirement for Operations
The ISO 27001 standard specifically addresses Operations in:
ISO 27001 Clause 8.1 Operational Planning and Control
ISO 27001 Annex A 5.37 Documented operating procedures
How to implement Operations
For a detailed guide on how to implement Operations, read the implementation guides.