Recognizing the Importance of Operational Security


Operational security is crucial – but it’s not always appreciated and is often challenging to execute. As organizations learn to adjust to the new and unprecedented challenge of widespread remote working, they’ll continue to experience significant information security challenges. Those that have already prioritized information security, perhaps as part of their wider business continuity strategy, will stand a good chance of adapting to effectively manage risk.

Effective operational security has never been more important: the unexpected shift to remote working raises the question of how information processing facilities can operate correctly and remain secure. This is one area where ISO 27001 certification provides an effective solution.

ISO 27001 is an international standard that defines the requirements for an Information Security Management System (ISMS). The requirements are broad and feature controls that relate to operational security. When organizations are audited against ISO 27001, some of the most common nonconformities relate to operational security.

Defining Your Context

You must identify interested parties so their needs can be adequately addressed. For example, if you’re part of a supply chain, your partners’ risk appetite could impact your own operational security strategy. This applies to all organizations that rely on suppliers for operational services.

Although interested parties and their requirements are many and varied, their collective impact can greatly influence decision-makers and the overall approach to information security.

This is an important consideration both when developing operational security processes and in the wider design of an ISMS. Although defining your context is generally a relatively stable, strategic process, events like COVID-19 carry a significant impact. We’ve seen many organizations change their product and service portfolio in response to it, either to focus on core priorities or to offer new services to aid with the collective relief effort. This introduces new risks.

Achieving Effective Operational Security

The ISO 27001 requirements around operational security are broad, essentially forming a package of measures that must all be addressed. Organizational response to these requirements is typically established through documented procedures or workflow tools which define resource needs and provide management with insight into control performance.

Generally speaking, no one requirement is more important than another. Every organization is different and focus areas are dependent on what an organization does and how it operates. For example, one organization may operate stricter controls over ‘restrictions on software installation’ than others.

Change Management

Organizations are frequently operating more interdependent information processing systems, and understanding the impact of changes is important for reducing undesired events. To minimize these events, processes are required to ensure that changes are necessary, effective, and authorized before being deployed.



The design of change management procedures depends on your organization – they need to be appropriate but shouldn’t be overly complicated. For some, it could be a simple case of providing a basic audit trail of any changes along with version control. For other more complex changes, advanced change management processes are required with more input, scrutiny, and investment.

The collective COVID-19 response has significantly tested these processes, and the way organizations have established home working environments at pace has been impressive. That said, hasty implementation at scale can expose inherent process weaknesses, so now is the perfect time to conduct an internal audit to make sure that rapid deployments were completed consistently.

Technical Vulnerability Management

Information security breaches and cyber-attacks are more frequent and damaging than ever. As organizations become more data-rich, proportionate vulnerability management processes must be in place if they are to adopt new technology at a rapid rate. Vulnerabilities must also be identified in a timely manner and their impact assessed in order to implement an effective risk treatment plan. This process is central to an ISO 27001-compliant ISMS.

Depending on IT infrastructure complexity, identifying vulnerabilities and rolling out patches and updates can be difficult to define within your ISMS. There must also be a balance between quick deployment and sufficient testing. Even if it’s only a development asset, your process should ask key questions like:

  • Is the asset in the desired state?
  • Has this state been defined to ensure the control is implemented as planned?
  • Is the roll-out on track or taking longer than intended?

Adjusting to a Changing World of Work

For companies already ISO 27001 certified, the shift to home-based working will have represented a true test of operational security measures and processes. This is because a distributed workforce has pushed the organizational security boundary into people’s homes. Although this reduces the risks of office outage, it increases the threat of unauthorized asset access or malware infection.

Ultimately, ISO 27001 certification gives compliant organizations a robust method of managing these new risks from an information security perspective.
