View Categories

Operational Capabilities: The Backbone of Information Security

1 min read

In the world of information security, people often talk about management measures and controls. These measures are the building blocks of a security policy that helps organizations protect their information. But there is a deeper layer that is just as important: operational capabilities.

In this blog, we explain what operational capabilities (OCs) are and how they are classified according to ISO 27002:2022. We also explain why Brand Compliance bases its ISO 27001 audits on these capabilities rather than on individual controls.

Operational CapabilitiesWhat are operational capabilities?

Operational capabilities are an attribute to view controls from the perspective of professionals in information security capabilities. They can form the foundation upon which an organization’s security controls are built.

Operational capabilities include:

  • Technological resources: The hardware and software required to implement and support security measures.
  • Human resources: The skills, knowledge and availability of personnel to effectively manage and implement the required measures.
  • Operational processes: The procedures and workflows designed to implement security measures consistently and repeatedly.
  • Physical facilities: The physical security and environment in which IT systems are managed and stored.

What types of operational capabilities does the ISO 27002:2022 cover?

ISO 27002:2022 highlights a wide range of operational capabilities required for an effective information security management system (ISMS). The standard divides these capabilities into several categories.

Here are some examples:

  • Access to systems and data: Controlling who has access to systems and data, and under what circumstances.
  • Communication security: Protecting the integrity and confidentiality of information during transmission.
  • Incident management: The capabilities to detect, respond to and recover from security incidents.
  • Continuity management: The ability to continue critical functions in the event of a disruption or disaster.
  • Supplier management: Ensuring that third parties comply with the organization’s security requirements.

What is the relationship between operational capabilities and individual controls?

Individual management measures are specific actions or controls implemented to achieve a particular security objective. Operational capabilities provide the infrastructure and resources to make these management measures effective.

The effectiveness of measures depends on the quality of operational capabilities, such as:

  • The availability of trained personnel to manage and monitor access requests;
  • Processes for regularly reviewing and updating access rights;
  • Technologies that support multi-factor authentication.

Without the right OCs, management measures could fail, no matter how well designed on paper.

Auditing based on operational capabilities

Why did Brand Compliance change to auditing an ISMS based on operational capabilities rather than controls? Brand Compliance uses the operational capabilities framework to plan and report audits. Operational capabilities can also provide a more complete picture of the effectiveness of an information security management system.

By focusing audits on OCs, Brand Compliance provides a deeper and broader assessment of security within an organization, leading to a more resilient and secure operational environment.