+31 (0)73 220 2000 | info@brandcompliance.com
English
  • Dutch
  • English
  • Français
  • België
  • Dutch
  • English
  • Français
  • België
Brand Compliance
  • Certify
    • ISO 9001
    • ISO 22301 (BCM)
    • ISO 19770-1 (IT-assets)
    • ISO 27001
    • ISO 27017 and ISO 27018
    • BIO
    • ISO 27701 (Privacy)
    • NEN 7510
  • IT Assurance
    • SOC 2
  • Vacancies
  • Knowledge base
  • BC Academy
Discuss your situation
  • Information security
    • ISO 27001
    • NEN 7510
    • CyFun
      • CyFun verification
      • Request CyFun verification
    • ISO 27799
    • ISO 27017 and ISO 27018
    • BIO
    • ISO 19770-1
  • Privacy
    • BC 5701
    • ISO 27701
    • GDPR standard BC 5701:2024 EN
  • IT assurance
    • SOC 2
    • ISAE 3402
    • ISAE 3000
  • Quality & continuity
    • ISO 9001
    • ISO 14001
    • ISO 22301
  • Knowledge & news
    • Knowledge articles
    • News
  • Academy
    • All training courses
    • NIS2 & CyFun
    • ISO 27001
  • About us
    • Accreditations
    • Careers
    • Compliment, complaint or tip
    • Locations
    • Privacy Statement
    • Contact

Preparing for certification

6
  • Certification checklist: how to prepare for certification
  • Do you have your first certification audit soon?
  • The certification process step by step
  • How long does ISO certification take?
  • How to conduct an internal audit
  • Describing the scope of certification: tips and examples

Audit process & certification cycle

7
  • Initial audit Stage 1
  • Initial audit Stage 2
  • What is a certification cycle?
  • Nonconformities within the management system
  • What should you know about certificate suspension or revocation?
  • Transfer of certification
  • The use of certification logos

Management systems & key concepts

6
  • Whitepaper management system audits
  • Quality Management: best practices for success
  • The Brand Compliance glossary
  • What is a management system?
  • Internal or external audit?
  • Accreditation versus certification

Information security

3
  • Excelling in information security: best practices
  • Operational Capabilities: The Backbone of Information Security
  • The Traffic Light Protocol (TLP): what does it mean for you?

NEN 7510 & healthcare

4
  • Transition to NEN 7510-1:2024
  • NEN 7510 without healthcare institution?
  • How to expand with NEN 7510
  • The differences between ISO 27001 and NEN 7510

NIS2 & CyberFundamentals

5
  • ISO 27001 in a NIS2 context in Belgium
  • CyberFundamentals 2025: transition from CyFun 2023 to 2025
  • Self-assessment & CyFun verification: best chance of success
  • NIS2 liability for board members
  • CyberFundamentals Framework in Belgium: what is the relationship with NIS2?

Privacy & data protection

8
  • Transition to ISO/IEC 27701:2025
  • GDPR compliance best practices
  • Data breach: What is it and how do you prevent it?
  • Your Data Protection Officer and the GDPR
  • Your record of processing activities and the GDPR
  • Checklist for your BC 5701 certification
  • BC 5701 certification: where do you start?

Assurance audits

1
  • ISAE 3402 vs SOC 2: what is the difference?
View Categories

Operational Capabilities: The Backbone of Information Security

In the world of information security, people often talk about management measures and controls. These measures are the building blocks of a security policy that helps organizations protect their information. But there is a deeper layer that is just as important: operational capabilities.

In this blog, we explain what operational capabilities (OCs) are and how they are classified according to ISO 27002:2022. We also explain why Brand Compliance bases its ISO 27001 audits on these capabilities rather than on individual controls.

Operational CapabilitiesWhat are operational capabilities? #

Operational capabilities are an attribute to view controls from the perspective of professionals in information security capabilities. They can form the foundation upon which an organization’s security controls are built.

Operational capabilities include:

  • Technological resources: The hardware and software required to implement and support security measures.
  • Human resources: The skills, knowledge and availability of personnel to effectively manage and implement the required measures.
  • Operational processes: The procedures and workflows designed to implement security measures consistently and repeatedly.
  • Physical facilities: The physical security and environment in which IT systems are managed and stored.

What types of operational capabilities does the ISO 27002:2022 cover? #

ISO 27002:2022 highlights a wide range of operational capabilities required for an effective information security management system (ISMS). The standard divides these capabilities into several categories.

Here are some examples:

  • Access to systems and data: Controlling who has access to systems and data, and under what circumstances.
  • Communication security: Protecting the integrity and confidentiality of information during transmission.
  • Incident management: The capabilities to detect, respond to and recover from security incidents.
  • Continuity management: The ability to continue critical functions in the event of a disruption or disaster.
  • Supplier management: Ensuring that third parties comply with the organization’s security requirements.

What is the relationship between operational capabilities and individual controls? #

Individual management measures are specific actions or controls implemented to achieve a particular security objective. Operational capabilities provide the infrastructure and resources to make these management measures effective.

The effectiveness of measures depends on the quality of operational capabilities, such as:

  • The availability of trained personnel to manage and monitor access requests;
  • Processes for regularly reviewing and updating access rights;
  • Technologies that support multi-factor authentication.

Without the right OCs, management measures could fail, no matter how well designed on paper.

Auditing based on operational capabilities #

Why did Brand Compliance change to auditing an ISMS based on operational capabilities rather than controls? Brand Compliance uses the operational capabilities framework to plan and report audits. Operational capabilities can also provide a more complete picture of the effectiveness of an information security management system.

By focusing audits on OCs, Brand Compliance provides a deeper and broader assessment of security within an organization, leading to a more resilient and secure operational environment.

 

Share This Article :

  • Facebook
  • X
  • LinkedIn
Updated on 21 October 2024
Excelling in information security: best practicesThe Traffic Light Protocol (TLP): what does it mean for you?
Contents
  • What are operational capabilities?
  • What types of operational capabilities does the ISO 27002:2022 cover?
  • What is the relationship between operational capabilities and individual controls?
  • Auditing based on operational capabilities

Accreditation

RvA C548Brand Compliance B.V. has accreditation (C548) to certify ISO 27001, ISO 27701 NEN 7510 and ISO 9001 technical area 33 information technology and 35 other services.

View our accreditations

Contact

Have a question about certification, verification or assurance?

info@brandcompliance.com
+31 (0)73 220 2000

Prefer local contact details?
View our locations

Our locations

‘s-Hertogenbosch, The Netherlands

Antwerp, Belgium

Ottignies-Louvain-la-Neuve, Belgium

Stockholm, Sweden

Dublin, Ireland

Luxembourg, coming soon

Practical information

Privacy statement

Terms and conditions

Company details

Feedback and complaints

 

© Copyright 2026 Brand Compliance