{"id":21464,"date":"2024-10-01T16:32:52","date_gmt":"2024-10-01T14:32:52","guid":{"rendered":"https:\/\/brandcompliance.com\/?post_type=docs&#038;p=21464"},"modified":"2024-10-21T15:10:11","modified_gmt":"2024-10-21T13:10:11","password":"","slug":"operational-capabilities","status":"publish","type":"docs","link":"https:\/\/brandcompliance.com\/en\/docs\/operational-capabilities\/","title":{"rendered":"Operational Capabilities: The Backbone of Information Security"},"content":{"rendered":"<p>In the world of information security, people often talk about management measures and controls. These measures are the building blocks of a security policy that helps an organization protect its information. Beneath them lies a layer that matters just as much: operational capabilities.<\/p>\n<p>This article explains what operational capabilities (OCs) are and how ISO 27002:2022 classifies them. It also explains why Brand Compliance plans and reports its ISO 27001 audits around these capabilities rather than around individual controls.<\/p>\n<h2>What are operational capabilities?<\/h2>\n<p>ISO 27002:2022 tags every control with a set of attributes. Operational capability is the attribute that views a control from the practitioner&#8217;s perspective: it names the information security capability an organization must have in order to operate that control. Seen this way, operational capabilities form the foundation on which an organization&#8217;s security controls are built.<\/p>\n<p>In practice, an operational capability draws on:<\/p>\n<ul>\n<li>Technological resources: the hardware and software required to implement and support security measures.<\/li>\n<li>Human resources: the skills, knowledge and availability of personnel to manage and implement the required measures effectively.<\/li>\n<li>Operational processes: the procedures and workflows that implement security measures consistently and repeatably.<\/li>\n<li>Physical facilities: the physical security of the environment in which IT systems are housed and managed.<\/li>\n<\/ul>\n<h2>What types of operational capabilities does ISO 27002:2022 cover?<\/h2>\n<p>ISO 27002:2022 assigns each control to one or more operational capabilities that an effective information security <a href=\"https:\/\/brandcompliance.com\/en\/docs\/what-is-a-management-system\/\">management system<\/a> (ISMS) needs. The standard distinguishes fifteen capability values, ranging from governance and asset management to legal and compliance and information security assurance.<\/p>\n<p>Some examples, with the names the standard uses:<\/p>\n<ul>\n<li>Identity and access management: controlling who has access to systems and data, and under what circumstances.<\/li>\n<li>System and network security: protecting the confidentiality and integrity of information in transit and of the systems and networks that carry it.<\/li>\n<li>Information security event management: detecting, responding to and recovering from security incidents.<\/li>\n<li>Continuity: keeping critical functions running during a disruption or disaster.<\/li>\n<li>Supplier relationships security: ensuring that third parties meet the organization&#8217;s security requirements.<\/li>\n<\/ul>\n<h2>What is the relationship between operational capabilities and individual controls?<\/h2>\n<p>An individual control is a specific measure implemented to achieve a particular security objective. Operational capabilities supply the people, processes and technology that make that control effective. Take access control as an example: the control only works if the organization has<\/p>\n<ul>\n<li>trained personnel available to handle and monitor access requests;<\/li>\n<li>a process for regularly reviewing and revoking access rights;<\/li>\n<li>technology that supports multi-factor authentication.<\/li>\n<\/ul>\n<p>Without the right OCs a control can fail, however well it is designed on paper.<\/p>\n<h2>Auditing based on operational capabilities<\/h2>\n<p>Why did Brand Compliance move from auditing an ISMS control by control to auditing it by operational capability? Brand Compliance uses the operational capabilities attribute to plan and report its audits because a capability spans several related controls at once, which gives a more complete picture of whether the ISMS is effective than checking each control in isolation.<\/p>\n<p>By focusing <a href=\"https:\/\/brandcompliance.com\/en\/docs\/internal-or-external-audit\/\">audits<\/a> on OCs, Brand Compliance delivers a deeper and broader assessment of security within an organization, which in turn leads to a more resilient and secure operational environment.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In the world of information security, people often talk about management measures and controls.
These measures are the building blocks of a security policy that&#8230;<\/p>\n","protected":false},"author":6,"featured_media":21465,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_acf_changed":false,"footnotes":""},"doc_category":[2345],"doc_tag":[],"class_list":["post-21464","docs","type-docs","status-publish","has-post-thumbnail","hentry","doc_category-audits-information-security"],"acf":[],"year_month":"2026-04","word_count":451,"total_views":"3047","reactions":{"happy":"0","normal":"0","sad":"0"},"author_info":{"name":"Anika","author_nicename":"anika","author_url":"https:\/\/brandcompliance.com\/en\/author\/anika\/"},"doc_category_info":[{"term_name":"Audits information security","term_url":"https:\/\/brandcompliance.com\/en\/docs-category\/audits-information-security\/"}],"doc_tag_info":[],"knowledge_base_info":[],"knowledge_base_slug":[],"_links":{"self":[{"href":"https:\/\/brandcompliance.com\/en\/wp-json\/wp\/v2\/docs\/21464","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/brandcompliance.com\/en\/wp-json\/wp\/v2\/docs"}],"about":[{"href":"https:\/\/brandcompliance.com\/en\/wp-json\/wp\/v2\/types\/docs"}],"author":[{"embeddable":true,"href":"https:\/\/brandcompliance.com\/en\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/brandcompliance.com\/en\/wp-json\/wp\/v2\/comments?post=21464"}],"version-history":[{"count":0,"href":"https:\/\/brandcompliance.com\/en\/wp-json\/wp\/v2\/docs\/21464\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/brandcompliance.com\/en\/wp-json\/wp\/v2\/media\/21465"}],"wp:attachment":[{"href":"https:\/\/brandcompliance.com\/en\/wp-json\/wp\/v2\/media?parent=21464"}],"wp:term":[{"taxonomy":"doc_category","embeddable":true,"href":"https:\/\/brandcompliance.com\/en\/wp-json\/wp\/v2\/doc_category?post=21464"},{"taxonomy":"doc_tag","embeddable":true,"href":"https:\/\/brandcompliance.com\/en\/wp-json\/wp\/v2\/doc_tag?post=21464"}],"curies":[{"nam
e":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}