ISO 27001:2022 Operational Capabilities
The ISO 27001 standard includes attributes that allow organizations to create structured views of controls. One of these attributes, “Operational Capabilities,” groups controls based on the functional areas of security management. This approach complements other ISO 27001 processes such as risk assessment, continuous improvement, and performance evaluation.

Governance
5. Organizational
A.5.01 | Policies for information security |
A.5.02 | Information security roles and responsibilities |
A.5.03 | Segregation of duties |
A.5.04 | Management responsibilities |
A.5.05 | Contact with authorities |
A.5.06 | Contact with special interest groups |
A.5.08 | Information security in project management |
A.5.24 | Information security incident management responsibilities and preparation |
6. People
N/A
7. Physical
N/A
8. Technological
N/A
Asset Management
5. Organizational
7. Physical
Information Protection
5. Organizational
7. Physical
N/A
Human Resource Security
5. Organizational
N/A
6. People
7. Physical
N/A
8. Technological
N/A
Physical Security
5. Organizational
A.5.37 | Documented operating procedures |
6. People
A.6.7 | Remote working |
7. Physical
A.7.01 | Physical security perimeter |
A.7.02 | Physical entry |
A.7.03 | Securing offices, rooms and facilities |
A.7.04 | Physical security monitoring |
A.7.05 | Protecting against physical and environmental threats |
A.7.06 | Working in secure areas |
A.7.07 | Clear desk and clear screen |
A.7.08 | Equipment siting and protection |
A.7.09 | Security of assets off-premises |
A.7.10 | Storage media |
A.7.11 | Supporting utilities |
A.7.12 | Cabling security |
A.7.13 | Equipment maintenance |
A.7.14 | Secure disposal or re-use of equipment |
8. Technological
N/A
System and Network Security
5. Organizational
A.5.37 | Documented operating procedures |
6. People
A.6.7 | Remote working |
7. Physical
N/A
8. Technological
A.8.07 | Protection against malware |
A.8.18 | Use of privileged utility programs |
A.8.20 | Network security |
A.8.21 | Security of network services |
A.8.22 | Segregation of networks |
A.8.23 | Web filtering |
A.8.25 | Secure development lifecycle |
A.8.26 | Application security requirements |
A.8.27 | Secure system architecture and engineering principles |
A.8.28 | Secure coding |
A.8.29 | Security testing in development and acceptance |
A.8.30 | Outsourced development |
A.8.31 | Separation of development, test and production environments |
A.8.32 | Change management |
A.8.34 | Protection of information systems during audit and testing |
Application Security
5. Organizational
A.5.37 | Documented operating procedures |
6. People
N/A
7. Physical
N/A
8. Technological
A.8.04 | Access to source code |
A.8.18 | Use of privileged utility programs |
A.8.19 | Installation of software on operational systems |
A.8.25 | Secure development lifecycle |
A.8.26 | Application security requirements |
A.8.27 | Secure system architecture and engineering principles |
A.8.28 | Secure coding |
A.8.29 | Security testing in development and acceptance |
A.8.30 | Outsourced development |
A.8.31 | Separation of development, test and production environments |
A.8.32 | Change management |
Secure Configuration
Identity and Access Management
Continuity
Supplier Relationships Security
Legal and Compliance
5. Organizational
6. People
N/A
7. Physical
N/A
8. Technological
N/A
Information Security Event Management
Introduction to Operational Capabilities in ISO 27001
Operational Capabilities in ISO 27001 provide a practitioner-focused way to categorize and manage security controls. When you classify controls according to operational functions, you can improve clarity, accountability, and effectiveness in your organization’s security approach. This categorization aligns security tasks with your team’s day-to-day responsibilities.
Using the Operational Capabilities attribute, you can manage a diverse range of security measures in a coordinated manner. Each capability aligns with a set of controls in Annex A, helping your organization decide how best to deploy and monitor those controls.
15 Operational Capabilities
Below is a detailed exploration of the 15 Operational Capabilities as defined by ISO 27001. Each capability represents a key functional area where security controls can be grouped and managed. Viewing controls through these categories can help your organization assign responsibilities more effectively and ensure complete coverage of information security needs.
1. Governance
Definition
Governance provides the strategic framework that guides information security activities. It covers policies, roles, and decision-making processes that define how security objectives align with overall business goals.
Key Considerations
- Leadership Commitment: Management must demonstrate support through resource allocation and consistent communication.
- Strategic Alignment: Security objectives should directly support organizational goals.
- Policy Framework: Create and maintain policies for risk management, acceptable use, and data classification.
Example Controls
- Establishing a formal Information Security Policy and ensuring it is reviewed regularly.
- Defining roles such as a Chief Information Security Officer (CISO) or security committee.
- Implementing a governance structure that includes periodic management reviews.
2. Asset Management
Definition
Asset Management addresses how your organization identifies, classifies, tracks, and protects information assets, which can include data, software, and hardware.
Key Considerations
- Identification: Develop an inventory that captures each asset’s type, location, and owner.
- Classification: Categorize assets according to sensitivity or criticality.
- Lifecycle Management: Incorporate secure handling procedures from acquisition to disposal.
Example Controls
- Maintaining an up-to-date asset register with defined owners.
- Labeling documents and media based on classification levels.
- Securing asset disposal or recycling to prevent unauthorized data recovery.
3. Information Protection
Definition
Information Protection involves safeguarding data in all forms, whether stored, in transit, or in use. This capability ensures that confidentiality, integrity, and availability remain intact throughout the data lifecycle.
Key Considerations
- Data Encryption: Use encryption methods to protect sensitive information.
- Data Handling Guidelines: Provide clear instructions on how to store, transfer, and share information.
- Access Controls: Ensure only authorized personnel can view or modify specific data.
Example Controls
- Encrypting data at rest on servers and backup media.
- Applying secure file transfer protocols (SFTP or HTTPS).
- Employing data loss prevention (DLP) solutions to monitor data movement.
4. Human Resource Security
Definition
Human Resource Security focuses on people-related aspects of your security program. It spans from hiring practices to ongoing training and termination procedures.
Key Considerations
- Pre-Employment Screening: Follow relevant regulations for background checks.
- Security Awareness: Provide regular, role-based training on security policies.
- Termination or Role Change: Revoke or adjust access rights as soon as an employee leaves or changes position.
Example Controls
- Conducting reference checks and verifying professional credentials for new hires.
- Running mandatory security briefings for all staff and contractors.
- Deleting or updating user accounts immediately upon role change or departure.
5. Physical Security
Definition
Physical Security protects your facilities, hardware, and infrastructure from unauthorized physical access, damage, or interference.
Key Considerations
- Perimeter Defenses: Use gates, fences, and security guards where necessary.
- Controlled Access: Employ locks, biometric systems, or smart cards for secure areas.
- Environmental Controls: Monitor temperature, humidity, and fire detection systems.
Example Controls
- Logging visitor entry and exit through a reception desk or electronic system.
- Installing CCTV cameras in critical areas such as server rooms.
- Testing fire suppression systems and emergency power supplies regularly.
6. System and Network Security
Definition
System and Network Security includes measures that protect the technical infrastructure supporting your organization’s operations.
Key Considerations
- Network Segmentation: Divide your network into zones (e.g., internal, DMZ, guest) to reduce lateral movement in case of a breach.
- Intrusion Detection and Prevention: Monitor network traffic for malicious activity.
- Secure Communication: Use VPNs for remote access and encrypted protocols where possible.
Example Controls
- Configuring firewalls with strict inbound and outbound rules.
- Deploying intrusion detection systems (IDS) or intrusion prevention systems (IPS).
- Implementing secure remote access solutions, like a virtual private network.
7. Application Security
Definition
Application Security focuses on building and maintaining secure software, including websites, mobile apps, and internally developed applications.
Key Considerations
- Secure Development Lifecycle (SDLC): Embed security checks during design, coding, testing, and deployment.
- Code Review and Testing: Perform static and dynamic code analyses to catch vulnerabilities.
- Patch Management: Update applications to address discovered weaknesses.
Example Controls
- Establishing secure coding guidelines based on best practices.
- Running penetration tests on high-risk or externally facing applications.
- Using automated tools to scan code repositories for known security flaws.
8. Secure Configuration
Definition
Secure Configuration involves defining and maintaining secure settings for servers, workstations, mobile devices, and other systems.
Key Considerations
- Baseline Standards: Document and maintain a set of secure defaults for various system types.
- Configuration Management: Control changes to configuration to prevent drifting into insecure states.
- Hardening: Remove unnecessary software, disable unneeded ports, and close default accounts.
Example Controls
- Applying standardized images for new system deployments.
- Conducting regular configuration audits using automated scripts.
- Establishing a change control process to review and approve configuration updates.
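As an added example (not code from the page or from ISO), the following Python script shows the kind of automated configuration audit referred to above: it parses a constructed sshd_config-style file, compares each setting with a documented baseline, and reports drift ordered by severity so the findings can be fed into the change control process. The baseline values, the sample configuration and the two severity levels are assumptions made for this example, not a published benchmark.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class BaselineRule:
    key: str        # setting name as written in the config file
    expected: str   # value the documented secure baseline requires
    severity: str   # "high" or "medium": drives remediation priority
    rationale: str  # why the baseline requires this value


# Constructed baseline for a hypothetical "linux-server" system type. This is an
# assumption for the example, not a published benchmark; a real baseline would be
# the one your organization documents under its Baseline Standards.
SSHD_BASELINE = (
    BaselineRule("PermitRootLogin", "no", "high", "no direct root logins over SSH"),
    BaselineRule("PasswordAuthentication", "no", "high", "keys only; removes password guessing"),
    BaselineRule("X11Forwarding", "no", "medium", "unneeded feature; reduces attack surface"),
    BaselineRule("MaxAuthTries", "4", "medium", "limits authentication attempts per connection"),
    BaselineRule("LogLevel", "VERBOSE", "medium", "records key fingerprints for auth auditing"),
)

SEVERITY_ORDER = {"high": 0, "medium": 1}


def parse_sshd_config(text: str) -> dict[str, str]:
    """Parse an OpenSSH-style 'Keyword value' file into a dict keyed by lowercase keyword.

    Blank lines and lines starting with '#' are ignored. For a repeated keyword the
    first occurrence wins, which matches how sshd resolves duplicates. Match blocks
    are not handled here (their settings would be read as global ones).
    """
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def audit(settings: dict[str, str], baseline=SSHD_BASELINE) -> list[dict]:
    """Compare parsed settings against the baseline; return drift findings, high severity first.

    A setting that is absent is reported too: the daemon's compiled-in default then
    applies, and the baseline may not accept that default.
    """
    findings = []
    for rule in baseline:
        actual = settings.get(rule.key.lower())
        if actual is not None and actual.lower() == rule.expected.lower():
            continue  # compliant
        findings.append({
            "setting": rule.key,
            "expected": rule.expected,
            "actual": actual,
            "status": "drift" if actual is not None else "not set (default applies)",
            "severity": rule.severity,
            "why": rule.rationale,
        })
    findings.sort(key=lambda f: SEVERITY_ORDER[f["severity"]])  # stable: baseline order within a level
    return findings


# Constructed sample of a config pulled from a build image; not a real host's file.
SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed sample)
Port 22
# left over from initial provisioning:
PermitRootLogin yes
PasswordAuthentication no
X11Forwarding yes
MaxAuthTries 6
"""


def run_example() -> list[dict]:
    return audit(parse_sshd_config(SAMPLE_SSHD_CONFIG))


if __name__ == "__main__":
    for f in run_example():
        print(f"[{f['severity']}] {f['setting']}: expected {f['expected']!r}, "
              f"got {f['actual']!r} ({f['status']}) - {f['why']}")
```

Run against a fleet, the same `audit` call per host gives a drift list that doubles as evidence for the audit trail: what was expected, what was observed, and why the baseline cares. The unset case is reported deliberately, because a missing line silently inherits the software default rather than the documented standard.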
9. Identity and Access Management
Definition
Identity and Access Management (IAM) governs how users are authenticated and authorized to access various systems and data.
Key Considerations
- Credential Management: Store passwords securely and enforce rotation or expiration policies.
- Access Provisioning: Grant permissions based on the user’s role and responsibilities.
- Multifactor Authentication: Add an extra layer of security for high-risk applications or data.
Example Controls
- Enforcing strong password policies and providing password managers.
- Revisiting user access rights periodically to match job roles.
- Utilizing single sign-on (SSO) where feasible to reduce complexity.
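The periodic access review listed above is straightforward to automate once role baselines exist. The following Python script is an added example (not from the page or any standard): it compares what each account actually holds with what its role allows, flags accounts with no current role (leavers whose access was never revoked), reports excess entitlements, and checks a small set of segregation-of-duties rules. The role baseline, entitlement names, rules and the account export are all constructed for this example.

```python
from __future__ import annotations

from dataclasses import dataclass

# Role-to-entitlement baseline (constructed for this example; an assumption, not a
# standard's content). Entitlement names are hypothetical.
ROLE_BASELINE: dict[str, set[str]] = {
    "developer": {"git:read", "git:write", "ci:run"},
    "sre": {"git:read", "ci:run", "prod:ssh", "prod:deploy"},
    "finance": {"erp:read", "erp:post"},
}

# Segregation-of-duties rules (constructed): holding every entitlement on the left
# together with every entitlement on the right is a conflict.
SOD_RULES: list[tuple[set[str], set[str]]] = [
    ({"erp:post"}, {"erp:approve"}),     # entering and approving the same transaction
    ({"git:write"}, {"prod:deploy"}),    # writing code and pushing it to production
]


@dataclass(frozen=True)
class Account:
    user: str
    role: str | None          # None: no active HR record, i.e. the person has left
    entitlements: frozenset[str]


def review_access(accounts, baseline=ROLE_BASELINE, sod_rules=SOD_RULES) -> dict[str, list]:
    """Periodic access review: compare what each account holds with what its role allows.

    Returns three finding lists:
      orphaned: users with no current role (account should have been disabled at departure)
      excess:   (user, entitlements) granted beyond the role baseline
      sod:      (user, entitlements) that together violate a segregation-of-duties rule
    A role missing from the baseline is treated as allowing nothing, so every
    entitlement on such an account is reported as excess rather than silently accepted.
    """
    findings: dict[str, list] = {"orphaned": [], "excess": [], "sod": []}
    for acct in accounts:
        if acct.role is None:
            findings["orphaned"].append(acct.user)
            continue
        allowed = baseline.get(acct.role, set())
        extra = acct.entitlements - allowed
        if extra:
            findings["excess"].append((acct.user, sorted(extra)))
        for left, right in sod_rules:
            if left <= acct.entitlements and right <= acct.entitlements:
                findings["sod"].append((acct.user, sorted(left | right)))
    return findings


# Constructed export from an identity store; users and grants are fictitious.
SAMPLE_ACCOUNTS = [
    Account("alice", "developer", frozenset({"git:read", "git:write", "ci:run"})),
    Account("bob", "developer", frozenset({"git:read", "git:write", "ci:run", "prod:deploy"})),
    Account("carol", None, frozenset({"git:read", "prod:ssh"})),
    Account("dave", "finance", frozenset({"erp:read", "erp:post", "erp:approve"})),
]


def run_review() -> dict[str, list]:
    return review_access(SAMPLE_ACCOUNTS)


if __name__ == "__main__":
    for category, items in run_review().items():
        print(f"{category}:")
        for item in items:
            print(f"  {item}")
```

Each finding type maps to a different owner: orphaned accounts go back to the joiner/mover/leaver process, excess grants go to the role owner for approval or removal, and segregation-of-duties conflicts need a documented exception or a change of role.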
10. Threat and Vulnerability Management
Definition
Threat and Vulnerability Management focuses on identifying, assessing, and mitigating potential security risks before they affect operations.
Key Considerations
- Regular Scanning: Use automated tools to detect known vulnerabilities in networks and applications.
- Threat Intelligence: Keep track of emerging threats and adjust defense strategies accordingly.
- Remediation: Prioritize and fix discovered vulnerabilities based on criticality.
Example Controls
- Scheduling monthly or quarterly vulnerability scans.
- Using penetration testing to uncover complex attack vectors.
- Applying vendor security patches promptly, especially for critical systems.
11. Continuity
Definition
Continuity focuses on your organization’s ability to maintain or quickly resume critical functions during and after disruptions.
Key Considerations
- Business Continuity Plan (BCP): Identify essential functions and required resources to keep the business running.
- Disaster Recovery Plan (DRP): Outline how to recover IT infrastructure and data after an incident.
- Testing and Exercises: Conduct drills to ensure staff understand roles and procedures.
Example Controls
- Regularly backing up data to an offsite or cloud location.
- Testing failover systems to validate recovery times.
- Maintaining redundant infrastructure for critical applications.
12. Supplier Relationships Security
Definition
Supplier Relationships Security deals with managing and monitoring third parties that interact with your organization’s data or systems.
Key Considerations
- Due Diligence: Evaluate potential suppliers for their security posture before onboarding.
- Contractual Obligations: Specify security requirements and responsibilities in written agreements.
- Ongoing Monitoring: Periodically assess suppliers to confirm they maintain agreed-upon security standards.
Example Controls
- Creating a vendor risk assessment checklist to ensure consistent evaluations.
- Requiring suppliers to notify your organization promptly if they experience a breach.
- Conducting annual audits or compliance reviews for high-risk vendors.
13. Legal and Compliance
Definition
Legal and Compliance ensures that your organization meets all relevant laws, regulations, and contractual commitments related to information security and privacy.
Key Considerations
- Regulatory Awareness: Stay updated on changes to data protection, privacy, and industry-specific regulations.
- Internal Policies: Align internal policies with external legal requirements.
- Documented Evidence: Maintain records of compliance activities for audits and legal inquiries.
Example Controls
- Mapping controls to regulatory clauses to show compliance.
- Reviewing contracts to ensure they include relevant security and privacy terms.
- Establishing a breach notification procedure that meets legal obligations.
14. Information Security Event Management
Definition
Information Security Event Management focuses on detecting, reporting, analyzing, and responding to security incidents to minimize harm.
Key Considerations
- Logging and Monitoring: Collect and review logs for unusual activity.
- Incident Response Plan: Define roles, responsibilities, and escalation paths when events occur.
- Root Cause Analysis: Determine underlying reasons for incidents and apply lessons learned.
Example Controls
- Setting up a Security Information and Event Management (SIEM) system to correlate alerts.
- Classifying events based on severity to guide response actions.
- Conducting post-incident reviews to identify future preventative measures.
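The logging, correlation and severity classification points above can be illustrated with a small detector. The following Python script is an added example (not from the page or any SIEM product): it parses a constructed set of SSH authentication log lines, applies a sliding-window rule for repeated failures from one source, and raises the severity when a later successful login arrives from a source that was already flagged. The log format, the thresholds, the severity labels and the addresses (documentation ranges) are all assumptions made for the example.

```python
from __future__ import annotations

import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed syslog-like line: "<iso timestamp> <host> sshd[<pid>]: <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<msg>.+)$")
FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
OK_RE = re.compile(r"Accepted (?:publickey|password) for (?P<user>\S+) from (?P<src>\S+)")


def parse_events(lines) -> list[dict]:
    """Normalise raw lines into auth events; lines that are not auth outcomes are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])
        if (f := FAIL_RE.search(m["msg"])):
            events.append({"ts": ts, "kind": "auth_fail", "user": f["user"], "src": f["src"]})
        elif (o := OK_RE.search(m["msg"])):
            events.append({"ts": ts, "kind": "auth_ok", "user": o["user"], "src": o["src"]})
    return events


def correlate(events, threshold=5, window=timedelta(minutes=5)) -> list[dict]:
    """Two correlation rules, each with a severity attached:

    medium: at least `threshold` failed logins from one source inside the sliding window
    high:   a successful login from a source already flagged by the medium rule
    Events are processed in time order so the rules behave the same on unsorted input.
    """
    alerts = []
    recent: dict[str, deque] = defaultdict(deque)   # per-source failure timestamps in window
    flagged: set[str] = set()                       # sources that already raised the medium alert
    for ev in sorted(events, key=lambda e: e["ts"]):
        src = ev["src"]
        if ev["kind"] == "auth_fail":
            q = recent[src]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:   # drop failures that fell out of the window
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"ts": ev["ts"], "severity": "medium",
                               "rule": "repeated_auth_failures", "src": src, "count": len(q)})
        elif src in flagged:
            alerts.append({"ts": ev["ts"], "severity": "high",
                           "rule": "success_after_failures", "src": src, "user": ev["user"]})
    return alerts


# Constructed sample log; hosts, users and addresses are fictitious.
SAMPLE_LOG = """\
2024-05-01T10:00:01 bastion sshd[2314]: Failed password for invalid user admin from 203.0.113.5 port 50122 ssh2
2024-05-01T10:00:09 bastion sshd[2315]: Failed password for root from 203.0.113.5 port 50130 ssh2
2024-05-01T10:00:20 bastion sshd[2316]: Failed password for invalid user test from 203.0.113.5 port 50141 ssh2
2024-05-01T10:00:30 bastion sshd[2317]: Failed password for alice from 198.51.100.7 port 40011 ssh2
2024-05-01T10:00:31 bastion sshd[2318]: Failed password for root from 203.0.113.5 port 50150 ssh2
2024-05-01T10:00:45 bastion sshd[2319]: Failed password for invalid user oracle from 203.0.113.5 port 50162 ssh2
2024-05-01T10:01:02 bastion sshd[2320]: Failed password for deploy from 203.0.113.5 port 50170 ssh2
2024-05-01T10:02:00 bastion sshd[2321]: Accepted publickey for alice from 192.0.2.10 port 51000 ssh2
2024-05-01T10:03:15 bastion sshd[2322]: Accepted password for deploy from 203.0.113.5 port 50190 ssh2
2024-05-01T10:03:16 bastion sshd[2322]: pam_unix(sshd:session): session opened for user deploy
"""


def run_example() -> list[dict]:
    return correlate(parse_events(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    for a in run_example():
        print(f"{a['ts'].isoformat()} [{a['severity']}] {a['rule']} src={a['src']}")
```

The severity split is what drives the response path: the medium alert is a candidate for review in the next triage pass, while the high alert (a success following the burst of failures) is the kind of event that should escalate immediately under the incident response plan and be kept for the post-incident review.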
15. Information Security Assurance
Definition
Information Security Assurance measures how effectively your implemented controls achieve their intended outcomes. It involves evaluations such as audits, assessments, and continuous improvement.
Key Considerations
- Audit Schedule: Plan internal or external audits periodically to maintain impartial reviews.
- Gap Analysis: Identify shortfalls in existing controls against benchmarks or frameworks.
- Continual Improvement: Modify and enhance controls based on audit findings and changing risk landscapes.
Example Controls
- Documenting formal audit programs that outline scope and methods.
- Performing readiness assessments before external certifications.
- Reviewing assessment results with management to prioritize next steps.
Benefits of an Operational Capabilities View
Taking an Operational Capabilities view helps your organization in three primary ways:
- Clarity: This structure provides a practical focus for staff. Teams can quickly identify which capabilities they are responsible for, making it easier to track progress.
- Resource Alignment: By grouping controls under operational functions, you can allocate personnel, budget, and time more effectively. Each security area will have clear ownership.
- Practical Application: A capabilities-based approach simplifies implementation by tying controls to day-to-day tasks. Practitioners can see how each control directly supports their operational responsibilities.
Common Challenges and Mitigation Strategies
When implementing the Operational Capabilities approach in your organization, you may encounter several challenges that can affect the success of your information security program. Below is a detailed overview of typical obstacles, along with practical strategies to address them.
Overlap Between Capabilities
Challenge
Some security controls may naturally fit into more than one operational capability. For example, a control related to user access might fall under both “Identity and Access Management” and “Human Resource Security.” This overlap can create confusion about which team is responsible for implementation and ongoing management.
Mitigation Strategies
- Define Clear Ownership: Use a responsibility matrix (such as a RACI chart) to specify which department or individual is accountable for each control.
- Document Dual or Shared Responsibilities: When a control spans multiple capabilities, outline how the collaborating teams will coordinate.
- Regular Review Sessions: Hold periodic meetings to confirm that overlapping controls continue to be managed effectively and that no gaps have emerged.
Resource Constraints
Challenge
Developing, implementing, and maintaining all necessary controls across 15 operational capabilities can strain budgets, personnel, and available technologies. Smaller organizations or those with limited cybersecurity staff may find it particularly challenging to allocate enough resources.
Mitigation Strategies
- Prioritize High-Risk Areas: Identify which capabilities are most critical to your operations and address them first.
- Leverage Existing Technologies: Integrate controls into current tools and processes instead of purchasing entirely new solutions.
- Seek Cross-Functional Support: Collaborate with other departments (e.g., IT, Legal, Finance) to pool resources and share responsibilities.
- Phase Implementation: Roll out controls in stages, allowing your organization to manage costs and workload more effectively.
Organizational Resistance
Challenge
Operational teams may perceive the introduction of a new framework or categorization method as extra work or an unnecessary complication. Resistance can stem from a lack of awareness, fear of accountability, or general hesitancy to change established procedures.
Mitigation Strategies
- Provide Clear Training: Offer role-specific guidance and explain how each operational capability simplifies daily tasks or reduces risk.
- Communicate Benefits: Emphasize how the approach clarifies responsibilities, enhances collaboration, and leads to better security outcomes.
- Obtain Executive Endorsement: Having support from top management can help influence organizational culture and encourage positive reception.
- Start Small: Introduce the framework in a single department or project before expanding to the entire organization, showcasing early successes.
Changing Risk Profile
Challenge
Cyber threats and vulnerabilities change rapidly. The capabilities you prioritize today might shift in importance if new tactics or technologies emerge. Without regular updates, your security measures can become outdated.
Mitigation Strategies
- Conduct Frequent Risk Assessments: Revisit your threat analysis and vulnerability scans to stay informed about emerging issues.
- Maintain a Security Roadmap: Document planned improvements and regularly update them based on evolving risks.
- Leverage Threat Intelligence: Use internal and external sources to receive timely information on new vulnerabilities, attacks, or regulatory changes.
- Perform Ongoing Training: Keep staff informed about recent threat trends and encourage them to adapt controls as necessary.
Complexity of Regulatory Requirements
Challenge
Organizations often need to comply with multiple regulatory frameworks, each with its own detailed requirements. Certain controls may need to align with multiple regulations, leading to complex reporting obligations and overlapping audits.
Mitigation Strategies
- Map Controls to Regulations: Create a matrix that shows how each operational capability and control satisfies different regulatory requirements.
- Streamline Documentation: Use consistent reporting formats and central repositories to store evidence of compliance.
- Audit Coordination: If possible, schedule audits and assessments in ways that reduce duplication.
- Stay Updated: Monitor changes in legislation or standards and adjust controls and processes accordingly.
Maintaining Staff Awareness
Challenge
Over time, staff may become complacent or forget key policies and procedures, especially if they are not regularly reminded. Without consistent engagement, security can degrade, and training may not remain top of mind.
Mitigation Strategies
- Regular Training Sessions: Offer concise, periodic refreshers or microlearning modules to keep security knowledge current.
- Awareness Campaigns: Display visual reminders such as posters and digital notifications that reinforce best practices.
- Simulated Exercises: Run drills (e.g., phishing simulations) to evaluate staff responses and identify areas needing improvement.
- Tailored Content: Customize training for different roles, focusing on the specific security controls and risks relevant to each team.
Third-Party Dependencies
Challenge
Security often depends on external vendors, suppliers, or cloud service providers. If these third parties do not meet your required standards, your organization’s risk exposure increases.
Mitigation Strategies
- Vendor Risk Assessments: Evaluate prospective and existing suppliers based on their security posture and practices.
- Contractual Clauses: Include clear security and data protection obligations in all service agreements.
- Continuous Monitoring: Regularly review vendor performance, service levels, and security incidents.
- Collaborative Improvement: Work with suppliers to address identified weaknesses and align security standards over time.
Maintaining Continuous Improvement
Challenge
Even the most robust security program can degrade if not regularly maintained and refined. Without a structured process for continuous improvement, controls may no longer align with organizational growth or changing risk environments.
Mitigation Strategies
- Plan-Do-Check-Act Cycle: Integrate a formal continuous improvement model to review and optimize controls regularly.
- Periodic Internal Audits: Assess operational capabilities on a set schedule to find gaps and inefficiencies.
- Management Reviews: Hold leadership-level discussions to evaluate audit findings, agree on improvement actions, and track progress.
- Feedback Loops: Encourage staff to report issues or suggest enhancements to any control, promoting a culture of shared security responsibility.
Templates That Could Help
If you are using or offering security documentation templates, the following examples can support your implementation:
- Risk Assessment Template: Align risk identification with the relevant operational capability.
- Control Implementation Checklist: Track progress for each capability to ensure no areas are overlooked.
- Security Policy Template: Define policy statements that address each operational capability.
- Incident Response Plan Template: Map response actions to specific capabilities like Information Security Event Management.
- Vendor Assessment Checklist: Evaluate supplier security practices, addressing Supplier Relationships Security.
- Business Continuity Plan Template: Document recovery strategies in line with Continuity.
Conclusion
Operational Capabilities in ISO 27001 enable you to group controls in a way that aligns with functional duties, making security implementation more direct and comprehensible for those responsible. This approach clarifies roles, highlights coverage gaps, and supports efficient resource allocation.
When you adopt the Operational Capabilities view, you gain a practical framework that complements the broader ISO 27001 requirements. The ability to categorize and manage controls by operational function helps ensure that security becomes part of everyday operations rather than an afterthought.