ISO 27001:2022 Operational Capabilities

ISO 27001 Operational Capabilities

The ISO 27001 standard includes attributes that allow organizations to create structured views of controls. One of these attributes, “Operational Capabilities,” groups controls based on the functional areas of security management. This approach complements other ISO 27001 processes such as risk assessment, continuous improvement, and performance evaluation.

ISO 27001 Operational Capabilities: controls by capability

The table below lists, for each Operational Capability, the Annex A controls it groups, arranged by the four Annex A control themes (A.5 Organizational, A.6 People, A.7 Physical, A.8 Technological). N/A marks a theme with no controls under that capability.

Governance

  Organizational controls (A.5)
  • A.5.01 Policies for information security
  • A.5.02 Information security roles and responsibilities
  • A.5.03 Segregation of duties
  • A.5.04 Management responsibilities
  • A.5.05 Contact with authorities
  • A.5.06 Contact with special interest groups
  • A.5.08 Information security in project management
  • A.5.24 Information security incident management responsibilities and preparation
  People controls (A.6): N/A
  Physical controls (A.7): N/A
  Technological controls (A.8): N/A

Asset Management

  Organizational controls (A.5)
  • A.5.09 Inventory of information and other associated assets
  • A.5.10 Acceptable use of information and associated assets
  • A.5.11 Return of assets
  • A.5.14 Information transfer
  • A.5.33 Protection of records
  • A.5.37 Documented operating procedures
  People controls (A.6)
  • A.6.5 Responsibilities after termination or change of employment
  • A.6.7 Remote working
  Physical controls (A.7)
  • A.7.03 Securing offices, rooms and facilities
  • A.7.08 Equipment siting and protection
  • A.7.09 Security of assets off-premises
  • A.7.10 Storage media
  • A.7.13 Equipment maintenance
  • A.7.14 Secure disposal or re-use of equipment
  Technological controls (A.8)
  • A.8.01 User endpoint devices
  • A.8.14 Redundancy of information processing facilities

Information Protection

  Organizational controls (A.5)
  • A.5.10 Acceptable use of information and associated assets
  • A.5.12 Classification of information
  • A.5.14 Information transfer
  • A.5.33 Protection of records
  • A.5.34 Privacy and protection of PII
  People controls (A.6)
  • A.6.6 Confidentiality or non-disclosure agreements
  • A.6.7 Remote working
  Physical controls (A.7): N/A
  Technological controls (A.8)
  • A.8.01 User endpoint devices
  • A.8.07 Protection against malware
  • A.8.09 Configuration management
  • A.8.10 Information deletion
  • A.8.11 Data masking
  • A.8.12 Data leakage prevention
  • A.8.33 Test information
  • A.8.34 Protection of information systems during audit and testing

Human Resource Security

  Organizational controls (A.5): N/A
  People controls (A.6)
  • A.6.1 Screening
  • A.6.2 Terms and conditions of employment
  • A.6.3 Information security awareness, education and training
  • A.6.4 Disciplinary process
  • A.6.5 Responsibilities after termination or change of employment
  • A.6.6 Confidentiality or non-disclosure agreements
  Physical controls (A.7): N/A
  Technological controls (A.8): N/A

Physical Security

  Organizational controls (A.5)
  • A.5.37 Documented operating procedures
  People controls (A.6)
  • A.6.7 Remote working
  Physical controls (A.7)
  • A.7.01 Physical security perimeter
  • A.7.02 Physical entry
  • A.7.03 Securing offices, rooms and facilities
  • A.7.04 Physical security monitoring
  • A.7.05 Protecting against physical and environmental threats
  • A.7.06 Working in secure areas
  • A.7.07 Clear desk and clear screen
  • A.7.08 Equipment siting and protection
  • A.7.09 Security of assets off-premises
  • A.7.10 Storage media
  • A.7.11 Supporting utilities
  • A.7.12 Cabling security
  • A.7.13 Equipment maintenance
  • A.7.14 Secure disposal or re-use of equipment
  Technological controls (A.8): N/A

System and Network Security

  Organizational controls (A.5)
  • A.5.37 Documented operating procedures
  People controls (A.6)
  • A.6.7 Remote working
  Physical controls (A.7): N/A
  Technological controls (A.8)
  • A.8.07 Protection against malware
  • A.8.18 Use of privileged utility programs
  • A.8.20 Network security
  • A.8.21 Security of network services
  • A.8.22 Segregation of networks
  • A.8.23 Web filtering
  • A.8.25 Secure development lifecycle
  • A.8.26 Application security requirements
  • A.8.27 Secure system architecture and engineering principles
  • A.8.28 Secure coding
  • A.8.29 Security testing in development and acceptance
  • A.8.30 Outsourced development
  • A.8.31 Separation of development, test and production environments
  • A.8.32 Change management
  • A.8.34 Protection of information systems during audit and testing

Application Security

  Organizational controls (A.5)
  • A.5.37 Documented operating procedures
  People controls (A.6): N/A
  Physical controls (A.7): N/A
  Technological controls (A.8)
  • A.8.04 Access to source code
  • A.8.18 Use of privileged utility programs
  • A.8.19 Installation of software on operational systems
  • A.8.25 Secure development lifecycle
  • A.8.26 Application security requirements
  • A.8.27 Secure system architecture and engineering principles
  • A.8.28 Secure coding
  • A.8.29 Security testing in development and acceptance
  • A.8.30 Outsourced development
  • A.8.31 Separation of development, test and production environments
  • A.8.32 Change management

Secure Configuration

  Organizational controls (A.5)
  • A.5.37 Documented operating procedures
  People controls (A.6): N/A
  Physical controls (A.7): N/A
  Technological controls (A.8)
  • A.8.04 Access to source code
  • A.8.18 Use of privileged utility programs
  • A.8.19 Installation of software on operational systems
  • A.8.24 Use of cryptography

Identity and Access Management

  Organizational controls (A.5)
  • A.5.03 Segregation of duties
  • A.5.15 Access control
  • A.5.16 Identity management
  • A.5.17 Authentication information
  • A.5.18 Access rights
  • A.5.37 Documented operating procedures
  People controls (A.6): N/A
  Physical controls (A.7)
  • A.7.02 Physical entry
  Technological controls (A.8)
  • A.8.02 Privileged access rights
  • A.8.03 Information access restriction
  • A.8.04 Access to source code
  • A.8.05 Secure authentication

Threat and Vulnerability Management

  Organizational controls (A.5)
  • A.5.07 Threat intelligence
  • A.5.37 Documented operating procedures
  People controls (A.6): N/A
  Physical controls (A.7): N/A
  Technological controls (A.8)
  • A.8.08 Management of technical vulnerabilities

Continuity

  Organizational controls (A.5)
  • A.5.29 Information security during disruption
  • A.5.30 ICT readiness for business continuity
  • A.5.37 Documented operating procedures
  People controls (A.6): N/A
  Physical controls (A.7): N/A
  Technological controls (A.8)
  • A.8.06 Capacity management
  • A.8.13 Information backup
  • A.8.14 Redundancy of information processing facilities

Supplier Relationships Security

  Organizational controls (A.5)
  • A.5.19 Information security in supplier relationships
  • A.5.20 Addressing information security within supplier agreements
  • A.5.21 Managing information security in the ICT supply chain
  • A.5.22 Monitoring, review and change management of supplier services
  • A.5.23 Information security for use of cloud services
  People controls (A.6)
  • A.6.6 Confidentiality or non-disclosure agreements
  Physical controls (A.7): N/A
  Technological controls (A.8)
  • A.8.29 Security testing in development and acceptance
  • A.8.30 Outsourced development

Legal and Compliance

  Organizational controls (A.5)
  • A.5.31 Identification of legal, statutory, regulatory and contractual requirements
  • A.5.32 Intellectual property rights
  • A.5.33 Protection of records
  • A.5.34 Privacy and protection of PII
  • A.5.36 Compliance with policies and standards for information security
  People controls (A.6): N/A
  Physical controls (A.7): N/A
  Technological controls (A.8): N/A

Information Security Event Management

  Organizational controls (A.5)
  • A.5.37 Documented operating procedures
  People controls (A.6)
  • A.6.8 Information security event reporting
  Physical controls (A.7): N/A
  Technological controls (A.8)
  • A.8.15 Logging
  • A.8.16 Monitoring activities
  • A.8.17 Clock synchronization

Information Security Assurance

  Organizational controls (A.5)
  • A.5.22 Monitoring, review and change management of supplier services
  • A.5.35 Independent review of information security
  • A.5.36 Compliance with policies and standards for information security
  People controls (A.6): N/A
  Physical controls (A.7): N/A
  Technological controls (A.8): N/A

Introduction to Operational Capabilities in ISO 27001

Operational Capabilities in ISO 27001 provide a practitioner-focused way to categorize and manage security controls. When you classify controls according to operational functions, you can improve clarity, accountability, and effectiveness in your organization’s security approach. This categorization aligns security tasks with your team’s day-to-day responsibilities.

Using the Operational Capabilities attribute, you can manage a diverse range of security measures in a coordinated manner. Each capability aligns with a set of controls in Annex A, helping your organization decide how best to deploy and monitor those controls.

15 Operational Capabilities

Below is a detailed exploration of the 15 Operational Capabilities as defined by ISO 27001. Each capability represents a key functional area where security controls can be grouped and managed. Viewing controls through these categories can help your organization assign responsibilities more effectively and ensure complete coverage of information security needs.


1. Governance

Definition
Governance provides the strategic framework that guides information security activities. It covers policies, roles, and decision-making processes that define how security objectives align with overall business goals.

Key Considerations

  • Leadership Commitment: Management must demonstrate support through resource allocation and consistent communication.
  • Strategic Alignment: Security objectives should directly support organizational goals.
  • Policy Framework: Create and maintain policies for risk management, acceptable use, and data classification.

Example Controls

  • Establishing a formal Information Security Policy and ensuring it is reviewed regularly.
  • Defining roles such as a Chief Information Security Officer (CISO) or security committee.
  • Implementing a governance structure that includes periodic management reviews.

2. Asset Management

Definition
Asset Management addresses how your organization identifies, classifies, tracks, and protects information assets, which can include data, software, and hardware.

Key Considerations

  • Identification: Develop an inventory that captures each asset’s type, location, and owner.
  • Classification: Categorize assets according to sensitivity or criticality.
  • Lifecycle Management: Incorporate secure handling procedures from acquisition to disposal.

Example Controls

  • Maintaining an up-to-date asset register with defined owners.
  • Labeling documents and media based on classification levels.
  • Securing asset disposal or recycling to prevent unauthorized data recovery.

3. Information Protection

Definition
Information Protection involves safeguarding data in all forms, whether stored, in transit, or in use. This capability ensures that confidentiality, integrity, and availability remain intact throughout the data lifecycle.

Key Considerations

  • Data Encryption: Use encryption methods to protect sensitive information.
  • Data Handling Guidelines: Provide clear instructions on how to store, transfer, and share information.
  • Access Controls: Ensure only authorized personnel can view or modify specific data.

Example Controls

  • Encrypting data at rest on servers and backup media.
  • Applying secure file transfer protocols (SFTP or HTTPS).
  • Employing data loss prevention (DLP) solutions to monitor data movement.

4. Human Resource Security

Definition
Human Resource Security focuses on people-related aspects of your security program. It spans from hiring practices to ongoing training and termination procedures.

Key Considerations

  • Pre-Employment Screening: Follow relevant regulations for background checks.
  • Security Awareness: Provide regular, role-based training on security policies.
  • Termination or Role Change: Revoke or adjust access rights as soon as an employee leaves or changes position.

Example Controls

  • Conducting reference checks and verifying professional credentials for new hires.
  • Running mandatory security briefings for all staff and contractors.
  • Deleting or updating user accounts immediately upon role change or departure.

5. Physical Security

Definition
Physical Security protects your facilities, hardware, and infrastructure from unauthorized physical access, damage, or interference.

Key Considerations

  • Perimeter Defenses: Use gates, fences, and security guards where necessary.
  • Controlled Access: Employ locks, biometric systems, or smart cards for secure areas.
  • Environmental Controls: Monitor temperature, humidity, and fire detection systems.

Example Controls

  • Logging visitor entry and exit through a reception desk or electronic system.
  • Installing CCTV cameras in critical areas such as server rooms.
  • Testing fire suppression systems and emergency power supplies regularly.

6. System and Network Security

Definition
System and Network Security includes measures that protect the technical infrastructure supporting your organization’s operations.

Key Considerations

  • Network Segmentation: Divide your network into zones (e.g., internal, DMZ, guest) to reduce lateral movement in case of a breach.
  • Intrusion Detection and Prevention: Monitor network traffic for malicious activity.
  • Secure Communication: Use VPNs for remote access and encrypted protocols where possible.

Example Controls

  • Configuring firewalls with strict inbound and outbound rules.
  • Deploying intrusion detection systems (IDS) or intrusion prevention systems (IPS).
  • Implementing secure remote access solutions, like a virtual private network.

7. Application Security

Definition
Application Security focuses on building and maintaining secure software, including websites, mobile apps, and internally developed applications.

Key Considerations

  • Secure Development Lifecycle (SDLC): Embed security checks during design, coding, testing, and deployment.
  • Code Review and Testing: Perform static and dynamic code analyses to catch vulnerabilities.
  • Patch Management: Update applications to address discovered weaknesses.

Example Controls

  • Establishing secure coding guidelines based on best practices.
  • Running penetration tests on high-risk or externally facing applications.
  • Using automated tools to scan code repositories for known security flaws.

8. Secure Configuration

Definition
Secure Configuration involves defining and maintaining secure settings for servers, workstations, mobile devices, and other systems.

Key Considerations

  • Baseline Standards: Document and maintain a set of secure defaults for various system types.
  • Configuration Management: Control changes to configuration to prevent drifting into insecure states.
  • Hardening: Remove unnecessary software, disable unneeded ports, and close default accounts.

Example Controls

  • Applying standardized images for new system deployments.
  • Conducting regular configuration audits using automated scripts.
  • Establishing a change control process to review and approve configuration updates.

9. Identity and Access Management

Definition
Identity and Access Management (IAM) governs how users are authenticated and authorized to access various systems and data.

Key Considerations

  • Credential Management: Store passwords securely and enforce rotation or expiration policies.
  • Access Provisioning: Grant permissions based on the user’s role and responsibilities.
  • Multifactor Authentication: Add an extra layer of security for high-risk applications or data.

Example Controls

  • Enforcing strong password policies and providing password managers.
  • Revisiting user access rights periodically to match job roles.
  • Utilizing single sign-on (SSO) where feasible to reduce complexity.

10. Threat and Vulnerability Management

Definition
Threat and Vulnerability Management focuses on identifying, assessing, and mitigating potential security risks before they affect operations.

Key Considerations

  • Regular Scanning: Use automated tools to detect known vulnerabilities in networks and applications.
  • Threat Intelligence: Keep track of emerging threats and adjust defense strategies accordingly.
  • Remediation: Prioritize and fix discovered vulnerabilities based on criticality.

Example Controls

  • Scheduling monthly or quarterly vulnerability scans.
  • Using penetration testing to uncover complex attack vectors.
  • Applying vendor security patches promptly, especially for critical systems.

11. Continuity

Definition
Continuity focuses on your organization’s ability to maintain or quickly resume critical functions during and after disruptions.

Key Considerations

  • Business Continuity Plan (BCP): Identify essential functions and required resources to keep the business running.
  • Disaster Recovery Plan (DRP): Outline how to recover IT infrastructure and data after an incident.
  • Testing and Exercises: Conduct drills to ensure staff understand roles and procedures.

Example Controls

  • Regularly backing up data to an offsite or cloud location.
  • Testing failover systems to validate recovery times.
  • Maintaining redundant infrastructure for critical applications.

12. Supplier Relationships Security

Definition
Supplier Relationships Security deals with managing and monitoring third parties that interact with your organization’s data or systems.

Key Considerations

  • Due Diligence: Evaluate potential suppliers for their security posture before onboarding.
  • Contractual Obligations: Specify security requirements and responsibilities in written agreements.
  • Ongoing Monitoring: Periodically assess suppliers to confirm they maintain agreed-upon security standards.

Example Controls

  • Creating a vendor risk assessment checklist to ensure consistent evaluations.
  • Requiring suppliers to notify your organization promptly if they experience a breach.
  • Conducting annual audits or compliance reviews for high-risk vendors.

13. Legal and Compliance

Definition
Legal and Compliance ensures that your organization meets all relevant laws, regulations, and contractual commitments related to information security and privacy.

Key Considerations

  • Regulatory Awareness: Stay updated on changes to data protection, privacy, and industry-specific regulations.
  • Internal Policies: Align internal policies with external legal requirements.
  • Documented Evidence: Maintain records of compliance activities for audits and legal inquiries.

Example Controls

  • Mapping controls to regulatory clauses to show compliance.
  • Reviewing contracts to ensure they include relevant security and privacy terms.
  • Establishing a breach notification procedure that meets legal obligations.

14. Information Security Event Management

Definition
Information Security Event Management focuses on detecting, reporting, analyzing, and responding to security incidents to minimize harm.

Key Considerations

  • Logging and Monitoring: Collect and review logs for unusual activity.
  • Incident Response Plan: Define roles, responsibilities, and escalation paths when events occur.
  • Root Cause Analysis: Determine underlying reasons for incidents and apply lessons learned.

Example Controls

  • Setting up a Security Information and Event Management (SIEM) system to correlate alerts.
  • Classifying events based on severity to guide response actions.
  • Conducting post-incident reviews to identify future preventative measures.

15. Information Security Assurance

Definition
Information Security Assurance measures how effectively your implemented controls achieve their intended outcomes. It involves evaluations such as audits, assessments, and continuous improvement.

Key Considerations

  • Audit Schedule: Plan internal or external audits periodically to maintain impartial reviews.
  • Gap Analysis: Identify shortfalls in existing controls against benchmarks or frameworks.
  • Continual Improvement: Modify and enhance controls based on audit findings and changing risk landscapes.

Example Controls

  • Documenting formal audit programs that outline scope and methods.
  • Performing readiness assessments before external certifications.
  • Reviewing assessment results with management to prioritize next steps.

Benefits of an Operational Capabilities View

Taking an Operational Capabilities view helps your organization in three primary ways:

  1. Clarity
    This structure provides a practical focus for staff. Teams can quickly identify which capabilities they are responsible for, making it easier to track progress.
  2. Resource Alignment
    By grouping controls under operational functions, you can allocate personnel, budget, and time more effectively. Each security area will have clear ownership.
  3. Practical Application
    A capabilities-based approach simplifies implementation by tying controls to day-to-day tasks. Practitioners can see how each control directly supports their operational responsibilities.

Common Challenges and Mitigation Strategies

When implementing the Operational Capabilities approach in your organization, you may encounter several challenges that can affect the success of your information security program. Below is a detailed overview of typical obstacles, along with practical strategies to address them.


Overlap Between Capabilities

Challenge
Some security controls may naturally fit into more than one operational capability. For example, a control related to user access might fall under both “Identity and Access Management” and “Human Resource Security.” This overlap can create confusion about which team is responsible for implementation and ongoing management.

Mitigation Strategies

  • Define Clear Ownership: Use a responsibility matrix (such as a RACI chart) to specify which department or individual is accountable for each control.
  • Document Dual or Shared Responsibilities: When a control spans multiple capabilities, outline how the collaborating teams will coordinate.
  • Regular Review Sessions: Hold periodic meetings to confirm that overlapping controls continue to be managed effectively and that no gaps have emerged.
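The mapping table at the top of this page makes the overlap concrete: A.5.37 alone appears under nine capabilities. The following Python script is an added example, not part of the original page or of the standard itself. It encodes the control IDs exactly as the table above lists them, inverts the mapping to find every control claimed by more than one capability, checks those shared controls against an ownership register (the RACI "accountable" party), and runs a coverage check against a list of control IDs you supply. The ownership register and the sample control list are constructed for illustration; A.5.13 and A.5.25 are Annex A control IDs that the table above does not list, so they show up as coverage gaps in this view.

```python
"""Overlap and coverage checks over an Operational Capabilities mapping.

Added example; control IDs are copied from the table on the page, the
ownership register and sample Annex A list below are constructed.
"""
from collections import defaultdict

# Capability -> Annex A control IDs, as listed in the page's table.
CAPABILITY_CONTROLS = {
    "Governance": ["A.5.01", "A.5.02", "A.5.03", "A.5.04", "A.5.05",
                   "A.5.06", "A.5.08", "A.5.24"],
    "Asset Management": ["A.5.09", "A.5.10", "A.5.11", "A.5.14", "A.5.33",
                         "A.5.37", "A.6.5", "A.6.7", "A.7.03", "A.7.08",
                         "A.7.09", "A.7.10", "A.7.13", "A.7.14", "A.8.01",
                         "A.8.14"],
    "Information Protection": ["A.5.10", "A.5.12", "A.5.14", "A.5.33",
                               "A.5.34", "A.6.6", "A.6.7", "A.8.01", "A.8.07",
                               "A.8.09", "A.8.10", "A.8.11", "A.8.12",
                               "A.8.33", "A.8.34"],
    "Human Resource Security": ["A.6.1", "A.6.2", "A.6.3", "A.6.4", "A.6.5",
                                "A.6.6"],
    "Physical Security": ["A.5.37", "A.6.7", "A.7.01", "A.7.02", "A.7.03",
                          "A.7.04", "A.7.05", "A.7.06", "A.7.07", "A.7.08",
                          "A.7.09", "A.7.10", "A.7.11", "A.7.12", "A.7.13",
                          "A.7.14"],
    "System and Network Security": ["A.5.37", "A.6.7", "A.8.07", "A.8.18",
                                    "A.8.20", "A.8.21", "A.8.22", "A.8.23",
                                    "A.8.25", "A.8.26", "A.8.27", "A.8.28",
                                    "A.8.29", "A.8.30", "A.8.31", "A.8.32",
                                    "A.8.34"],
    "Application Security": ["A.5.37", "A.8.04", "A.8.18", "A.8.19", "A.8.25",
                             "A.8.26", "A.8.27", "A.8.28", "A.8.29", "A.8.30",
                             "A.8.31", "A.8.32"],
    "Secure Configuration": ["A.5.37", "A.8.04", "A.8.18", "A.8.19", "A.8.24"],
    "Identity and Access Management": ["A.5.03", "A.5.15", "A.5.16", "A.5.17",
                                       "A.5.18", "A.5.37", "A.7.02", "A.8.02",
                                       "A.8.03", "A.8.04", "A.8.05"],
    "Threat and Vulnerability Management": ["A.5.07", "A.5.37", "A.8.08"],
    "Continuity": ["A.5.29", "A.5.30", "A.5.37", "A.8.06", "A.8.13", "A.8.14"],
    "Supplier Relationships Security": ["A.5.19", "A.5.20", "A.5.21", "A.5.22",
                                        "A.5.23", "A.6.6", "A.8.29", "A.8.30"],
    "Legal and Compliance": ["A.5.31", "A.5.32", "A.5.33", "A.5.34", "A.5.36"],
    "Information Security Event Management": ["A.5.37", "A.6.8", "A.8.15",
                                              "A.8.16", "A.8.17"],
    "Information Security Assurance": ["A.5.22", "A.5.35", "A.5.36"],
}


def capabilities_per_control(mapping):
    """Invert the mapping: control ID -> sorted list of capabilities that include it."""
    inverted = defaultdict(list)
    for capability, controls in mapping.items():
        for control in controls:
            inverted[control].append(capability)
    return {control: sorted(caps) for control, caps in inverted.items()}


def shared_controls(mapping):
    """Controls claimed by more than one capability; each needs a named owner."""
    return {c: caps for c, caps in capabilities_per_control(mapping).items()
            if len(caps) > 1}


def most_shared(mapping):
    """The control with the widest overlap, as (control, number of capabilities)."""
    control, caps = max(shared_controls(mapping).items(), key=lambda kv: len(kv[1]))
    return control, len(caps)


def unowned_shared_controls(mapping, owners):
    """Shared controls missing from the ownership register (constructed RACI 'A' list)."""
    return sorted(c for c in shared_controls(mapping) if c not in owners)


def unmapped_controls(mapping, annex_a_ids):
    """Coverage check: supplied control IDs that no capability in this view includes."""
    return sorted(set(annex_a_ids) - set(capabilities_per_control(mapping)))


if __name__ == "__main__":
    owners = {"A.5.37": "Security Operations", "A.6.7": "IT Service Desk"}  # constructed
    print("Most shared control:", most_shared(CAPABILITY_CONTROLS))
    print("Shared controls without an owner:",
          unowned_shared_controls(CAPABILITY_CONTROLS, owners))
    # Constructed sample list; A.5.13 and A.5.25 are not in the page's table.
    print("Not covered by any capability:",
          unmapped_controls(CAPABILITY_CONTROLS, ["A.5.01", "A.5.13", "A.5.25", "A.8.15"]))
```

Feeding the output of unowned_shared_controls into the responsibility matrix turns the "define clear ownership" mitigation into a repeatable check rather than a one-off exercise, and the coverage check catches controls that fall outside every capability when the mapping is edited.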

Resource Constraints

Challenge
Developing, implementing, and maintaining all necessary controls across 15 operational capabilities can strain budgets, personnel, and available technologies. Smaller organizations or those with limited cybersecurity staff may find it particularly challenging to allocate enough resources.

Mitigation Strategies

  • Prioritize High-Risk Areas: Identify which capabilities are most critical to your operations and address them first.
  • Leverage Existing Technologies: Integrate controls into current tools and processes instead of purchasing entirely new solutions.
  • Seek Cross-Functional Support: Collaborate with other departments (e.g., IT, Legal, Finance) to pool resources and share responsibilities.
  • Phase Implementation: Roll out controls in stages, allowing your organization to manage costs and workload more effectively.

Organizational Resistance

Challenge
Operational teams may perceive the introduction of a new framework or categorization method as extra work or an unnecessary complication. Resistance can stem from a lack of awareness, fear of accountability, or general hesitancy to change established procedures.

Mitigation Strategies

  • Provide Clear Training: Offer role-specific guidance and explain how each operational capability simplifies daily tasks or reduces risk.
  • Communicate Benefits: Emphasize how the approach clarifies responsibilities, enhances collaboration, and leads to better security outcomes.
  • Obtain Executive Endorsement: Having support from top management can help influence organizational culture and encourage positive reception.
  • Start Small: Introduce the framework in a single department or project before expanding to the entire organization, showcasing early successes.

Changing Risk Profile

Challenge
Cyber threats and vulnerabilities change rapidly. The capabilities you prioritize today might shift in importance if new tactics or technologies emerge. Without regular updates, your security measures can become outdated.

Mitigation Strategies

  • Conduct Frequent Risk Assessments: Revisit your threat analysis and vulnerability scans to stay informed about emerging issues.
  • Maintain a Security Roadmap: Document planned improvements and regularly update them based on evolving risks.
  • Leverage Threat Intelligence: Use internal and external sources to receive timely information on new vulnerabilities, attacks, or regulatory changes.
  • Perform Ongoing Training: Keep staff informed about recent threat trends and encourage them to adapt controls as necessary.

Complexity of Regulatory Requirements

Challenge
Organizations often need to comply with multiple regulatory frameworks, each with its own detailed requirements. Certain controls may need to align with multiple regulations, leading to complex reporting obligations and overlapping audits.

Mitigation Strategies

  • Map Controls to Regulations: Create a matrix that shows how each operational capability and control satisfies different regulatory requirements.
  • Streamline Documentation: Use consistent reporting formats and central repositories to store evidence of compliance.
  • Audit Coordination: If possible, schedule audits and assessments in ways that reduce duplication.
  • Stay Updated: Monitor changes in legislation or standards and adjust controls and processes accordingly.

Maintaining Staff Awareness

Challenge
Over time, staff may become complacent or forget key policies and procedures, especially if they are not regularly reminded. Without consistent engagement, security can degrade, and training may not remain top of mind.

Mitigation Strategies

  • Regular Training Sessions: Offer concise, periodic refreshers or microlearning modules to keep security knowledge current.
  • Awareness Campaigns: Display visual reminders such as posters and digital notifications that reinforce best practices.
  • Simulated Exercises: Run drills (e.g., phishing simulations) to evaluate staff responses and identify areas needing improvement.
  • Tailored Content: Customize training for different roles, focusing on the specific security controls and risks relevant to each team.

Third-Party Dependencies

Challenge
Security often depends on external vendors, suppliers, or cloud service providers. If these third parties do not meet your required standards, your organization’s risk exposure increases.

Mitigation Strategies

  • Vendor Risk Assessments: Evaluate prospective and existing suppliers based on their security posture and practices.
  • Contractual Clauses: Include clear security and data protection obligations in all service agreements.
  • Continuous Monitoring: Regularly review vendor performance, service levels, and security incidents.
  • Collaborative Improvement: Work with suppliers to address identified weaknesses and align security standards over time.

Maintaining Continuous Improvement

Challenge
Even the most robust security program can degrade if not regularly maintained and refined. Without a structured process for continuous improvement, controls may no longer align with organizational growth or changing risk environments.

Mitigation Strategies

  • Plan-Do-Check-Act Cycle: Integrate a formal continuous improvement model to review and optimize controls regularly.
  • Periodic Internal Audits: Assess operational capabilities on a set schedule to find gaps and inefficiencies.
  • Management Reviews: Hold leadership-level discussions to evaluate audit findings, agree on improvement actions, and track progress.
  • Feedback Loops: Encourage staff to report issues or suggest enhancements to any control, promoting a culture of shared security responsibility.

Templates That Could Help

If you are using or offering security documentation templates, the following examples can support your implementation:

  • Risk Assessment Template: Align risk identification with the relevant operational capability.
  • Control Implementation Checklist: Track progress for each capability to ensure no areas are overlooked.
  • Security Policy Template: Define policy statements that address each operational capability.
  • Incident Response Plan Template: Map response actions to specific capabilities like Information Security Event Management.
  • Vendor Assessment Checklist: Evaluate supplier security practices, addressing Supplier Relationships Security.
  • Business Continuity Plan Template: Document recovery strategies in line with Continuity.

Conclusion

Operational Capabilities in ISO 27001 enable you to group controls in a way that aligns with functional duties, making security implementation more direct and comprehensible for those responsible. This approach clarifies roles, highlights coverage gaps, and supports efficient resource allocation.

When you adopt the Operational Capabilities view, you gain a practical framework that complements the broader ISO 27001 requirements. The ability to categorize and manage controls by operational function helps ensure that security becomes part of everyday operations rather than an afterthought.