An overview of Annex A.12 -  Operations security

In this article

• What is Annex A.12?
• What is Operations Security?
• Why is Operations Security Important for your Organisation?
• What are the Annex A.12 controls?
• Conclusion

What is Annex A.12?

Annex A.12 of the Annex A Controls sets out guidelines for the secure management and control of your information processing operations. Proper alignment with Annex A.12 is essential to prevent the loss or unauthorised transmission of valuable information, and ensure its confidentiality and integrity. 

As with the other Annex A controls, implementation isn’t mandatory, but choosing the right controls following a risk assessment is essential to achieving ISO 27001 compliance. 

Let’s understand what Annex A.12 entails, and what its requirements for operations security are.

What is Operations Security?

Operations security, or OPSEC, is the process of protecting valuable information assets from leaks, loss and damage. It is an important part of risk management, where we identify opportunities for data loss or theft and work to minimise these risks. With good OPSEC controls in place, you can lay out a framework of best practices and guidelines on how best to protect valuable information.   

There are multiple reasons why operations security is important to an organisation’s infosec framework, which we will explore in more detail.

Why is Operations Security important for your Organisation?

OPSEC practices push organisations to assess, identify and mitigate potential infosec risks to stay protected against hacking attempts and malware programs. 

Effective OPSEC ensures confidential information isn’t intentionally or unintentionally exposed, and also guides how the organisation may respond in the event of a compromise. Information leaks can be potentially devastating for an organisation, with hackers gaining access to sensitive information such as financial records and personnel data. Therefore, it is exceedingly important to maintain strong OPSEC policies.

Let’s take a deeper look at the requirements of Annex A.12 and how they contribute to a holistic OPSEC program.

What are the Annex A.12 controls?

Annex A.12 consists of a list of 14 controls across seven key aspects of operations security. In this section let’s look at how each of these controls contribute to good OPSEC practices, and how they can be implemented.

1. Annex A.12.1 - Operational procedures and responsibilities

The objective of A.12.1 is to ensure that information processing facilities are being operated in  a secure and proper manner. This set of controls outlines the standards that any data processing group must follow. 

• A.12.1.1 - Documented operating procedures
  
  Control: All organisational operating procedures must be documented and made available to personnel and relevant stakeholders. 
  Implementation: Such documentation ensures uniformity and ease of access in the event of system changes (staff and resources) or disaster management. Documents should be kept updated, and records should be maintained in a way that makes sense for your organisation, taking into account its growth and stability. Be sure to document processes related to the at-risk areas identified during risk assessment. 
  The following should be considered:
• Systems installation and settings
• Automated and manual processing and management of information
• Regular back ups
• Early work starts and latest job completion times, including reliance on other systems for the same
• Instructions for handling errors or any systems restrictions that may arise during job execution
• Contacts details of support bodies in the event of operational or technical issues
• Specific handling instructions, including that of failed work
• System reboot and recovery procedures in the event of system failures
• Audit-trail management and system log information
• Monitoring procedures
  
  
• A.12.1.2 - Change management 
  
  

  Control: Organisational changes, including changes to infosec systems, must be controlled. 

  Implementation: Change management ensures that there is minimal opportunity for the accidental or intentional compromisation or loss of data. Change management should be applied across the organisation. This includes all of its processes, and facilities that handle the processing of information, such as networks, systems, and applications. Change procedures should be recorded in audit logs in a level of detail that is consistent with the nature of the changes being recorded.

  
  

  The following should be considered:

   

  • Record significant changes
  • Plan and test modifications
  • Record the possible impacts of changes
  • Record a formal approval process for proposed changes
  • Verify compliance with infosec requirements
  • Communicate changes to all relevant individuals 
  • Record any failure to recover costs and the effect of unforeseeable incidents
  • An emergency procedure for resolving unforeseeable incidents quickly and in a controlled manner

• Annex A.12.1.3 Capacity management
  
  

  Control: Resource usage must be monitored, adapted, and projected to ensure optimal system performance in line with your organisation’s objectives.

  Implementation: Consider data storage capacity, processing power capacity and communications capacity, and ensure that capacity management is proactive and reactive, so the system operates within its capabilities. 

  
  

  Some examples of capacity management requirements are:

   

  • Freeing up disk space by removing obsolete data
  • Decommissioning application, programs, databases or environment
  • Restricting bandwidth to business-critical usage

• Annex A.12.1.4 - Separation of development, testing & operational Environments
  
  

  Control: Keep development, testing and operational environments separate to prevent unauthorised access and changes to the operational environment. 

  Implementation: Separating duties by keeping environments separate ensures the safety of live data. Testing should be carried out in a separate environment, and authorisation should be required for the transference of data across environments.

2. Annex A.12.2 - Protection from malware

The objective of A.12.2 is to protect your information from malware. A.12.2 has only one requirement.

• A.12.2.1 - Controls against malware
  
  Control: Protective measures must be implemented that ensure the detection of, protection from, and recovery from malware attacks.
  Implementation: Restricting removable media and addressing potential risks is necessary, in addition to keeping your systems and software up to date. Malware detection and repair software is essential to A.12.2.

3. Annex A.12.3 - Information backup

The objective of A.12.3 is to ensure protection against the loss of valuable information.

• Annex A.12.3.1 - Information backup
  
  Control: Backup copies of information must be maintained and tested regularly.
  Implementation: Backup guidelines/policies must consider risk levels and your organisation’s needs. Backup data must be stored away from the live environment to ensure no data is not compromised.  

4. Annex A.12.4 - Logging and Monitoring

The objective of A.12.4 is to log and generate evidence.

• Annex A.12.4.1 - Event logging
  
  

  Control: All event logs must contain organisational information such as user data, infosec events and flaws.

  The following must be considered:
• User IDs
• System activities (dates, times and details of key events)
• Device identity or location
• System access attempts
• Resource access attempts
• Changes to system configuration
• Use of privileges
• Use of system utilities and applications
• Files accessed and the type of access
• Network addresses and protocols
• Access control system alarms 
• Activation and deactivation of protection systems
• In-app transaction records
  
  
• Annex A.12.4.2 - Protection of log information
  
  Control: Logs must be maintained to prevent unauthorised tampering.
  

  Implementation: These logs must be stored in a safe and secure manner to ensure they are not tampered with.

• Annex A.12.4.3 - Administrator and operator software
  
  Control: Logs of system operators and administrators must be maintained and regularly updated.
  Implementation: Accounts with stricter logging requirements must be prioritised. 
• Annex A.12.4.4 - Clock synchronisation
  
  Control: Clocks of all information processing systems must be synchronised to a single source.
  Implementation: Correct synchronisation is necessary to prove “cause and effect” and provide evidence of events. 
  
  

5. Annex A.12.5 - Control of operational software

The objective of A.12.5 is to ensure the integrity of operational systems. 

• Annex A.12.5.1 - Installation of software on operational Systems
  
  Control: The installation of software must be formally controlled by implementing procedures.
  Implementation: Formal procedures such as change management, proper assignment of responsibility, roll-back policies and histories must be maintained.  

The following must be considered:

• Management permissions to upgrade software 
• Only approved code should exist in operating systems
• User-friendly testing functions
• Regularly updated program source libraries

6. Annex A.12.6 - Technical vulnerability management

The objective of A.12.6 is to avoid the exploitation of technical vulnerabilities.

• Annex A.12.6.1 - Management of technical vulnerabilities
  
  

  Control: All vulnerabilities of information systems must be evaluated and addressed through proper measures.

  Implementation: Formal measures must be appropriate and adequate. A communication strategy to update users about vulnerabilities can be useful to facilitate risk management through user behaviours.

  
  

  The following must be considered:

   

  • Network firewalls
  • Enhanced surveillance
  • Increase vulnerability awareness
• Annex A.12.6.2 - Restrictions on software installations
  
  

  Control: Strict rules are needed to restrict which software users are allowed to install on organisational equipment.

  Implementation: These rules must also restrict the ability of individuals to install software on organisational equipment, as it introduces the threat of malware. If total restriction is not an option, a white list of allowed software can be compiled.

7. Annex A.12.7 - Information Systems and audit considerations

The objective of A.12.7 is to minimise the impact of audits and related activities on daily operations and operational systems.

• Annex A.12.7.1 - Information Systems audit controls
  
  

  Control: All audit requirements, such as access to systems, must be pre-planned and negotiated with management so audit processes cause minimal disruption to business operations.

  Implementation: The scope and depth of audits and systems testing must be clearly defined, and carried out through a formal process.

Conclusion

While organisations aren’t required to implement all 114 Annex A controls, it is important to select and implement the controls that best align with your organisation’s needs and goals. 

Annex A.12 outlines best practices for operations security through 14 potential controls that ensure sensitive information is not leaked, stolen or damaged. A.12 covers vital aspects of the risk-management-based ISO 27001 framework, designed to strengthen infosec practices, protecting information from external threats. 

If ISO 27001 certification is in the cards for your organisation, schedule a no-obligation phone call with one of our experts at DataGuard to get started on your compliance journey.