130n@calvinlai.com
  • About Calvin Lai (fkclai)
  • My Work
  • Cyber Security
    • Cyber Security Centre (CSC)
      • Why we need a CSC
      • CSC Team Structure: Roles, Functions, and Tools
        • Key Function & Role
        • Tools & Platforms
        • People
        • Outsource Strategy
      • HRMC Executive Paper
  • Detection and Response
    • Playbook: Threat Prioritization & Automated Response Strategies
      • Scenario: Detecting and Mitigating a Ransomware Attack
      • Scenario: DC Sync Attack Detected and Mitigated
      • Scenario: Pass-the-Hash (PtH) Attack Detected and Contained
      • Scenario: Phishing Campaign with Malware / Credential Theft Detected and Mitigated
  • Application Architecture
    • Comparison of MVC , N-tier and Microservice Architecture
  • Application Security
    • OAuth, SAML, and OpenID Connect: Key Differences and Use Cases
    • Secure Coding Principles
    • HTTP Header Security Principles
    • Mitigating Broken Object Level Authorization (BOLA)
    • Spring Boot Validation
    • Output Encoding in JavaServer Faces (JSF)
    • Session Management Security Issues
    • Common API Security Problems
      • Broken Authentication
      • Excessive Data Exposure
      • Lack of Resources & Rate Limiting
      • Broken Function Level Authorization
      • Unsafe Consumption of APIs
    • JAVA Exception Handling
    • File Upload Validation
    • OAuth 2.0 Security
      • Insecure Storage of Access Tokens
    • Microservice Security
      • Sample Coding Demo
        • Service Implementation
        • Client Interaction
      • Security Solution for Microservices Architecture
    • Modifying and Protecting Java Class Files
      • Modify a Class File Inside a WAR File
      • Direct Bytecode Editing
        • Steps to Directly Edit a Java Class File
          • Update: Java Bytecode Editing Tools
      • Techniques to Protect Java Class Files
        • Runtime Decryption in WebLogic
    • JAVA Program
      • Secure, Concurrent Web Access Using Java and Tor
      • Creating a Maven Java project in Visual Studio Code
  • Exploit/CVE PoC
    • ZeroLogon Exploit
    • Remote Retrieved Chrome saved Encrypted Password
    • Twitter Control an RCE attack
  • Hacking Report (HTB)
    • Hits & Summary
      • Tools & Cheat Sheet
    • Windows Machine
      • Love 10.10.10.239
      • Blackfield 10.10.10.192
      • Remote 10.10.10.180
      • Sauna 10.10.10.175
      • Forest 10.10.10.161
      • Sniper
      • Json
      • Heist
      • Blue
      • Legacy
      • Resolute
      • Cascade
    • Linux Machine
      • Photobomb 10.10.11.182
      • Pandora 10.10.11.136
      • BountyHunter 10.10.11.100
      • CAP 10.10.10.245
      • Spectra 10.10.10.229
      • Ready 10.10.10.220
      • Doctor 10.10.10.209
      • Bucket 10.10.10.212
      • Blunder 10.10.10.191
      • Registry 10.10.10.159
      • Magic
      • Tabby
  • Penetration Testing
    • Web Application PenTest
    • Network/System PenTest
    • Mobile Penetration Test
      • Certificate Pinning
        • Certificate Pinning Bypass (Android)
          • Root a Android Device
          • Setup Proxy Tool - Burp Suite
      • Checklist
  • Threat Intelligence
    • Advanced Persistent Threat (APT) groups
      • North Korean APT Groups
      • Chinese APT Groups
      • Russian APT Groups
      • Other APT
  • Red Team (Windows)
    • 01 Reconnaissance
    • 02 Privileges Escalation
    • 03 Lateral Movement
    • 04 AD Attacks
      • DCSync
    • 05 Bypass-Evasion
    • 06 Kerberos Attack
    • 99 Basic Command
  • Exploitation Guide
    • 01 Reconnaissance
    • 02 Port Enumeration
    • 03 Web Enumeration
    • 04 Windows Enum & Exploit
      • Windows Credential Dumping
        • Credential Dumping: SAM
        • Credential Dumping: DCSync
      • Kerberos Attack
      • RDP
    • 05 File Enumeration
    • 06 Reverse Shell Cheat Sheet
      • Windows Reverse Shell
      • Linux Reverse Shell
    • 07 SQL Injection
    • 08 BruteForce
    • 09 XSS Bypass Checklist
    • 10 Spring Boot
    • 11 WPA
    • 12 Payload list
  • Vuln Hub (Writeup)
    • MrRobot
    • CYBERRY
    • MATRIX 1
    • Node-1
    • DPwwn-1
    • DC7
    • AiWeb-2
    • AiWeb-1
    • BrainPan
  • CTF (Writeup & Tips)
    • CTF Tools & Tips
    • Hacker One
    • CTF Learn
    • P.W.N. University - CTF 2018
    • HITCON
    • Pwnable
      • 01 Start
  • Useful Command/Tools
    • Kali
    • Windows
    • Linux
  • Offensive Security Lab & Exam
    • Lab
    • Tools for an Offensive Certification
      • Strategy for an Offensive Exam Certification
        • CVEs
        • Privilege Escalation
        • Commands
        • Impacket
  • ISO 27001
    • Disclaimer
    • What is ISO 27001
      • Implementation
    • Documentation
    • Common Mistake
    • Q&A
      • Can internal audit to replace the risk assessment
      • Is it sufficient for only the IT department head to support the ISO 27001 program
      • Does the Business Continuity Plan (BCP) and a Disaster Recovery Plan (DRP) are the same?
    • ISO 27001 Controls and Domains
      • 1. Information Security Policies
      • 2. Organization of Information Security
      • 3. Human Resource Security
      • 4. Asset Management
      • 5. Access Control
      • 6. Cryptographic Controls
      • 7. Physical and Environmental Security
      • 8: Operational Security
      • 9. Communications Security
      • 10. System Acquisition, Development, and Maintenance
      • 11. Supplier Relationships
      • 12: Information Security Incident Management
      • 13. Information Security Aspects of Business Continuity Management
      • 14. Compliance
Powered by GitBook
On this page
  • Controls (A.12):
  • Control A.12.1.1: Documented Operating Procedures
  • Control A.12.1.2: Change Management
  • Control A.12.1.3: Capacity Management
  • Control A.12.1.4: Separation of Development, Testing, and Operational Environments
  • Control A.12.2.1: Malware Controls
  • Control A.12.3.1: Backup
  • Control A.12.4.1: Event Logging
  • Control A.12.4.2: Protection of Log Information
  • Control A.12.4.3: Administrator and Operator Logs
  • Control A.12.4.4: Clock Synchronization
  • Control A.12.5.1: Installation of Software on Operational Systems
  • Control A.12.6.1: Management of Technical Vulnerabilities
  • Control A.12.6.2: Restrictions on Software Installation
  • Control A.12.7.1: Information Systems Audit Considerations

Was this helpful?

  1. ISO 27001
  2. ISO 27001 Controls and Domains

8: Operational Security

This category focuses on ensuring the secure and reliable operation of information processing facilities. It includes managing and monitoring operational procedures, handling changes, protecting against malware, backup strategies, logging and monitoring, and controlling technical vulnerabilities.

Controls (A.12):

  • A.12.1.1: Documented Operating Procedures

  • A.12.1.2: Change Management

  • A.12.1.3: Capacity Management

  • A.12.1.4: Separation of Development, Testing, and Operational Environments

  • A.12.2.1: Malware Controls

  • A.12.3.1: Backup

  • A.12.4.1: Event Logging

  • A.12.4.2: Protection of Log Information

  • A.12.4.3: Administrator and Operator Logs

  • A.12.4.4: Clock Synchronization

  • A.12.5.1: Installation of Software on Operational Systems

  • A.12.6.1: Management of Technical Vulnerabilities

  • A.12.6.2: Restrictions on Software Installation

  • A.12.7.1: Information Systems Audit Considerations

Control A.12.1.1: Documented Operating Procedures

Audit Questions:

  • Are there documented operating procedures for information processing facilities?

  • How are these procedures communicated and maintained?

Common Non-Conformities (NC):

  • Lack of documented operating procedures.

  • Procedures not communicated effectively.

  • Outdated or insufficiently maintained procedures.

Control A.12.1.2: Change Management

Audit Questions:

  • Is there a formal change management process in place?

  • How are changes documented, approved, and communicated?

Common Non-Conformities (NC):

  • No formal change management process.

  • Changes not documented, approved, or communicated properly.

  • Unauthorized changes made to systems.

Control A.12.1.3: Capacity Management

Audit Questions:

  • How is capacity managed to ensure system availability?

  • Are there plans and metrics in place to monitor and manage capacity?

Common Non-Conformities (NC):

  • Lack of capacity management plans.

  • Insufficient monitoring of capacity.

  • System performance issues due to inadequate capacity management.

Control A.12.1.4: Separation of Development, Testing, and Operational Environments

Audit Questions:

  • Are development, testing, and operational environments separated?

  • How is access to these environments controlled?

Common Non-Conformities (NC):

  • No separation of development, testing, and operational environments.

  • Inadequate access controls for different environments.

Control A.12.2.1: Malware Controls

Audit Questions:

  • What controls are in place to protect against malware?

  • How are these controls monitored and updated?

Common Non-Conformities (NC):

  • Insufficient malware protection measures.

  • Outdated or unmonitored malware controls.

Control A.12.3.1: Backup

Audit Questions:

  • Are there documented backup procedures?

  • How frequently are backups performed and tested?

  • Are backup copies stored securely?

Common Non-Conformities (NC):

  • No documented backup procedures.

  • Infrequent or untested backups.

  • Insecure storage of backup copies.

Control A.12.4.1: Event Logging

Audit Questions:

  • Are events logged and monitored?

  • How are logs reviewed and retained?

Common Non-Conformities (NC):

  • No event logging.

  • Logs not reviewed or retained as required.

Control A.12.4.2: Protection of Log Information

Audit Questions:

  • How is log information protected from unauthorized access and tampering?

  • Are there controls to ensure log integrity?

Common Non-Conformities (NC):

  • Inadequate protection of log information.

  • Log data not protected from unauthorized access or tampering.

Control A.12.4.3: Administrator and Operator Logs

Audit Questions:

  • Are administrator and operator activities logged?

  • How are these logs monitored and reviewed?

Common Non-Conformities (NC):

  • No logging of administrator and operator activities.

  • Logs not monitored or reviewed.

Control A.12.4.4: Clock Synchronization

Audit Questions:

  • Are clocks synchronized across information systems?

  • How is clock synchronization maintained?

Common Non-Conformities (NC):

  • Lack of clock synchronization.

  • Inconsistent time settings across systems.

Control A.12.5.1: Installation of Software on Operational Systems

Audit Questions:

  • Are there procedures for the installation of software on operational systems?

  • How is unauthorized software installation prevented?

Common Non-Conformities (NC):

  • No procedures for software installation.

  • Unauthorized software installations on systems.

Control A.12.6.1: Management of Technical Vulnerabilities

Audit Questions:

  • How are technical vulnerabilities identified, assessed, and managed?

  • Are there procedures for applying patches and updates?

Common Non-Conformities (NC):

  • Inadequate vulnerability management processes.

  • Delayed or missing application of patches and updates.

Control A.12.6.2: Restrictions on Software Installation

Audit Questions:

  • Are there restrictions on software installation?

  • How are these restrictions enforced?

Common Non-Conformities (NC):

  • No restrictions on software installation.

  • Poor enforcement of software installation policies.

Control A.12.7.1: Information Systems Audit Considerations

Audit Questions:

  • How are information systems audits conducted?

  • Are there procedures to minimize disruptions during audits?

Common Non-Conformities (NC):

  • No procedures for conducting information systems audits.

  • Significant disruptions caused by audit activities.

Previous7. Physical and Environmental SecurityNext9. Communications Security

Last updated 4 months ago

Was this helpful?