Having clear procedures in place helps us avoid unknown outcomes. These procedures range from staged change management for rolling out new hardware without negative impact, to proper capacity management and dedicated testing environments.
Security category – 12.1. Operational procedures and responsibilities
12.1.1. Documented operating procedures.
It is often best practice in IT to make sure you have all your systems and tasks documented. This is good for a few reasons: so you don't forget how your systems are set up, so knowledge of tasks and systems can be passed on to all your employees, and so that, if something goes wrong, there is sufficient information to remediate the issues in a timely fashion. The ISO standard follows a similar line of thought and recommends we document any task that involves information processing. These tasks can include installation, initial configuration, backups, scheduling restrictions, commonly encountered errors, how issues can be escalated and how information should properly be handled.
12.1.2. Change management.
Change management should always be comprehensively and clearly documented, with defined steps. At the very least this documentation should outline an approval process to which requested changes are submitted, an assessment of the risks associated with the plan, mitigating steps to limit the risks, an agreement/approval stage, a testing phase once the technology has been deployed and a rollback plan if things go wrong. This control is INFRASTRUCTURE focused: it covers changes to the network and to the servers that applications run on.
12.1.3. Capacity management.
If our resource use exceeds our capacity, we can suffer a loss of availability of that service. We should always balance the two and plan ahead to ensure we have sufficient capacity for our operations. This can be capacity planning for internet bandwidth in your office, so staff can carry out their day-to-day tasks, as well as redundancy in capacity for IT systems, so services are able to meet the needs of all their users. This stage is important and has spun off its own category of systems administrators who specialize in IT capacity management. These staff ensure there is always sufficient capacity on your information systems to avoid legitimate requests being lost or rejected. The advent of cloud architectures has reduced the complexity and expense of modern capacity management. All steps and safeguards we have in relation to capacity management should be documented.
12.1.4. Separation of development, testing and operational environments.
Many organizations implement some form of change management. The most basic involves deploying new code to a testing, or development, environment before putting that code on production servers. ISO recommends we have at least 3 separate environments to avoid the chaos and disruption of deploying untested code to live servers. Developers should be able to continually deploy code on their development environment before allowing QA/testers to check the code in a staging, or test, environment. Once changes are agreed as per the change management process, this code can be deployed to a production, or operational, environment, which is the environment the end users interact with. It is good practice to document each of the environments, keep them logically separate and have procedures in place for moving code between, and accessing, each one.