This subject covers a wide area. The objective of such controls is to help
ensure the correct and secure operation of information processing facilities.
In order to do this, the following areas need to be considered:
1. Operational procedures need to be documented and maintained. This will include
the specification for the detailed execution of each job, including, for
example, the processing and handling of information and any support contacts in
the event of unexpected difficulties.
2. Inadequate control of changes to information processing facilities and
systems is a common cause of system or security failures, especially if the
installation is growing in size and complexity. Once a certain size is reached,
formal management responsibilities and procedures need to be in place to ensure
satisfactory control of all changes to equipment, software, or procedures. It is
not easy to determine exactly when this point is reached. However, even smaller
systems can benefit from good discipline in regard to change management.
3. Incident management procedures need to be established to ensure a quick,
effective and orderly response to security incidents.
4. In many circumstances it is important that various business roles are
segregated, e.g. the person who raises a purchase order should not also be the
person who verifies that the goods have been received.