OPS-03: Service Delivery (Business Process Support)

OPS 7 — High Protect

Mechanisms exist to define supporting business processes and implement appropriate governance and service management to ensure appropriate planning, delivery and support of the organization's technology capabilities supporting business functions, workforce, and/or customers based on industry-recognized standards to achieve the specific goals of the process area.

Control Question: Does the organization define supporting business processes and implement appropriate governance and service management to ensure appropriate planning, delivery and support of its technology capabilities supporting business functions, workforce, and/or customers based on industry-recognized standards to achieve the specific goals of the process area?

Framework Mappings

General (19)

  • AICPA TSC 2017:2022 (used for SOC 2): CC2.1 CC2.1-POF1 CC2.1-POF2 CC2.1-POF3 CC2.1-POF4 CC2.2-POF1 CC2.3-POF2 CC2.3-POF6 CC3.1-POF10 CC3.1-POF11 CC3.1-POF12 CC3.1-POF13 CC3.1-POF14 CC3.1-POF15 CC3.1-POF16 CC3.1-POF7 CC3.1-POF8 CC3.1-POF9 CC5.3-POF3 PI1.1 PI1.3-POF1 PI1.3-POF2 PI1.3-POF3 PI1.3-POF4 PI1.3-POF5 PI1.4-POF1 PI1.4-POF2 PI1.4-POF3 PI1.4-POF4 PI1.5-POF1 PI1.5-POF2 PI1.5-POF3 PI1.5-POF4
  • COBIT 2019: APO01.11 APO09.03 APO09.04 APO09.05 APO11.01 APO11.02 APO11.03 APO11.04 APO11.05
  • COSO 2017: Principle 13
  • CSA CCM 4: STA-06
  • CSA IoT SCF 2: IAM-16 SNT-03
  • ISO/SAE 21434 2021: RQ-05-11 RQ-06-03.a RQ-06-03.b RQ-06-03.c RQ-06-03.d RQ-06-03.e RQ-06-03.f
  • ISO 22301 2019: 8.1 8.4.2.1 8.4.2.2 8.4.2.3 8.4.2.4
  • ISO 27001 2022: 8.1
  • ISO 27002 2022: 5.37
  • ISO 27017 2015: CLD.12.1.5
  • ISO 42001 2023: A.6.2.7 A.6.2.8 A.9 A.9.2 A.9.3 A.9.4
  • NIST Privacy Framework 1.0: ID.IM-P5
  • NIST 800-53 R4: IP-4 IP-4(1)
  • NIST 800-160: 3.4.12
  • NIST 800-171 R3: 03.15.01.b
  • NIST 800-218: PO.3.2
  • SCF CORE Mergers, Acquisitions & Divestitures (MA&D): OPS-03
  • SCF CORE ESP Level 2 Critical Infrastructure: OPS-03
  • SCF CORE ESP Level 3 Advanced Threats: OPS-03

US (12)

  • US C2M2 2.1: ASSET-4.C.MIL2 ASSET-5.A.MIL2 THREAT-3.A.MIL2 RISK-5.A.MIL2 ACCESS-4.A.MIL2 SITUATION-4.A.MIL2 RESPONSE-5.A.MIL2 THIRD-PARTIES-3.A.MIL2 WORKFORCE-4.A.MIL2 ARCHITECTURE-5.A.MIL2 PROGRAM-3.A.MIL2
  • US CERT RMM 1.2: GG1.GP1 GG2.GP6 GG3.GP1 GG3.GP2 OPD:SG1.SP3 OPD:SG1.SP4 OPD:SG1.SP5 OPF:SG3.SP3
  • US CJIS Security Policy 5.9.3: 5.1.2 5.1.2.1
  • US CMS MARS-E 2.0: IP-4 IP-4(1)
  • US DHS CISA TIC 3.0: 3.UNI.SADMI
  • US DHS ZTCF: SEC-03
  • US FDA 21 CFR Part 11: 11.10 11.10(f)
  • US HIPAA Administrative Simplification 2013: 164.310(b) 164.312(e)(2)(ii) 164.316(b)(2)(ii)
  • US HIPAA Security Rule / NIST SP 800-66 R2: 164.310(b) 164.312(e)(2)(ii) 164.316(b)(2)(ii)
  • US HIPAA HICP Medium Practice: 8.M.A
  • US HIPAA HICP Large Practice: 8.M.A 8.L.A
  • US IRS 1075: 2.C.9

EMEA (2)

  • EMEA EU DORA: 9.1 9.2
  • EMEA Germany Banking Supervisory Requirements for IT (BAIT): 8.1 8.2 11.1 11.2 11.3 11.4 11.5 11.6 11.7 11.8

APAC (3)

  • APAC China Privacy Law: 51
  • APAC Japan ISMAP: 4.5.4 4.5.4.1 4.5.4.2 4.5.4.3 4.5.4.4 12.1.5.P
  • APAC Singapore MAS TRM 2021: 7.1.1

Americas (3)

  • Americas Canada CSAG: 1.3 1.5
  • Americas Canada OSFI B-13: 2.2.1 2.8
  • Americas Canada ITSP-10-171: 03.15.01.B

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to define supporting business processes and implement appropriate governance and service management to ensure appropriate planning, delivery and support of its technology capabilities supporting business functions, workforce, and/or customers based on industry-recognized standards to achieve the specific goals of the process area.

Level 1 — Performed Informally

Security Operations (OPS) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Cybersecurity operations are decentralized.
  • The responsibility for developing and operating cybersecurity and data privacy procedures is left to the business process owner(s) to determine, including the definition and enforcement of roles and responsibilities.

Level 2 — Planned & Tracked

Security operations (OPS) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Security operations management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
  • IT/cybersecurity personnel identify cybersecurity and data protection controls to address applicable statutory, regulatory and contractual requirements for security operations.
  • Administrative processes focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.
  • Critical business functions are documented in “run books” or Standardized Operating Procedures (SOPs) to capture operational knowledge in documentation form.

Level 3 — Well Defined

Security Operations (OPS) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • A Security Operations Center (SOC), or similar function, manages cybersecurity operations covering preparation, detection and analysis, containment, eradication and recovery.
  • Procedures are standardized across the enterprise to ensure uniformity and consistent execution. These Standardized Operating Procedures (SOPs) identify and document day-to-day procedures to enable the proper execution of assigned tasks.
  • Line of Business (LOB) stakeholders are identified and tasked with documenting business-critical functions in “run books,” or SOPs, to capture the knowledge in documentation form from both a business and technology perspective.

Level 4 — Quantitatively Controlled

Security Operations (OPS) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
  • Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
  • Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third parties.
  • Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
  • Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
  • Both business and technical stakeholders are involved in reviewing and approving proposed changes.

Level 5 — Continuously Improving

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to define supporting business processes and implement appropriate governance and service management to ensure appropriate planning, delivery and support of its technology capabilities supporting business functions, workforce, and/or customers based on industry-recognized standards to achieve the specific goals of the process area.

Assessment Objectives

  1. OPS-03_A01 supporting business processes are defined.
  2. OPS-03_A02 appropriate governance and service management is implemented to ensure appropriate planning, delivery and support of business functions, workforce, and/or customers.

Evidence Requirements

E-TPM-04 Service Level Agreements (SLAs) (category: Third-Party Management)

Documented evidence of third-party Service Level Agreements (SLAs) to support business operations.

Technology Recommendations

Micro/Small

  • Documented Standardized Operating Procedures (SOP)

Small

  • Documented Standardized Operating Procedures (SOP)

Medium

  • Documented Standardized Operating Procedures (SOP)
  • VisibleOps (https://itpi.org)
  • ITIL 4 (https://axelos.com)

Large

  • Documented Standardized Operating Procedures (SOP)
  • VisibleOps (https://itpi.org)
  • ITIL 4 (https://axelos.com)
  • COBIT 2019 Framework (https://isaca.org)

Enterprise

  • Documented Standardized Operating Procedures (SOP)
  • VisibleOps (https://itpi.org)
  • ITIL 4 (https://axelos.com)
  • COBIT 2019 Framework (https://isaca.org)

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.