Operational management

IT Impact Zone
IT Impact Zone


This is a top level control.

This Control has the following implementation support Control(s):
  • Establish, implement, and maintain a capacity management plan., CC ID: 11751
  • Plan for business process conversions, as necessary., CC ID: 13678
  • Implement all approved programs., CC ID: 13677
  • Manage cloud services., CC ID: 13144
  • Document the organization's business processes., CC ID: 13035
  • Establish, implement, and maintain a Governance, Risk, and Compliance framework., CC ID: 01406
  • Establish, implement, and maintain a Service Management System., CC ID: 13889
  • Include continuity plans in the Service Management program., CC ID: 13919
  • Establish, implement, and maintain a network management program., CC ID: 13123
  • Establish, implement, and maintain an Asset Management program., CC ID: 06630
  • Establish, implement, and maintain a customer service program., CC ID: 00846
  • Establish, implement, and maintain an Incident Response program., CC ID: 00579
  • Establish, implement, and maintain a performance management standard., CC ID: 01615
  • Establish, implement, and maintain a collection management program., CC ID: 14013
  • Perform automated processes according to business requirements., CC ID: 14325
  • Establish, implement, and maintain an accounting system., CC ID: 08950
  • Provide language analysis support, as necessary., CC ID: 14084
  • Establish, implement, and maintain a Service Level Agreement framework., CC ID: 00839
  • Establish, implement, and maintain a cost management program., CC ID: 13638
  • Establish, implement, and maintain a change control program., CC ID: 00886
  • Establish, implement, and maintain a disability accessibility program., CC ID: 06191
  • Establish, implement, and maintain production process control procedures., CC ID: 06209
  • Document the organization's local environments., CC ID: 06726
  • Manage the creation of products and services, as necessary., CC ID: 13497
  • Establish and maintain a service catalog., CC ID: 13634
  • Introduce randomness into organizational operations and assets., CC ID: 10650
  • Conduct official proceedings, as necessary., CC ID: 13836
  • Establish, implement, and maintain a claims management system., CC ID: 14336
  • Establish, implement, and maintain a registration database., CC ID: 15048
  • Establish, implement, and maintain an artificial intelligence system., CC ID: 14943
  • Establish, implement, and maintain a declaration of conformity., CC ID: 15038
  • Establish, implement, and maintain an environmental management system., CC ID: 14945


  • App 2-1 Item Number IV.1(2): The operational management rules must be based on the operation management design. This is a control item that constitutes a greater risk to financial information. This is an IT general control. App 2-1 Item Number IV.2(3): The organization must ensure operations are sta… (App 2-1 Item Number IV.1(2), App 2-1 Item Number IV.2(3), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • Standard § I.1 ¶ 2: Management is required to design and effectively operate processes and ensure all internal controls are in place. Practice Standard § I.5(1): Management should ensure it properly understands the IT environment and uses IT effectively and efficiently. Practice Standard § III.… (Standard § I.1 ¶ 2, Practice Standard § I.5(1), Practice Standard § III.4(2)[2].B.b, On the Setting of the Standards and Practice Standards for Management Assessment and Audit concerning Internal Control Over Financial Reporting, Provisional Translation)
  • O45: For head and branch offices and affiliated channels in retail stores and distribution outlets, the organization shall establish operational management methods for smooth operations and take precautions against illicit withdrawals to ensure the security of CDs/ATMs and unmanned branches. O45.2: … (O45, O45.2, T16, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • The organization should develop a framework for managing risk that should cover the organization's appetite and tolerance for risk. (¶ 737, Basel II: International Convergence of Capital Measurement and Capital Standards - A Revised Framework)
  • A data management review should be performed and should, at a minimum, consider the management of data. (App A.4 (Recommendations for Data Management), IIA Global Technology Audit Guide (GTAG) 4: Management of IT Auditing)
  • The organization must ensure that all operations associated with the identified significant risks and consistent with the organizational resilience management policy, impact analysis, risk assessment, targets, and objectives are identified and planned to ensure they are being executed under specific… (§ 4.4.6, Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009)
  • Successful ICT. An organization should include the following activities within security management; Planning, Implementation, and Operations and maintenance. (§ 6.1, ISO 13335-1 Information technology - Security techniques - Management of information and communications technology security - Part 1: Concepts and models for information and communications technology security management, 2004)
  • Organizational personnel should review the implementation, configuration, and management of the system, infrastructure, and procedures to ensure they are consistent with the organization's privacy policies. If any inconsistencies are identified, they should be corrected in a timely manner. (ID 1.2.4, AICPA/CICA Privacy Framework)
  • Interview management and review the operations information request to identify: ▪ Any significant changes in business strategy or activities that could affect the operations environment; ▪ Any material changes in the audit program, scope, or schedule related to operations; ▪ Changes to interna… (Exam Tier I Obj 1.3, FFIEC IT Examination Handbook - Operations, July 2004)