Domain 5 of 6 · Chapter 3 of 6

Operational Controls & Standards

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing Certified Cloud Security Professional premium course — no separate purchase.

Included in this chapter:

  • ISO/IEC 20000-1 and ITIL: the standard and the practice
  • Incident vs problem management: restore now, fix the cause later
  • Change, release, and deployment: authorize, build, install
  • Configuration management: the CMDB other processes depend on
  • Service-level, availability, capacity, and continuity, plus CSI

ITIL/ISO 20000-1 processes: what each one owns

ProcessTriggerPrimary goalOwns / produces
Incident managementService is degraded or downRestore normal service fastWorkaround, restored service
Problem managementRecurring or high-impact incidentsFind and remove root causeRoot-cause analysis, known-error record
Change managementA modification is requestedAuthorize and schedule safelyCAB approval, change record
Release managementAn approved changeBuild and test a deployable packageTested release package
Deployment managementA built releaseInstall into live environmentLive, running components
Configuration managementAny CI is added or alteredKeep an accurate record of CIsCMDB, CI relationships
Service level managementA service is offered or reviewedAgree and track service qualitySLA, service reviews
Capacity managementDemand forecast or SLA reviewMatch resource to demand cost-effectivelyCapacity plan
Availability managementUptime target is setMeet the agreed availabilityAvailability plan
Continuity managementDisruption-risk planningRecover the service after disruptionContinuity plan

Decision tree

Service running normally?pick the activity typeNo, it brokeYes, changing itJust restore it?vs remove the causerestorerecursIncident mgmtworkaround, fastProblem mgmtroot causeAuthorize, build, or install?the change pipelineauthorizebuild/testinstallChange mgmtCAB approvesRelease mgmttested packageDeployment mgmtinstall to liveGoverning quality, not a single change?ongoing service-delivery activityneither: it is deliveryService level mgmtthe SLA targetCapacity mgmtresource forecastConfig mgmtrecord the CIsContinual improvementmeasure, feed back

Cheat sheet

  • ISO/IEC 20000-1 is the certifiable SMS standard; ITIL is the practice guidance
  • Incident management restores service; problem management removes the cause
  • A known error is a problem whose cause is understood but not yet fixed
  • Change management authorizes; release builds; deployment installs
  • One change can yield several releases, and one release can deploy to many targets
  • Normal changes go to the CAB; emergency changes use the ECAB but are still recorded
  • Configuration management keeps the CMDB of CIs and their relationships
  • An inaccurate CMDB silently breaks every process that trusts it
  • Service level management owns the SLA the other delivery processes serve
  • Availability management designs for uptime; incident management restores a down service
  • Capacity management matches resource to demand cost-effectively
  • Service continuity management owns the recover-after-disruption plan
  • Continual service improvement is the measure-and-feed-back loop, not a delivery process
  • Information security management is part of the SMS and overlaps the ISO 27001 ISMS
  • The detection tooling that finds incidents belongs to security operations, not the incident process
  • Map the question's verb to the process that owns the activity
  • SOC 3 is the general-use report you can share without an NDA
  • SOC 1 covers controls relevant to financial reporting; SOC 2 covers security
  • SOC Type I is a point-in-time design opinion; Type II tests operating effectiveness over a period
  • A bridge letter covers the gap after a SOC report period ends
  • RPO is the maximum tolerable data loss, and it sets backup frequency
  • Pick the DR strategy that meets the required RTO and RPO at acceptable cost
  • A tabletop exercise validates the DR plan by discussion, without failing over systems
  • In multi-tenant cloud you rely on the CSP's audit report, not direct infrastructure access

Unlock with Premium — includes all practice exams and the complete study guide.

Also tested in

References

  1. ISO/IEC 20000-1:2018 — Service management — Part 1: Service management system requirements Whitepaper
  2. ISO/IEC 27001:2022 — Information security management systems Whitepaper
  3. Cloud Security Alliance — Security Guidance for Critical Areas of Focus in Cloud Computing (shared responsibility, incident response, security monitoring) Whitepaper
  4. What is continuous delivery? — Azure DevOps (CI/CD pipeline, progressive rollout, blue-green/canary)