Operational Requirements (OR) are an essential tool to enable an organisation to produce a clear, considered and high level statement of their security needs based on the risks they face.
A well-defined OR increases the likelihood of success in any security project and reduces the risk of commissioning expensive nugatory work. The involvement of key stakeholders in the OR process will increase executive buy-in for the project, simplifying any organisational change required.
CPNI has recommended the use of an OR process for many years. The development of this process is based on observing projects where security requirements were poorly defined or developed in isolation. Where CPNI has been asked to assist in failing security projects, in almost all cases an OR process has not been followed. In many cases a comprehensive risk assessment is also absent which is why CPNI recommends completing both risk assessments and the OR process as an essential part of any security project.
Where a suitable OR process is used, projects have a significantly higher success rate and stakeholders are better engaged in the security measures implemented.
See below for the OR documents which provide a step by step guide to completing the process. This self-help guidance and accompanying worked examples should enable a security manager to facilitate a structured OR workshop to develop a set of security mitigations for their organisation.