Why Written Is Not the Same as Working: Operational Security and ZInfV-1

by | 13.04.2026

There is a moment in most security programmes where the hard work of building gives way to the assumption that everything is now working. Policies have been written. Controls have been implemented. Suppliers have signed agreements. The risk assessment is done. ZInfV-1 compliance is achieved and the certification is in sight.

And then, quietly, things start to drift. Controls that were correctly configured at deployment are no longer correctly configured. Access rights that were appropriate six months ago have not been reviewed since three people changed roles. Supplier agreements that were negotiated carefully have never been followed up. The programme looks intact from the outside and is eroding from the inside.

This is the operational challenge that a functioning security programme must continuously solve. And it is the challenge that ZInfV-1 holds organisations accountable for — not just at the moment of implementation, but on an ongoing basis.

1. The gap between implemented and operating

Controls degrade. This is not a failure of design — it is the natural consequence of change. Staff turn over, taking institutional knowledge with them. Systems are updated in ways that alter configurations. Exceptions are made under operational pressure and never reviewed. New services are added that fall outside the scope of existing controls.

An organisation that implemented strong controls two years ago and has not verified them since is not operating a security programme. It is operating the memory of one.

Operational security requires that controls are not just in place, but that their continued effectiveness is actively verified. This means testing, monitoring, reviewing, and correcting — as a continuous discipline rather than a periodic project. ISO 27001 makes this explicit: the organisation must plan, implement, control, maintain, and review the processes needed to meet its security requirements and carry out the actions identified in its risk assessment.
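The verification discipline described above can be made concrete for one control, access rights, with a periodic check that compares what each account currently holds against what its current role justifies. The following Python is an added example, not code from the original article or from any ZInfV-1 or ISO 27001 guidance; the roles, users, entitlements and exception records are constructed sample data, and the shape of the baseline is an assumption made for the illustration. It flags three kinds of drift the text mentions: access left over from a previous role, accounts that survive a leaver, and exceptions made under pressure whose review date has passed.

```python
"""Added example (not from the original article): a control-verification check
that flags access-rights drift against a role-based baseline.

All inputs are constructed sample data; roles, systems and user names are
hypothetical and stand in for an HR export and an entitlement export."""
from collections import Counter
from dataclasses import dataclass
from datetime import date

# Baseline: entitlements each role is expected to hold (constructed).
ROLE_BASELINE = {
    "finance-analyst": {"erp:read", "reporting:read"},
    "finance-manager": {"erp:read", "erp:approve", "reporting:read"},
    "sysadmin": {"erp:admin", "reporting:admin", "vpn:admin"},
}

# Current HR view of who holds which role (constructed).
HR_ROLES = {
    "ana": "finance-manager",
    "boris": "finance-analyst",  # moved from sysadmin; old access never removed
    "cvetka": "sysadmin",
}

# Current entitlements as exported from the systems (constructed).
CURRENT_ACCESS = {
    "ana": {"erp:read", "erp:approve", "reporting:read"},
    "boris": {"erp:read", "reporting:read", "vpn:admin"},  # leftover from old role
    "cvetka": {"erp:admin", "reporting:admin", "vpn:admin"},
    "dusan": {"erp:read"},  # not in HR any more: leaver whose account remains
}

# Approved exceptions, each with a date by which it must be reviewed (constructed).
EXCEPTIONS = [
    {"user": "boris", "entitlement": "vpn:admin", "review_by": date(2025, 10, 1)},
]


@dataclass
class Finding:
    user: str
    kind: str    # "excess", "orphan" or "expired-exception"
    detail: str


def review_access(today, baseline=ROLE_BASELINE, hr=HR_ROLES,
                  access=CURRENT_ACCESS, exceptions=EXCEPTIONS):
    """Compare current entitlements with what each user's current role justifies.

    Returns a list of Finding objects; an empty list means no drift detected."""
    findings = []

    # An exception only suppresses a finding while it is still within its review window.
    valid_exc = set()
    for e in exceptions:
        if e["review_by"] >= today:
            valid_exc.add((e["user"], e["entitlement"]))
        else:
            findings.append(Finding(
                e["user"], "expired-exception",
                f"{e['entitlement']} exception review was due {e['review_by'].isoformat()}"))

    for user, held in sorted(access.items()):
        role = hr.get(user)
        if role is None:
            # Account exists in the systems but HR has no current role for it.
            findings.append(Finding(user, "orphan", "account holds access but user is not in HR"))
            continue
        expected = baseline.get(role, set())
        for ent in sorted(held - expected):
            if (user, ent) in valid_exc:
                continue
            findings.append(Finding(user, "excess", f"{ent} not justified by role {role}"))
    return findings


def summarize(findings):
    """Count findings by kind, for a one-line status in a recurring review."""
    return Counter(f.kind for f in findings)


if __name__ == "__main__":
    for f in review_access(date(2026, 4, 13)):
        print(f"{f.kind:18} {f.user:8} {f.detail}")
    print(dict(summarize(review_access(date(2026, 4, 13)))))
```

Run on a date after the exception's review deadline, the check reports the stale admin entitlement, the expired exception and the orphaned account; run on a date within the exception window, only the orphan remains. The point is the schedule, not the script: the same comparison against the same baseline has to run after every role change and at a fixed interval, and each finding has to be closed or re-approved, otherwise the output is just another document.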

WHAT DO REGULATORS LOOK FOR?

Under ZInfV-1, a regulator examining your security posture is not only asking whether controls were implemented. They are asking whether they are currently operating effectively. An access control policy that was correct at implementation but has not been reviewed since a significant staff restructuring is not a functioning control. It is documented intent without current effect.

2. Change management: the control that most organisations skip

The most common mechanism by which controls fail is unmanaged change. A new cloud service is adopted without a security assessment. A system is migrated to a new platform and the access controls are rebuilt from scratch without reference to the original risk assessment. A key supplier is replaced without reviewing what security obligations the original contract contained and whether the new one matches them.

ISO 27001 requires organisations to control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects. In practice, this means security must have a seat at the table when operational decisions are made — not be called in afterwards to assess the damage.

Under ZInfV-1, the obligation runs deeper: security measures must remain proportionate to the organisation's current risk profile. A profile that changes — through new services, new suppliers, new technologies, new staff — requires that security measures are re-evaluated and, where necessary, updated. Change management is not an IT process. It is a security governance requirement.

3. Supply chain security: from clause to oversight

The most consequential shift in information security over the past decade has been the recognition that an organisation's security posture is inseparable from the security posture of the organisations it depends on.

The average significant breach today does not begin with a direct attack on the target organisation. It begins with a supplier — a software vendor with a vulnerable update mechanism, a managed service provider with shared credentials, a subprocessor with inadequate access controls. The attacker reaches the target through the weakest link in a chain, and the weakest link is rarely the largest, best-defended organisation in it.

ZInfV-1 addresses this explicitly. Essential and important entities must manage security risks in supply chains and supplier relationships, including assessing the security posture of their suppliers, imposing security requirements through contracts, and verifying compliance. A standard supplier security clause that was never followed up is not compliance. It is legal cover that creates the illusion of due diligence.

ZINFV-1 SUPPLY CHAIN OBLIGATION

Article 21 of ZInfV-1 explicitly requires essential and important entities to address security in the supply chain, including the security-related aspects of relationships with direct suppliers and service providers. This is an active, ongoing obligation — not a one-time contractual exercise. Regulators examining supply chain security will want to see evidence of assessment, monitoring, and response, not just a standard contract clause.

4. Incident response: the control that only matters when you need it

An incident response capability that has never been tested is not a capability. It is a plan. And when a real incident occurs — at an unpredictable time, under real pressure, with incomplete information — the difference between a plan and a capability becomes immediately apparent.

Operational incident response requires more than a documented procedure. It requires that the people involved know their roles, that the communication chains are current, that the tools and access needed are available, and that the process has been rehearsed sufficiently that the first real incident is not also the first time the procedure is followed under pressure.

Under ZInfV-1, the operational dimension of incident response has a specific time constraint: a 72-hour notification window to SI-CERT for significant incidents. An organisation that cannot detect, assess, and initiate notification within that window — because the detection capability is not operating, the assessment process has never been tested, or the notification chain has not been established — is not in a position to meet its legal obligations. The plan existed. The capability did not.

5. Operational security is not a project — it is a practice

The common thread across all operational security challenges — control verification, change management, supply chain oversight, incident response — is that they require continuous attention rather than periodic effort.

Organisations that treat security as a project — something that gets done, completed, and filed — will find that their programme degrades between reviews. Controls drift. Suppliers change. Staff turn over. The risk picture evolves. And the gap between what the programme was designed to do and what it is currently doing quietly widens.

The organisations that maintain strong security posture treat it as a practice — a set of disciplines that are embedded in how the organisation operates, reviewed regularly, and responsive to change. This is what ISO 27001 means by continual improvement. It is also what ZInfV-1 means when it requires measures to remain proportionate over time.

Getting to that point — from project-based security to practice-based security — is one of the most valuable transitions an organisation can make. It is also one of the most difficult to make without experienced external support, because it requires changes to governance, processes, and culture simultaneously.

IS YOUR SECURITY PROGRAMME STILL WORKING — OR JUST STILL PRESENT?

There is a difference between a programme that was built correctly and one that is currently operating correctly. We help organisations assess the operational effectiveness of their controls, build supply chain security oversight that goes beyond standard contract clauses, and establish the practices that keep a security programme aligned with real risk as the organisation evolves. Free maturity assessment in the comments. Or reach out directly — a 30-minute conversation is a good place to start.

Series continues — next week: Performance Evaluation and Improvement (ISO 27001, Clause 9 and 10)