Operational Planning and Control for ISO 27001 Information Security
ISO 27001 Clause 8.1
This sub-clause requires the organisation to plan, implement and control the processes needed to meet information security requirements and to act on the results of risk assessment and treatment.
ISO 27001 Clause 8.1 - Operational Planning and Control
Clause 8.1 is the operational counterpart to Clause 6.1. Clause 6.1 says the organisation has to plan how to address risks and opportunities. Clause 8.1 says the organisation has to actually do it, control the processes that are running, and manage the changes that affect them.
What ISO 27001 Clause 8.1 Requires
The organisation must plan, implement and control the processes needed to meet the information security requirements and to implement the actions determined in Clause 6.1. This is done by establishing criteria for the processes and by implementing control of the processes in accordance with the criteria. Documented information must be available to the extent necessary to have confidence that the processes have been carried out as planned.
Planned changes must be controlled, the consequences of unintended changes must be reviewed, and action must be taken to mitigate any adverse effects as necessary. Externally provided processes, products and services that are relevant to the ISMS must be controlled.
Operational Processes Within an ISMS
The operational processes within an ISMS include the daily, weekly and monthly activities that keep information security working. Examples include user access reviews, vulnerability scanning, log monitoring, supplier security checks, incident response drills, change reviews and physical security checks. Each of these is a process that has criteria - what it covers, how often it runs, what evidence it produces - and that needs to be controlled to make sure it operates as planned.
The criteria for each process are typically set in the supporting policy or procedure for that area. The records produced by each process - access review reports, scan results, incident logs - provide the documented information that the process is being followed.
Controlling Externally Provided Processes
Where the organisation relies on suppliers for processes that affect the ISMS - cloud hosting, managed IT services, payroll, software development - those processes need to be controlled even though they are running outside the organisation. Control here usually means contracts with information security clauses, supplier assessments, regular reviews of supplier performance and incident notification arrangements.
The organisation does not have to operate the supplier's processes itself. It does have to be satisfied that those processes meet the requirements of the ISMS, and to have evidence that this satisfaction is well-founded.
The risk treatment plan from Clause 6.1.3 turns into operational reality through Clause 8.1. If the treatment plan says vulnerability scanning will be done monthly, the operational record that proves it is happening lives under this clause. The two clauses are joined at the hip.
I sample the operational records at audit. If the access review process is meant to run quarterly, I want to see the last four reports and check the actions identified have been completed. The clause requires evidence the processes are being carried out as planned, and the evidence is what convinces me the system is real, not paper.
Practical Compliance Guidance
The supporting policies and procedures for each area of the ISMS define the operational criteria. Records of each process - reviews, checks, scans, audits - provide the documented information required by Clause 8.1. The supplier and contractor register supports the control of externally provided processes.
The documents below support operational planning and control of the ISMS processes.
| alphaZ document | How to use it |
|---|---|
| ISO 27001 Toolkit | Complete documentation set including the operational policies, procedures and registers needed to demonstrate process control. |
| ER3 Key Supplier and Contractor Register | Register of suppliers and contractors providing services that affect the ISMS, with information security review status and contractual controls. |
| F-Q23 Change Review Form | Structured change review form used to control planned changes and review the consequences of unintended changes. |
Note - all the above files can be downloaded with an alphaZ subscription.
UK Legislation
The following UK legislation often creates specific operational requirements that Clause 8.1 implements through process control.
- UK General Data Protection Regulation (UK GDPR)
- Data Protection Act 2018
- Network and Information Systems Regulations 2018
