Table of contents
- ISO27001 Clause 8.1 Operational Planning and Control
- ISO27001 Clause 8.2 information security risk assessment
- ISO27001 Clause 8.3 information security risk treatment
Hello! My name is Stuart Barker. I am the ISO27001 Ninja and in today’s tutorial we are going to be taking a look at ISO27001 Clause 8 Operation. We’re going to do a step-by-step deep dive to give you the maximum level of success when it comes to your ISO27001 Certification.
We’re going to show you what it is that you need to do and hopefully we’re going to empower you and you’re going to go forward and you’re going to be super super, successful.
We are going to cover
- ISO27001 8.1 Operational Planning and Control
- ISO27001 8.2 Information Security Risk Assessment
- ISO27001 8.3 Information Security Risk Treatment
ISO27001 Clause 8.1 Operational Planning and Control
What we’re going to do here is we’re going to start with the definition. What the standard actually says so that we understand what it is that we are meant to be doing and then I’m going to show you how you can go about doing it.
So, strap yourself in, buckle up and get ready for another great tutorial on ISO27001.
So, the definition –
The organisation shall plan, implement and control the processes needed to meet the requirements and to implement the actions determined in Clause 6 by establishing criteria for those processes, implementing control of the processes in accordance with the criteria. Documented information shall be available to the extent necessary to have confidence that the processes have been carried out as planned. The organisation shall control and plan changes and review the consequences of unintended changes taking action to mitigate any adverse impacts as necessary. The organisation shall ensure that externally provided processes products or services that are relevant to the information security management system (ISMS) are controlled.
So, actually this is probably the first time that we’ve seen the standard deviate within a sub clause across multiple topics. Normally where we go through the standard, a clause, a control, or a sub clause in this case – would cover one area. This one is actually covering many areas.
So let’s unpick that and look at how we can go about that.
We need to plan and control the processes necessary to meet the requirements of clause 6. Now, clause 6 was about identifying objectives and understanding and doing risk assessments and understanding what our risks are.
What this is basically say saying is – that the processes that make up the management system need to be documented.
Now, documented processes is going to fall into two categories. There are going to be documented processes for the information security management system, the isms, then there are going to be documented processes that support the annex a controls.
The ISO27001 Annex A Controls as we’ve touched on previously are going to be documented in your ISO27001 Statement of Applicability, your SOA, and you are going to choose those annex a controls based on risk. The risk that you’ve identified as part of clause 6. And the needs of your business.
So, what do we need? We need documented processes for the isms, we need documented processes for our controls, we need documented processes. We’ve said this many, many, times – the ISO27001 standard is documentation heavy.
It is very likely that you are already doing the majority of the things that are required and we will cover those when we get to annex a, in the implementation of controls but usually your level of documentation is going to be sporadic. This is saying document those.
When it comes to the information security management system (ISMS) the processes that you need to manage that are provided as part of the ISO27001 Toolkit. The ultimate toolkit, the ultimate toolkit for ISO27001 Certification. Clearly it gives you everything you need and it gives you the documented processes how to do continual improvement, how to do risk assessment, how to manage your management review meetings. All the things that you need todo are already documented.
DO IT YOURSELF ISO27001
STOP SPANKING £10,000s
If you’re not getting the ISO27001 Toolkit and you’re going to do this yourself, which we have absolutely no issue with, make sure that the processes that make up your management system are documented. We’ve covered in previous tutorials, in fact the last tutorial we looked at documented information and there are requirements around what that documented information needs. For example it needs classification and it needs version control. So, review that documented information tutorial . Be sure to go and check that out and look at how your documents need to be structured.
But be sure to document those processes.
We need to make sure that we are implementing those processes in line with the criteria. The criteria is based on our objectives and based on our risk.
The clause says that documented information shall be available to the extent necessary to have confidence that the process has been carried out as planned, not only is it important that we document our processes, our processes are going to have outputs, our document, our processes are going to have inputs and what we need to do is evidence those inputs and outputs of those processes.
Usually that is going to be in the form of reports that are generated.
So, I can think here around things like internal audit reports, external audit reports, IT management reports, you know monthly reports about your antivirus status, your patching status, your inventory, the number of new users, your help desk calls, those kind of outputs that come from the processes need to be documented and need to be recorded and those requirements are covered in other ISO27001 clauses and we will come to those but we need to make sure that that documented information is available.
Do we have the process? Yes.
Is it documented? Yes.
Does it meet the documentation requirements of the standard? Yes.
Do we know what the inputs are? Yes.
Can we show those inputs on a regular basis? Yes.
Can we show those outputs on a regular basis? Yes.
Do we have evidence of those? Yes.
Then we are going to be absolutely golden.
The next part of the clause then looks at change. Right, it takes a Segway. So, now it’s looking at change management. Now change management will be covered in more depth in other videos and in other guides. It is actually, an ISO27001 Annex A control in its own right – ISO27001 Annex A 8.32 Change Management – but the standard here is calling out to it to say that changes should be planned and reviewed and the consequences of unintended changes should be assessed and actions taken to mitigate those.
We’ve already touched on change in terms of the management system itself so you will see when we discussed the ISO27001 Clause 6.3 planning changes to the isms, the new ISO27001 clause that came in, that has, that has pushed us to document what we are already doing which is planning our isms changes throughout the year. So, things like our annual review, our annual update, our annual business continuity test, our annual pen test, our annual risk review. There are many things that happen throughout the year that can change our isms that need planning and we’ve covered that in ISO27001 Clause 6.3.
My feel here is, and it’s covered in other clauses so it will be true, it will happen either way but what this, this is looking at, is saying that the processes that we’ve got, you need to include change management.
So when we’re making changes do we have a change management process? If you have a change management policy, you have a change management process and you’re following that structured change approach then this is going to be golden and you’re going to be satisfying that no problem.
Third Party Supplier Management
The next part of ISO27001 Clause 8.1, again it’s a smorgasbord, right, is the organisation shall ensure externally provided processes products or services that are relevant to the information security management system (ISMS) are controlled.
What this is alluding to is third-party supplier management. Supplier management security, securing the supply chain, again this is an ISO27001 Annex A control, it’s a control in its own right and there are more detailed guides and blogs and videos on how we do that – ISO 27001 Annex A 5.19 Information Security In Supplier Relationships
This is about identifying our third-party suppliers this is about having that third-party supplier policy, that third-party supplier assessment process, this is about having a third-party supplier register. Within that register then we’re assessing and we’re tracking and we’re monitoring measuring and controlling those suppliers.
A top tip here is and I think it will come in later down the line is to make sure that you have regular reviews with your third-party suppliers against their performance and against contract. Again within the 2022 update it’s always been there but people you know, the auditors, seem to have a bee in a bonnet around that as well.
ISO27001 Clause 8.1 Operational Planning and Control Summary
So, that is 8.1 operational planning control. Summarise, summarise and summarise again.
Document your processes.
Document your processes for both the information security management system (ISMS) and for the ISO27001 Annex A controls.
Document your processes in a way that is structured to meet the requirements of the document markup that the standard is pushing you down – version control, classification, right, all the good things that we covered in ISO27001 Documented Information .
Make sure that changes are planned throughout the year.
Make sure that you have a change management process in place.
Make sure that when the processes are operating that the inputs and outputs to those processes are recorded and evidenced so that you can show that the process was operating and operating effectively.
For third-party suppliers and third-party products and services that impact your information security management system (ISMS) follow the third-party supplier policy and process covered in ISO 27001 Annex A 5.19 Information Security In Supplier Relationships
ISO27001 Clause 8.2 information security risk assessment
We’re going to cover the other two sub clauses of ISO27001 Clause 8 here really because the next two are really fast.
Right, ISO27001 Clause 8.2 information security risk assessment. We’ve covered this so many times, ISO27001 is a risk-based system. If you are coming to this blog out of sequence then go look, go and look at the blog and the videos on ISO 27001 Clause 6.1.2 Information Security Risk Assessment
the organisation shall perform information security risk assessment at planned intervals or when significant changes are proposed or occur taking account of the criteria in ISO27001 Clause 6. The organisation shall retain documented evidence of the results of the information security risk assessments.
So, this is about, we’ve got that policy, we’ve shown you previously, you’ve got that process, I’ve walked you through the process of how you do risk assessment, we do risk assessments at least annually, then we do them as significant change occurs, we include them ideally within our projects, within our software development cycles, where it is appropriate to do so.
The bare minimum you need to do is an annual full risk assessment.
ISO27001 Clause 8.3 information security risk treatment
This is supplementary to ISO 27001 Clause 6.1.3 Information Security Risk Treatment.
the organisation shall implement the information security risk treatment plan. The organisation shall retain documented information of the results of the information security risk treatment.
What is this saying? We have the risk policy, we have the risk process, we have our risk register, we’ve covered it so many times about how to conduct risk, what it’s saying is when you get to your risk treatment document, that risk treatment document, what it is that you are going to do or what it is that you did do and maintain that as evidence that you did it.
It is going to be the outputs of your risk assessments, it’s going to be version controls of your risk registers, it’s going to be minutes of meetings where they were discussed, it’s going to be evidences from new processes and new controls that are put in place.
What it’s basically saying is when you do your risk treatments, treatment evidence that that treatment worked and was effective.
So there is a lot in there. A lot in there in terms of to-do. In fact the to-do aspect of this very short clause is probably one of the most significant aspects because it is documentation, right, this is about writing down and documenting the processes that you do or you’re going to do or that you need to do, doing it in the right way.
If I was going to give you a top tip, my ISO27001 Ninja top tip and I come across many times is include within your processes exception steps.
What will often happen is you will write a process that is waterfall, linear and assumes a certain outcome within your process.
My top tip is to include an exception step.
At least one.
What if something goes wrong?
Example – if you implement a change and the change goes wrong what is your exception step? If you do a HR background check on an employee and it fails what is your exception step? What are you going to do if that fails? If you install antivirus and it’s running on all of the machines and you find a virus has infected a machine, what are you going to do? What is the exception step?
It is useful because it’s part of process documentation and planning and control but it is also something that Auditors will pick you up on when it comes to the audit. They like to look at your processes and say – ah, but what if? What if this went wrong? What if that went wrong?
Better that you have second guessed that and provided the evidence for that, cut that off at the pass and saved yourself either a minor nonconformity or an observation up front.
So my name is Stuart Barker.
I am the ISO27001 Ninja.
That was ISO27001 Clause 8 Operation and until the next video tutorial, peas out.