ISO 27001 Operations – Tutorial


Introduction

In this tutorial we are going to cover ISO 27001 Operations (Clause 8).

You will learn

  • What ISO 27001 Operations is
  • How to implement ISO 27001 Operations

Implementation Guide

Document Processes

We need to plan and control the processes necessary to meet the requirements of clause 6. Clause 6 was about setting objectives, carrying out risk assessments and understanding what our risks are.

What this is basically saying is that the processes that make up the management system need to be documented.

Documented processes fall into two categories. There are documented processes for the information security management system, the ISMS, and there are documented processes that support the Annex A controls.

The ISO 27001 Annex A controls, as we’ve touched on previously, are documented in your ISO 27001 Statement of Applicability, your SOA, and you choose those Annex A controls based on risk – the risk that you’ve identified as part of clause 6 – and on the needs of your business.

So, what do we need? We need documented processes for the ISMS and we need documented processes for our controls. We’ve said this many, many times – the ISO 27001 standard is documentation heavy.

It is very likely that you are already doing the majority of the things that are required, and we will cover those when we get to Annex A in the implementation of controls, but usually your level of documentation is going to be sporadic. This clause is saying: document those processes.

Document the ISMS

When it comes to the information security management system (ISMS), the processes that you need to manage it are provided as part of the ISO 27001 Toolkit. It gives you everything you need, including documented processes for how to do continual improvement, how to do risk assessment and how to run your management review meetings. All the things that you need to do are already documented.


If you’re not getting the ISO 27001 Toolkit and you’re going to do this yourself, which we have absolutely no issue with, make sure that the processes that make up your management system are documented. In the last tutorial we looked at documented information, and there are requirements around what that documented information needs: for example, it needs classification and it needs version control. So review the documented information tutorial and check how your documents need to be structured.

But be sure to document those processes.

We need to make sure that we are implementing those processes in line with the criteria. The criteria are based on our objectives and on our risks.

Make documentation available

The clause says that documented information shall be available to the extent necessary to have confidence that the process has been carried out as planned. So it is not only important that we document our processes; our processes have inputs and outputs, and what we need to do is evidence those inputs and outputs.

Usually that is going to be in the form of reports that are generated.

Example Records

I can think here of things like internal audit reports, external audit reports and IT management reports – monthly reports about your antivirus status, your patching status, your inventory, the number of new users, your help desk calls. Those kinds of outputs that come from the processes need to be documented and recorded. Those requirements are covered in other ISO 27001 clauses and we will come to them, but we need to make sure that the documented information is available.

Do we have the process? Yes.

Is it documented? Yes.

Does it meet the documentation requirements of the standard? Yes.

Do we know what the inputs are? Yes.

Can we show those inputs on a regular basis? Yes.

Can we show those outputs on a regular basis? Yes.

Do we have evidence of those? Yes.

Change Management

The next part of the clause then looks at change. Right, it takes a segue, so now it’s looking at change management. Change management will be covered in more depth in other videos and in other guides. It is actually an ISO 27001 Annex A control in its own right – ISO 27001 Annex A 8.32 Change Management – but the standard here is calling out to it to say that changes should be planned and reviewed, and the consequences of unintended changes should be assessed and actions taken to mitigate them.

We’ve already touched on change in terms of the management system itself. When we discussed ISO 27001 Clause 6.3, planning changes to the ISMS, the new ISO 27001 clause that came in, we saw that it has pushed us to document what we are already doing, which is planning our ISMS changes throughout the year: things like our annual review, our annual update, our annual business continuity test, our annual pen test and our annual risk review. There are many things that happen throughout the year that can change our ISMS and that need planning, and we’ve covered that in ISO 27001 Clause 6.3.

My feel here is, and it’s covered in other clauses so it will happen either way, that what this part is looking at is saying that the processes that we’ve got need to include change management.

So when we’re making changes do we have a change management process? If you have a change management policy, you have a change management process and you’re following that structured change approach then this is going to be golden and you’re going to be satisfying that no problem.

Third Party Supplier Management

The next part of ISO 27001 Clause 8.1, again it’s a smorgasbord, right, is that the organisation shall ensure externally provided processes, products or services that are relevant to the information security management system (ISMS) are controlled.

What this is alluding to is third-party supplier management. Supplier management security, securing the supply chain – again this is an ISO 27001 Annex A control, a control in its own right, and there are more detailed guides, blogs and videos on how we do that: ISO 27001 Annex A 5.19 Information Security In Supplier Relationships.

This is about identifying our third-party suppliers, having a third-party supplier policy and a third-party supplier assessment process, and having a third-party supplier register. Within that register we then assess, track, monitor, measure and control those suppliers.

Top tip

A top tip here, and I think it will come in later down the line, is to make sure that you have regular reviews with your third-party suppliers against their performance and against contract. It has always been there, but with the 2022 update the auditors seem to have a bee in their bonnet about that as well.

Risk Assessment

This is about having a risk assessment policy and process. I’ve walked you through how you do risk assessment previously.

The bare minimum you need to do is an annual full risk assessment.

Risk Treatment

Maintain your risk treatment document as evidence that you did it.

That evidence is going to be the outputs of your risk assessments, the version history of your risk registers, minutes of meetings where the risks were discussed, and evidence from new processes and new controls that are put in place.

What it’s basically saying is: when you do your risk treatments, evidence that the treatment worked and was effective.

ISO 27001 Operations – Training Video

If you prefer to watch rather than read, you can watch: How to implement ISO 27001 Clause 8 Operation | Step-by-Step Guide.