ISO 27001 clause 8.1 Operational planning and control

The basics

ISO 27001 sub-clause 8.1 is called “Operational planning and control” — it requires the company to define criteria for its security processes and to control those processes according to those criteria, so that the processes implemented actually satisfy the ISMS requirements.

It also requires controlling planned changes and analyzing the impact of unexpected changes, so that actions can be taken to mitigate any negative effects if necessary.

Finally, this clause requires companies to control externally provided products and services that have an impact on security.

Documentation

ISO 27001 clause 8.1 Operational planning and control requires writing the following documents:

  • Documents that the company itself concluded are necessary for performing security processes

The following documents are not mandatory, and companies can decide whether to write them:

Implementation

Putting the ISMS into practice according to clause 8.1 Operational planning and control means that the ISMS needs to start operating on a day-to-day basis.

This is done according to the following steps:

  1. Determine if there is a need for particular controls – in the Statement of Applicability.
  2. Define how these controls will be implemented – usually in terms of technology, people, and processes. Define also the criteria for those processes.
  3. If needed, create a document that describes the processes and criteria.
  4. Start operating the processes.
  5. Monitor the operation of the processes according to the set criteria.

Audit evidence

When auditing the ISO 27001 clause 8.1 Operational planning and control, the auditor might look for the following evidence:

  • Documents that the company concluded are necessary for performing security processes.
  • Records and observations that the company operations comply with those documents.