ISO 27001 Clause 8

ISO 27001 clause 8 Operation

ISO 27001 clause 8 is called “Operation” — this clause defines requirements for regular re-assessment and treatment of risks, as well as the implementation of controls and other processes needed to protect the information.

This clause is important because it defines how the ISMS is used on a daily basis.

Clause 8 has three sub-clauses:

  • Clause 8.1 — Operational planning and control — it requires defining criteria for the security processes and controlling those processes according to those criteria, so that the processes actually satisfy the ISMS requirements; further, it requires controlling planned changes and analysing the impact of unexpected changes, so that actions can be taken to mitigate negative effects if necessary; finally, this clause requires companies to control externally provided products and services that have an impact on security.
  • Clause 8.2 — Information security risk assessment — it requires risk assessments to be performed at planned intervals or according to the criteria defined in the Risk Assessment Methodology.
  • Clause 8.3 — Information security risk treatment — it requires the Risk Treatment Plan to be implemented.