Clause 8: Operation
Clause 8 requires organizations to implement the risk treatment plan that should have been developed under clause 6. In addition, it asks organizations to put controls and processes in place that work toward achieving their cyber and information security objectives. Clause 8 is broken down into three subclauses.
Clause 8.1: Operational Planning & Control
Clause 8.1 should be easy to demonstrate if your organization has properly implemented the requirements of the previous clauses and is monitoring them. Overall, the organization needs to plan, implement and control the processes needed to meet the ISMS requirements, implement the actions determined in 6.1, and implement plans to achieve the information security objectives set out in 6.2. In addition, the organization must keep documented information (7.5) to the extent necessary to have confidence that the processes are being carried out as planned. In short, it is about planning, implementation and control to ensure the intended outcomes of the information security management system are achieved.
Clause 8.2: Information Security Risk Assessment
Clause 8.2 is another requirement that should be met almost automatically if the organization is carefully following the other requirements (specifically 6.1.2). Overall, the organization is required to perform information security risk assessments at planned intervals, or when significant changes are proposed or occur, and to retain documented information on the results of those risk assessments.
Clause 8.3: Information Security Risk Treatment
Clause 8.3 states that the organization must implement the information security risk treatment plan and retain documented information on the results of that risk treatment. The purpose of the requirement is to ensure that the risk treatment process described in 6.1 actually takes place, rather than remaining a plan on paper.
Please note that certain text from the ISO 27001 standard is only used for instructional purposes. Standard Stores recognizes and respects the International Organization for Standardization (ISO) copyright and intellectual property guidelines.