Clause 8: Operation

Clause 8 requires organizations to implement the risk treatment plan that should have been developed under clause 6. In addition, it asks organizations to put controls and processes in place that help them achieve their cyber and information security objectives. Clause 8 is broken down into three subclauses.

Clause 8.1: Operational Planning & Control

Clause 8.1 should be easy to demonstrate if your organization has implemented the requirements of the previous clauses properly and is monitoring them. Overall, the organization needs to plan, implement and control the processes needed to meet the requirements of the ISMS, implement the actions determined in 6.1, and implement plans to achieve the information security objectives set forth in 6.2. In addition, the organization must keep documented information (7.5) to the extent necessary to provide confidence that the processes are being carried out as planned. In short, clause 8.1 is about planning, implementation and control to ensure that the intended outcomes of the information security management system are achieved.

Clause 8.2: Information Security Risk Assessment

Clause 8.2 is another requirement that should be largely satisfied already if the organization is carefully following the other requirements (specifically 6.1.2). Overall, the organization is required to perform information security risk assessments at planned intervals, and when significant changes are proposed or occur, and to retain documented information on the results of those risk assessments.

Clause 8.3: Information Security Risk Treatment

Clause 8.3 states that the organization must implement the information security risk treatment plan and retain documented information on the results of that risk treatment. The purpose of the requirement is to ensure that the risk treatment process described in 6.1 actually takes place. 

Please note that certain text from the ISO 27001 standard is only used for instructional purposes. Standard Stores recognizes and respects the International Organization for Standardization (ISO) copyright and intellectual property guidelines.
