Clauses 8.1-8.3 are where all the planning that went into identifying the controls and objectives needed for your Information Security Management System (ISMS) in clauses 6.1 and 6.2 is implemented.

These form the day-to-day operations of your ISMS. This is how and where you use your procedures and controls to carry out your everyday tasks.

8.1 Operational planning and control

We’ll start off with 8.1 Operational planning and control.

The main thing to take from this clause is that you need to implement the things necessary to meet your information security requirements. These are controls that you identified as part of your ISMS planning.

You also need to be able to show that you are taking steps towards achieving the objectives that you’ve set.

One of the best ways to demonstrate that you’re meeting these requirements is with records. For example, if you say that you’re going to put a control in place that requires a monthly review and a sign off – then you should be able to show evidence such as:

  • a findings report,
  • a sign-off sheet,
  • logs, etc.

You also need to think about how you want to handle change, whether that change is planned or unexpected. Everybody knows that sometimes things just happen. That’s fine – it’s what happens next that matters.

To satisfy the standard you must be able to show that

  • you’ve identified any effects the change may have on your systems, and
  • you’ve put actions in place to lessen any impacts.

Naturally, that has to be documented so that there is evidence of what you did!

How can this be done?

In our experience, the most common way we see this done is clients creating chapters within their ISMS manual that focus on the operational side of their business processes. When doing this, ensure that your procedures and policies align with the actions and controls identified within the 27001 standard. Our previous blog on Clause 6: Risks, Opportunities, Objectives and Plans has advice on this.

Then you need to show that you’re doing what you say you are doing. For this you should create records. Use an event management product or a calendar to remind you of scheduled reviews, meetings, audits, etc., and then create a folder or other location for each meeting or event within your document management system to save and store the evidence of these events. This lets you go back through months of management review minutes or backup logs. It’s a really easy way to quickly identify when something isn’t working so you can make the necessary changes to stay on top of the ISMS requirements. As an added bonus, everything will be in a single place when it comes time for the ISMS audits!

8.2 Information security risk assessment

Next is clause 8.2 Information security risk assessment.

In clause 6.1.2 the standard requires you to define and apply an information security risk assessment. Clause 8.2 is about performing that assessment. That’s about it!

Carry out the risk assessments in line with your process, schedule these on a regular basis and ad hoc too if needed, and of course, document your findings.

To do this, you can use the following 3-step process to assess your information security risks.

  • Firstly, identify your assets.
  • Secondly, determine the information outputs from those assets.
  • Then finally, classify that information and set a priority on it.

For example, personal information, financial records and passwords can be classified as “secret”. These should then receive a high priority or a higher risk score, and extra controls should be put in place to secure them.

When classifying information, don’t forget about any intellectual property or proprietary information that your organisation uses to distinguish itself from competitors. Often, we see these under-classified. Think about what would happen if a competitor were to obtain the information.

8.3 Information security risk treatment

Finally there is 8.3 Information security risk treatment.

This requires you to implement the information security risk treatment plan that was defined back in clause 6.1.3. As with all things ISO 27001, ensure you record the results of any findings.

It’s important that the risk treatment process is carried out after each security risk assessment to ensure that the correct mitigations are in place.

After the risk assessment, the risks should be transferred onto an Information Security Risk Register and the controls/treatments determined. The controls listed in Annex A of ISO 27001 are a great guide. Others can be found in the information security frameworks provided by NIST, and in the Australian Cyber Information Security Manual (ISM) and New Zealand ISM, among others. Using a combination of control lists offers a more thorough control set to select from, so you can more accurately target and defend against the threats and risks that are most important to your particular organisation and industry.

The selected controls can then be implemented based on the priority set previously: controls for high priority risks are implemented first, and so on.
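The 8.2 three-step assessment and the 8.3 register/treatment step above, worked through in code. This is an added example and not part of the original post or of any DQS material: the classification scheme, scoring formula (sensitivity rank × likelihood), asset names and treatment texts are all constructed for the illustration, since the standard itself prescribes none of them.

```python
"""Minimal information-security risk register (added example, constructed data).

Step 1: identify assets.          -> Asset
Step 2: determine their outputs.  -> InformationOutput
Step 3: classify and prioritise.  -> risk_score / build_register
Clause 8.3: record the register and attach treatments, highest risk first.
"""
from dataclasses import dataclass, field

# Assumed classification scheme; higher rank = more sensitive.
CLASSIFICATION_RANK = {"public": 1, "internal": 2, "confidential": 3, "secret": 4}


@dataclass
class InformationOutput:
    """A piece of information an asset produces or holds."""
    name: str
    classification: str  # one of CLASSIFICATION_RANK
    likelihood: int      # assessor's judgement, 1 (rare) .. 5 (almost certain)


@dataclass
class Asset:
    """An asset in scope of the ISMS and the information it outputs."""
    name: str
    owner: str
    outputs: list[InformationOutput] = field(default_factory=list)


@dataclass
class RiskEntry:
    """One row of the Information Security Risk Register."""
    asset: str
    information: str
    classification: str
    score: int
    treatment: str = "TBD"


def risk_score(output: InformationOutput) -> int:
    """Turn classification and likelihood into a priority score.

    Unknown classifications and out-of-range likelihoods are rejected rather
    than silently scored low, so an under-classified item cannot slip through
    as a typo.
    """
    if output.classification not in CLASSIFICATION_RANK:
        raise ValueError(f"unknown classification: {output.classification!r}")
    if not 1 <= output.likelihood <= 5:
        raise ValueError(f"likelihood must be 1..5, got {output.likelihood}")
    return CLASSIFICATION_RANK[output.classification] * output.likelihood


def build_register(assets: list[Asset]) -> list[RiskEntry]:
    """Assess every output of every asset; return the register, highest risk first."""
    register = [
        RiskEntry(asset.name, out.name, out.classification, risk_score(out))
        for asset in assets
        for out in asset.outputs
    ]
    return sorted(register, key=lambda e: e.score, reverse=True)


def plan_treatments(register: list[RiskEntry], treatments: dict[str, str]) -> list[RiskEntry]:
    """Attach the selected control/treatment to each entry, matched by classification.

    Entries with no mapped treatment keep "TBD" so they surface for a decision
    instead of being assumed covered.
    """
    for entry in register:
        entry.treatment = treatments.get(entry.classification, "TBD")
    return register


def untreated(register: list[RiskEntry]) -> list[RiskEntry]:
    """Entries still lacking a decided treatment: the review action list."""
    return [e for e in register if e.treatment == "TBD"]


# Constructed sample data for the walk-through (not real assets or owners).
SAMPLE_ASSETS = [
    Asset("HR system", "People team", [
        InformationOutput("employee personal data", "secret", 3),
        InformationOutput("staff directory", "internal", 4),
    ]),
    Asset("Build server", "Engineering", [
        InformationOutput("product source code", "confidential", 3),
        InformationOutput("release notes", "public", 5),
    ]),
    Asset("Password vault", "IT", [
        InformationOutput("admin credentials", "secret", 2),
    ]),
]

# Constructed mapping of classification -> selected treatment (e.g. an Annex A control).
SAMPLE_TREATMENTS = {
    "secret": "encrypt at rest, restrict to named roles, quarterly access review",
    "confidential": "role-based access, all changes logged in version control",
    "internal": "authenticated access only",
}


if __name__ == "__main__":
    reg = plan_treatments(build_register(SAMPLE_ASSETS), SAMPLE_TREATMENTS)
    for e in reg:
        print(f"{e.score:>2}  {e.asset:<15} {e.information:<24} {e.classification:<12} {e.treatment}")
    print("needs a treatment decision:", [e.information for e in untreated(reg)])
```

Running it prints the register ordered by score, with "employee personal data" (secret, score 12) at the top and "release notes" flagged as still needing a treatment decision because no treatment was mapped for "public" information. The ordered register is the record an auditor would expect to see under 8.2, and the treatment column plus the "TBD" list is the 8.3 evidence that treatments were decided and prioritised rather than assumed.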

Conclusion

So, there you have it. It is all straightforward really. Just implement the risk controls and objectives that you created back in 6.1.1 and 6.1.2.

Key points:

  1. Plan the implementation of the controls/treatments of your risks.
  2. Implement the controls.
  3. Ensure that you have change management processes in place to manage the changes that will occur.
  4. Make sure you have records to prove that you are meeting the controls and the objectives.

Author
Brad Fabiny

DQS Product Manager - Cyber Security and auditor for the ISO 9001, ISO 27001 standards and information security management systems (ISMS) with extensive experience in software development.
