ISO 27001 Clause 8.1 – Operational planning and control
This clause is very easy to demonstrate evidence against if the organisation has already ‘showed its workings.’
In developing the information security management system to comply with requirements 6.1, 6.2 and in particular 7.5 where the whole ISMS is well structured and documented, this also achieves 8.1 at the same time. It is about planning, implementation and control to ensure the outcomes of the information security management system are achieved.
Smart organisations going through their planning and early implementation of the information security management system with ISO 27001 certification in mind will also conduct management reviews in line with clause 9.3. We recommend these management reviews for information security happen weekly in the early stages to maintain momentum and build the habit, then stabilise to less frequent periods after the stage 1 audit. Whilst not all the 9.3 standard agenda items can be demonstrated during implementation, administrators can note what has been achieved, what is planned next. It will give independent auditors confidence the organisation is planning well, showing consideration to its spirit of the standard as well as practicing management reviews too.
ISO 27001 Annex A Controls
- A.5 Information security policies
- A.6 Organisation of information security
- A.7 Human resource security
- A.8 Asset management
- A.9 Access control
- A.10 Cryptography
- A.11 Physical and environmental security
- A.12 Operations security
- A.13 Communications security
- A.14 System acquisition, development, and maintenance
- A.15 Supplier relationships
- A.16 Information security incident management
- A.17 Information security aspects of business continuity management
- A.18 Compliance
About ISO 27001
ISO 27001 requirements
- 4.1 Understanding the organisation and its context
- 4.2 Understanding the needs and expectations of interested parties
- 4.3 Determining the scope of the information security management system
- 4.4 Information security management system
- 5.1 Leadership and commitment
- 5.2 Information Security Policy
- 5.3 Organizational roles, responsibilities and authorities
- 6.1 Actions to address risks and opportunities
- 6.2 Information security objectives and planning to achieve them
- 7.1 Resources
- 7.2 Competence
- 7.3 Awareness
- 7.4 Communication
- 7.5 Documented information
- 8.1 Operational planning and control
- 8.2 Information security risk assessment
- 8.3 Information security risk treatment
- 9.1 Monitoring, measurement, analysis and evaluation
- 9.2 Internal audit
- 9.3 Management review
- 10.1 Nonconformity and corrective action
- 10.2 Continual improvement