What does Clause 8 require?
Clause 8 is the “Do” phase of the PDCA cycle. While Clause 6 defines how to plan your risk management activities, Clause 8 requires you to actually execute those plans in day-to-day operations. It is a deliberately concise clause with three sub-clauses that focus on putting plans into action.
8.1 Operational planning and control
The organisation shall plan, implement and control the processes needed to meet PIMS requirements and to implement the actions determined in Clause 6, by:
- Establishing criteria for the processes — Defining what “good” looks like for each operational process
- Implementing control of the processes — Applying the criteria in practice through procedures, work instructions and controls
- Keeping documented information — Retaining evidence that processes have been carried out as planned
The organisation must also control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects as necessary.
Where processes are externally provided (outsourced), the organisation must ensure these are controlled. This is particularly relevant for PII processing, where outsourced activities may involve subcontractors handling personal data on your behalf.
8.2 Privacy risk assessment
The organisation shall perform privacy risk assessments at planned intervals or when significant changes are proposed or occur, taking account of the criteria established in Clause 6.1.2.
This means the risk assessment is not a one-off activity. It must be repeated:
- At planned intervals — Most organisations set an annual cycle, though higher-risk environments may require more frequent assessment
- When changes occur — New processing activities, system changes, regulatory updates, organisational restructuring or security incidents should trigger a reassessment
- When changes are proposed — Proactive assessment before changes are implemented, not just reactive assessment afterwards
The results of privacy risk assessments must be retained as documented information.
8.3 Privacy risk treatment
The organisation shall implement the privacy risk treatment plan. The results of privacy risk treatment must be retained as documented information.
While this sub-clause is brief, its implications are significant. It requires you to:
- Execute all treatment actions defined in your risk treatment plan from Clause 6.1.3
- Implement the controls identified in your Statement of Applicability
- Monitor the implementation status of treatment actions
- Document the results, including any residual risks remaining after treatment
Auditors will compare your risk treatment plan (from Clause 6) with the actual implementation evidence (from Clause 8) to verify that plans have been followed through.
How does this relate to GDPR?
- Article 32 — Security of processing, requiring implementation of appropriate technical and organisational measures. Clause 8.3 is where these measures are put into practice
- Article 35 — Data Protection Impact Assessments (DPIAs) align with the ongoing risk assessment requirement in 8.2
- Article 28(1) — Processor requirements for sufficient guarantees, supported by the externally provided processes controls in 8.1
- Article 24 — Controller responsibility to implement appropriate measures and review/update them where necessary
What changed from ISO 27701:2019?
- Standalone operational requirements — In 2019, Clause 5.6 supplemented ISO 27001 Clause 8. Now the operational requirements are self-contained
- Privacy risk terminology — The 2025 edition uses “privacy risk assessment” and “privacy risk treatment” explicitly, making the privacy focus clear
- Externally provided processes — Greater emphasis on controlling outsourced processes, reflecting the reality that many organisations rely on third parties for PII processing
- Change control — Explicit requirements to control planned changes and review unintended changes
See the Annex F correspondence table for the full mapping.
What evidence do auditors expect?
- Operational procedures — Documented procedures for PII processing activities with defined criteria and controls
- Process monitoring records — Evidence that operational processes are monitored and controlled against defined criteria
- Risk assessment records — Completed risk assessments at planned intervals and triggered by changes
- Risk treatment implementation — Evidence that treatment actions have been implemented as planned, with status tracking
- Change records — Documentation of planned and unintended changes, including impact assessment and mitigation actions
- Supplier/outsourcing controls — Evidence that externally provided processes are identified and controlled
Related clauses
| Clause | Relationship |
|---|---|
| Clause 6: Planning | Clause 8 implements the risk assessment methodology (6.1.2) and risk treatment plan (6.1.3) defined in Clause 6 |
| Clause 7: Support | Operational processes depend on the resources, competence and documentation defined in Clause 7 |
| Clause 9: Performance Evaluation | Monitoring and internal audit evaluate whether operations are being carried out as planned |
| Clause 10: Improvement | Operational nonconformities identified in Clause 8 feed into the corrective action process |
| Annex A Controls | The controls from your SoA are implemented through Clause 8 operational processes |
Why choose ISMS.online for Clause 8 compliance?
ISMS.online provides operational tools for running your PIMS day to day:
- Risk assessment scheduling — Set planned intervals for risk assessments with automated reminders and change-triggered reassessment workflows
- Treatment plan tracking — Monitor the implementation status of every risk treatment action with owner assignments and deadlines
- Process control — Document and manage operational procedures with criteria, work instructions and evidence collection
- Supplier management — Track externally provided processes with due diligence records and ongoing monitoring
- Change management — Record planned and unintended changes with impact assessment and mitigation tracking
FAQs
How often should privacy risk assessments be performed?
The standard requires assessments at “planned intervals” without specifying a frequency. Most organisations conduct a comprehensive review annually, with additional assessments triggered by significant changes. The planned interval should be documented as part of your risk assessment methodology in Clause 6.1.2 and should be proportionate to the volume and sensitivity of PII you process.
What counts as a “significant change” that triggers reassessment?
Examples include introducing new processing activities or systems, changing subcontractors or cloud providers, entering new markets or jurisdictions, regulatory changes (such as new data protection laws), organisational restructuring, and security incidents or data breaches. Your risk assessment methodology should define criteria for what constitutes a significant change in your context.
How do you control externally provided processes?
Through a combination of contractual controls (data processing agreements), due diligence assessments, ongoing monitoring and audit rights. You should maintain a register of externally provided processes, assess each provider’s privacy controls, include appropriate contractual clauses and periodically review their performance. See the A.3 shared controls for specific supplier management requirements.