ISO 27001 Information Security - Clause 8 Operation

ISO 27001 Clause 8 Operation
ISO 27001 Clause 8 Operation - Putting it into practice

4th November 2022 - ISO 27001 Information Security in plain English - Blog post #15.

ISO 27001 - Clause 8 Operation.

Putting it into practice

This clause follows a natural progression from the previous clauses. Having identified the actions necessary to address risk, set objectives, established a risk assessment / treatment methodology (for clause 6), and provided support mechanisms (for clause 7), the next step is to put it into practice. ISO 27001 Clause 8 Operations falls into the DO Quadrant of the PDCA (Plan-Do-Check-Act) cycle. The following sections will explain that in more detail.

8.1 Operational planning and control

The requirement here is to plan the processes needed to ensure information security and in particular, to put in place the actions considered necessary to address risk and meet objectives.

It's important to manage changes (both planned and unplanned), and retain appropriate records of the processes.

You should determine what processes are outsourced to others, and ensure that appropriate controls are in place over those processes. This requirement also relates to the Annex A control for Supplier Relationships. We'll discuss that in later blog in this series.

8.2 Information security risk assessment

In developing an ISMS, a process should have been determined  for assessing risk (see previous blog Clause 6.1 Actions to address risk and opportunities). That process now needs to be implemented. A thorough programme of risk assessments should take place initially, and then as part of project management, when changes occur, and at planned intervals. Records of the assessments must be retained.

Qudos 3 clients should use the software's dedicated Risk module for this purpose. A Risk Register is automatically created and updated when completing risk assessments.

Others will need to develop a process and the necessary documentation / methodology.

As with any other process, those responsible for the assessment of risk need to be competent to perform the task. At the very least, they need to have an understanding of the subject matter, be aware of your business rules and guidelines for assessment, and be trained on any resources or software to be used.

8.3 Information security risk treatment

Similarly, this follows on from a relevant section in Clause 6 (see earlier blog Clause 6.1 Actions to address risk and opportunities). Having established a plan with risk treatment options, that plan now needs to be implemented.

Qudos 3 clients can summarise controls required in the software's Risk Assessment form. Automatic links may be used to generate Action plans to assign responsibility, and initiate and record the treatment.

Once again, others will need to develop a process and the necessary documentation / methodology.

To a great extent, the treatment of risks will take place with the application of controls including those listed in ISO 27001's Annex A.  control for Supplier Relationships. we'll cover those controls in later blogs in this series.  Follow us using the button below to receive notifications when they are released.

About the series 'ISO 27001 Information Security in plain English'

This blog post is part of a series where we will work through all the clauses and controls in ISO 27001. A great starting point for developing your ISMS.

This blog series began with an introductory webinar. A copy of the slide deck is available for you here:

Qudos_ISO_27001 Information_Security_in_plain_English (PDF)

Now updated for the latest version of the standard - ISO 27001:2022.

Click the LinkedIn Follow button below to receive notifications.


There's nothing like word of mouth to share creative content. So, if you found this blog useful, please share it with a colleague or business a

Ready to start your journey to ISO 27001?

The first step to commencing a management system based on ISO 27001 is to conduct a Gap Analysis. We can provide a qualified, experience certification auditor to perform a professional Gap Analysis service for you.

Contact us today to discuss your needs!

ISO 27001 InfoSec Toolkit
Qudos 3 software has integrated Risk and Action modules