ISO 27001 Clause 8.1

ISO 27001 Clause 8.1 Operational Planning and Control

ISO 27001 is an internationally recognised standard that sets out what you need to do to keep your important information safe. Think of it as a set of instructions for protecting your organisation’s key data.

Clause 8 of ISO 27001 is about how your information security management system (ISMS) works day-to-day. It includes what you need to do to plan, put in place, and manage the processes used to look after information security.

Within Clause 8, you’ll find 8.1, which is about planning and controlling operations. This part of the standard says that organisations need to carefully plan, carry out their plans, and keep an eye on processes to make sure they meet information security needs.

This clause is quite easy to show you are meeting if your organisation has already ‘shown how it works’. When you build your ISMS to follow the requirements of clauses 6.1 and 6.2, and especially 7.5 (where the whole ISMS is well organised and written down), you meet the requirements of clause 8.1 at the same time.

What is ISO 27001 Clause 8.1?

The organisation shall plan, implement and control the processes needed to meet information security requirements, and to implement the actions determined in clause 6 by:
– establishing criteria for processes;
– implementing control of the processes in accordance with the criteria.
Documented information shall be available to the extent necessary to have confidence that the processes have been carried out as planned.
The organisation shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary.
The organisation shall ensure that externally provided processes, products or services that are relevant to the information security management system are controlled.

ISO 27001:2022 Clause 8.1 Operational Planning and Control

What is clause 8 of ISO 27001 about?

Clause 8 of ISO 27001 is about these things:

  • Planning, putting in place, and managing the steps needed to meet information security rules.
  • Watching and checking how the ISMS is working.
  • Keeping the ISMS going and making it better.

What does Clause 8.1 involve?

It’s about planning, putting things into action, and keeping control to make sure the information security management system achieves its goals.

Smart organisations that are planning and starting to set up their information security management system with ISO 27001 certification in mind will also do management reviews as described in clause 9.3. We suggest doing these information security management reviews weekly at the beginning to keep things moving and build the habit. After the first audit stage, you can do them less often.

Even though you won’t be able to show everything clause 9.3 lists during the early stages, management can record what has been done and what is planned next. This gives the independent auditors confidence that the organisation is planning well, showing that it understands the purpose of the standard and is already practising management reviews.