ISO 27001 Clause 8.3 Information Security Risk Treatment

What Is Clause 8.3?

ISO 27001 Clause 8.3 is about carrying out your risk treatment plan. Clause 6.1.2 requires you to assess information security risks and Clause 6.1.3 requires you to decide how each risk will be treated and to document that decision in a risk treatment plan. Clause 8.3 is the operational counterpart: it requires you to actually implement that plan and to retain documented information on the results of the treatment. In other words, 6.1.3 is where you decide, and 8.3 is where you do and keep the evidence.

How to Treat Risks

For each identified risk, the treatment plan records one of four options (the naming follows ISO 27005):

  • Modify (reduce) it: apply controls that lower the likelihood or the impact. The Annex A controls selected for this purpose must be reflected in the Statement of Applicability.
  • Share it: pass part of the risk to another party, for example through cyber insurance or a supplier contract. Sharing reduces the financial exposure but does not remove your accountability for the information.
  • Avoid it: stop or redesign the activity that gives rise to the risk.
  • Retain (accept) it: consciously live with the risk, with the risk owner's documented approval of the residual risk.

Whichever option is chosen, the plan should name the risk owner, the controls or actions, who is responsible for them, and the target date, so that Clause 8.3 has something concrete to implement and track.

Putting Your Plan into Action

To meet this clause, you must be able to show that the plan is being executed, not just that it exists. That means keeping evidence of what was done: which controls were implemented, when, by whom, and what the residual risk is afterwards. A practical approach is to update the risk register as each treatment action is completed, record the verification performed (for example, a configuration check, a test result, or a signed-off policy), and keep the updated risk assessment alongside it. This gives both you and the auditor objective evidence that the treatment is working.

Frequently Asked Questions

What does an auditor check?

An auditor will look for evidence that the risk treatment plan is being implemented and that the results are documented. They will trace individual risks from the assessment through the chosen treatment option to the control that was actually put in place, and compare this with the Statement of Applicability. They will also check that the residual risk has been accepted by the risk owner and, since the plan cannot be executed without resources, that adequate budget and staff have been allocated to the treatment actions.

How do you keep records?

A risk register, whether a spreadsheet or a dedicated GRC tool, is the usual record. Each entry should carry the risk, its owner, the treatment option, the planned actions, their status, and the evidence that they were completed. Minutes of risk review meetings, recording what was discussed and what was decided, complete the trail and show that the plan is being followed over time rather than written once and forgotten.

What is the goal of this rule?

The goal is to make sure you do more than plan. Clause 8.3 closes the loop between the risk assessment and day-to-day operations by requiring the agreed treatments to be carried out and their results recorded, so that the controls protecting your organisation's information are actually in place and demonstrably working.