ISO 27001 Clause 8.1 Operational Planning and Control: Certification Body Guide

ISO 27001 Clause 8.1 Operational Planning and Control

ISO 27001 8.1 Operational Planning and Control is an operational control that requires organisations to establish criteria for information security processes. It mandates the implementation of these processes according to those criteria. It also demands management of planned changes and the control of any outsourced security processes.

ISO 27001:2022 Attributes

Attribute Type Value
Control Type #Operational
Information Security Properties #Confidentiality #Integrity #Availability
Cybersecurity Concepts #Identify #Protect
Operational Capabilities #Governance #AssetManagement

Implementation Difficulty & Cost

Metric Rating
Implementation Difficulty 4/5 (Requires deep operational integration)
Resource Cost Moderate (Often involves staff time and tool configuration)
Owner CISO / Operations Manager
Accountability Cascade COO > CISO > Process Owners > IT Staff

ISO 27002 Control Guidance

Physical operational controls involve ensuring that your site security matches your documented plans. In my experience, I look for site-specific operating procedures that tell staff exactly how to handle visitors or secure entry points. If your plan says “Secure the Perimeter,” I expect to see specific tasks in your facilities log. You must prove that the physical security process is not just a policy but a daily habit.

Technical control focuses on the configuration and monitoring of your security tools. I often find that companies have expensive software like Intune or Defender but no defined criteria for their operation. You must document what an “acceptable” configuration looks like. This criteria allows your technical teams to verify that systems remain secure. Without these markers, your technical operations are essentially unmanaged.

Behavioural guidance requires that staff follow the processes you have built. I check if employees understand their specific roles within the operational workflow. If a process requires a manual approval in Jira, I verify that the person approving actually understands what they are signing off. Security culture fails when people treat operational controls as “admin work” rather than a security necessity.

The Auditor’s Eye (Expert Insight)

In my 20 years of auditing, Clause 8.1 is where the “paper tigers” are caught out. I don’t just want to see a policy folder. I want to see the “Living ISMS.” When I conduct a “Camera Walkthrough” or a remote screen-share, I am looking for the bridge between your risk assessment and your daily tasks. If you identified “Unauthorised Access” as a high risk in Clause 6.1, I expect Clause 8.1 to show the specific criteria and Jira workflows you use to stop it.

I often perform Log Reviews to see if your operational reality matches your claims. If your change management policy says every change needs a rollback plan, I will pull five random tickets from last month. If those tickets don’t have that plan, it is a Non-Conformity (NC). Do not try to hide behind automated SaaS dashboards. If your team cannot explain why a “Green Tick” exists, I will record a failure in operational control.

10 Steps to Implement Operational Planning and Control

  1. Define Process Acceptance Criteria

    Go beyond general statements. Use Confluence to document exactly what a “pass” look like for your security tasks. For example, specify that a vulnerability scan is only “complete” when all high-risk items are ticketed in Jira. This sets the standard for your entire operations team.

  2. Establish Documented Operational Procedures

    Write down how tasks are done. These should be stored in SharePoint or a central wiki. Avoid long, unreadable manuals. Use flowcharts and checklists that staff can actually use while they work. I prefer seeing these integrated into your primary document repository.

  3. Allocate Sufficient Resources

    Operational control is impossible if your team is too small. I check if you have assigned specific people to security tasks. If your “Security Lead” also manages HR and Sales, you have a resource problem. Document these allocations in your organisational chart.

  4. Map Security Requirements to Jira Workflows

    Build your security criteria into your daily tools. If a change requires security approval, make it a mandatory field in Jira. This forces compliance without relying on human memory. It creates an automatic audit trail that I can verify in seconds.

  5. Implement a Formal Change Management Process

    Every planned change needs an impact assessment. Use a standard template in SharePoint to record what might go wrong. This is not just for IT changes; it applies to business process changes too. I look for the “Security Approval” stamp on these records.

  6. Identify and Control Unintended Consequences

    When a change happens, things break. You must have a process to review these side effects. If a firewall update stops a business app, show me the record of how you fixed it and reviewed the security impact. This proves you are in control of the environment.

  7. Establish Outsourced Process Controls

    You can outsource the work, but not the accountability. List every supplier that handles your data in a SharePoint vendor register. Define the specific security tasks they must perform. I want to see how you monitor their performance against your criteria.

  8. Perform Regular Operational Reviews

    Check your own work. Conduct monthly meetings to see if processes are following the criteria. Record these minutes. If you find a process is failing, document the corrective action. This shows me that your ISMS is self-correcting and active.

  9. Manage Documented Information for Evidence

    If it isn’t written down, it didn’t happen. Ensure all logs, tickets, and minutes are stored in a version-controlled environment. Use SharePoint permissions to ensure these records cannot be altered. I check these timestamps to ensure they are authentic.

  10. Train Staff on Operational Responsibilities

    Ensure every person knows their specific “Security Gate.” Conduct short sessions to explain why the criteria exist. If staff know the “Why,” they are less likely to bypass the control. Record these training sessions in your skills matrix.

Requirements by Environment

  • Office Environment: Focus on physical access logs, clean desk checks, and visitor management procedures. Criteria should include “All visitors must be escorted” and “Laptops must be locked when away from desks.”
  • Home Environment: Operational control here relies on technical enforcement. Use Intune to ensure devices meet your criteria before they can connect. Your procedures must include home-office security requirements like router password standards.
  • Cloud Environment: Control is managed through Infrastructure as Code (IaC) and automated pipelines. Criteria are defined as security guards in your CI/CD flow. I expect to see evidence that code is rejected if it does not meet security benchmarks.

The “Checkbox Compliance” Trap

Requirement SaaS Tool Trap Auditor Reality
Process Criteria Generic “Status: Active” dashboard tick. A Confluence page defining specific SLAs and technical thresholds.
Change Management A button that says “Change Approved.” A SharePoint record showing an impact assessment and rollback plan.
Outsourced Control Assuming the AWS SOC2 report is enough. A Jira ticket showing you reviewed the supplier’s performance last month.

10 Steps to Audit Clause 8.1 (Internal Audit Guide)

  1. Request Process Criteria: Ask the CISO to show the criteria for three core security processes. If they point to a high-level policy, it’s a fail.
  2. Verify Jira Integration: Check if security gates are actually built into project or IT tickets. Look for “Security Reviewed” flags.
  3. Sample Change Records: Pick five changes from the last quarter. Look for documented impact assessments.
  4. Inspect Outsourced Logs: Ask for evidence of how a specific third-party service is being monitored. Look for a vendor review record.
  5. Check for Unintended Consequences: Ask for an example of a change that went wrong. Review the documentation of how it was handled.
  6. Review Resource Sufficiency: Look at the staff assigned to security tasks. Verify they have the time and skills to execute the processes.
  7. Validate Document Control: Check that operational procedures in SharePoint are up to date and approved.
  8. Interview Process Owners: Ask an IT Admin how they know their work meets security standards. Their answer should match the criteria.
  9. Examine Meeting Minutes: Review the last three operational security meetings. Look for discussions on process performance.
  10. Check for “Shadow Processes”: Look for security tasks happening outside the documented system. These are uncontrolled risks.

8.1 Audit Evidence Checklist

Evidence Item Pass/Fail Criteria Owner
Process Acceptance Criteria Must be specific, documented, and approved. CISO
Change Request Records Must include impact analysis and security sign-off. IT Manager
Vendor Security Register Must list controls for all outsourced processes. Procurement
Jira Workflow Audit Logs Must show security gates were passed for each ticket. DevOps Lead

Required Policy Content: A Lead Auditor’s Checklist

  • Operational Planning Clause: Must define how the organisation sets criteria for its processes. It must link directly to the risk treatment plan.
  • Change Management Section: Must detail the steps for assessing impact and obtaining authorisation for all planned changes.
  • Outsourcing Control Clause: Must define how external suppliers are selected and monitored. It must state that the organisation remains accountable.
  • Unintended Change Review: Must explain the process for mitigating the negative effects of unplanned changes.
  • Resource Provisioning: Must state that management is responsible for providing the tools and staff needed for operational control.

What to Teach Employees

  • Operational Boundaries: Understanding what a “Security Gate” is and why it cannot be bypassed.
  • Change Reporting: How to use the SharePoint change request form correctly.
  • Supplier Escalation: What to do if an outsourced provider fails to meet security criteria.
  • Evidence Collection: How to properly log security tasks in Jira to satisfy an auditor.

Enforcement and Consequences

Operational planning is the foundation of your ISMS. Failure to follow these processes is a serious breach of policy. I recommend a Verbal Warning for first-time accidental bypasses of security gates. Written Warnings should follow for repeat offences or failure to document changes. Termination is appropriate for deliberate “Shadow IT” operations that bypass security criteria to hide fraud or incompetence.

Common Implementation Challenges

Challenge Root Cause Solution
Vague Criteria Policy written by HR/Legal, not IT. Let technical teams write the criteria in Confluence.
Bypassing Change Control Process is too slow for developers. Automate the security checks within Jira workflows.
Vendor Dark Spots No one is checking the supplier logs. Schedule a recurring Jira task for vendor review.

Sample Statement of Applicability (SoA) Entry

“Clause 8.1 is applied to ensure all security processes follow defined criteria derived from our risk assessment. We manage operational planning through our SharePoint document repository and Jira workflows. All changes are subject to impact assessments, and outsourced processes are controlled through our Vendor Security Policy and regular audits.”

Changes from ISO 27001:2013

ISO 27001:2013 ISO 27001:2022
Focused on planning and control of processes. Enhanced focus on criteria for processes.
Lesser focus on outsourced processes. Explicit requirement to control outsourced processes.

How to Measure Effectiveness (KPIs)

  • Change Success Rate: Percentage of planned changes implemented without security incidents (Target: >95%).
  • Criteria Compliance: Number of operational tasks found to be non-compliant with Confluence criteria during internal audits (Target: <2 per month).
  • Vendor Audit Completion: Percentage of high-risk suppliers reviewed against security criteria in the last 12 months (Target: 100%).

Clause 8.1 FAQ

What is “Process Criteria”?

Criteria are the specific requirements or standards a process must meet to be considered secure. For example, “Every new user must have a background check before getting login credentials.”

Does this apply to small startups?

Yes. Even a small team must have criteria for how they manage their cloud environment and handle customer data. The complexity changes, but the requirement stays.

How do I control a vendor like AWS or Microsoft?

You cannot control their internal processes, but you control how you use them. Your criteria should cover your configuration of their services and how you review their security reports.

Is “Change Management” only for software?

No. It applies to any change that impacts security, such as moving offices, changing your ISP, or restructuring the IT team.

What is an “Unintended Change”?

This refers to the side effects of a planned change. For example, if you install a security patch and it accidentally disables a logging service, that is an unintended change you must manage.