ISO 27001:2022 Clause 8.1 Operational planning and control

ISO 27001 Requirements

The organization shall plan, implement and control the processes needed to meet requirements, and to implement the actions determined in Clause 6, by:
— establishing criteria for the processes;
— implementing control of the processes in accordance with the criteria.
Documented information shall be available to the extent necessary to have confidence that the processes have been carried out as planned.

The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary.
The organization shall ensure that externally provided processes, products or services that are relevant to the information security management system are controlled.

The organization shall plan, implement and control the processes needed to meet ISMS requirements and to implement the actions determined in Clause 6 of ISO 27001.

Let’s break down the key components:

  1. Planning:
    • The organization must engage in comprehensive planning to address information security requirements.
    • This planning involves considering the results of the risk assessment and treatment processes.
    • The organization should establish information security objectives that align with its overall business objectives.
  2. Implementation:
    • After planning, the organization needs to put the planned actions into practice. This involves the practical deployment of the measures and controls identified during the risk assessment and treatment.
    • Information security controls may include technical, procedural, or organizational measures aimed at mitigating risks.
  3. Control:
    • Control mechanisms must be established and maintained to ensure the ongoing effectiveness of the implemented measures.
    • Monitoring, reviewing, and, if necessary, adjusting the controls are integral parts of the control process.
  4. Alignment with Risk Assessment and Treatment:
    • The processes established and controlled should directly align with the outcomes of the risk assessment and treatment activities.
    • The organization needs to ensure that the selected controls adequately address the identified risks.

It emphasizes the importance of a systematic and well-coordinated approach to operational planning and control. The organization should not only identify and analyze risks but also take concrete actions to mitigate or manage those risks. This process is dynamic, requiring ongoing assessment and adjustment to address changes in the organizational context and the evolving threat landscape. The ultimate goal is to ensure the confidentiality, integrity, and availability of information assets within the organization.

The organization must establish criteria for the processes.

When ISO 27001 refers to the organization establishing criteria for processes, it means defining specific parameters and standards against which the effectiveness and performance of those processes can be measured. This helps in ensuring that the processes are aligned with the organization’s objectives and requirements. Here’s how the organization can establish criteria for processes:

  1. Performance Criteria: Define measurable indicators that reflect the performance of each process. These indicators should be quantifiable, allowing for objective evaluation.
  2. Effectiveness Criteria: Establish criteria that determine how effectively each process is achieving its intended outcomes. This could include factors such as the reduction of identified risks, successful implementation of security controls, etc.
  3. Compliance Criteria: Ensure that the processes adhere to relevant legal, regulatory, and contractual requirements. Define criteria to measure and verify compliance with these requirements.
  4. Resource Utilization Criteria: Specify criteria for the optimal use of resources in the execution of processes. This involves ensuring that the processes are efficient and do not unnecessarily consume resources.
  5. Risk Management Criteria: Establish criteria related to the identification, assessment, and treatment of information security risks. Verify that risk management activities align with the organization’s risk tolerance and risk appetite.
  6. Continual Improvement Criteria: Set criteria for assessing the effectiveness of continual improvement processes. This involves monitoring how well the organization is learning from experiences and adjusting its processes accordingly.
  7. Security Controls Criteria: For processes related to the implementation of security controls, define criteria for the selection, implementation, monitoring, and review of these controls.
  8. Documented Information Criteria: Establish criteria for the creation, maintenance, and accessibility of documented information related to each process.

By establishing clear criteria for processes, the organization not only ensures that they are aligned with its information security objectives but also facilitates the ongoing monitoring and improvement of these processes. This is a fundamental aspect of the Plan-Do-Check-Act (PDCA) cycle, which is central to the ISO management system standards.

The organization must implement control of the processes in accordance with the criteria.

When an organization implements control of processes in accordance with established criteria, it is essentially executing the operational planning and control activities. Here’s a breakdown of what this involves:

  1. Execution of Planned Activities: The organization puts into action the planned activities and measures defined in the information security management system (ISMS) to meet the established criteria. This involves implementing security controls, risk treatment measures, and other actions identified during the risk assessment and treatment processes.
  2. Monitoring and Measurement: The organization continuously monitors and measures the performance of processes against the predetermined criteria. This involves using key performance indicators (KPIs) and other metrics to assess how well each process is functioning.
  3. Verification of Compliance: Ensuring that processes adhere to the specified criteria involves regular checks and audits to verify compliance. This includes assessing whether processes align with legal, regulatory, contractual, and internal requirements.
  4. Correction and Improvement: If discrepancies are identified during monitoring or if performance falls below the established criteria, corrective actions are taken. The organization actively seeks opportunities for improvement and makes adjustments to processes as needed.
  5. Documentation and Record Keeping: The organization maintains documented information that provides evidence of the planning, implementation, and control of processes. Records may include evidence of risk assessments, risk treatment plans, and the results of monitoring and measurement activities.
  6. Change Management: Changes to processes are managed in a controlled manner to ensure that modifications do not negatively impact information security. The organization assesses the potential impacts of changes and implements appropriate controls to manage these impacts.
  7. Continual Improvement: The organization fosters a culture of continual improvement, seeking ways to enhance the effectiveness and efficiency of information security processes. Lessons learned from incidents, monitoring activities, and audits are used to drive improvements.
  8. Communication and Training: Effective communication ensures that relevant stakeholders are informed about the status of processes and any changes. Training programs are implemented to ensure that personnel are equipped with the necessary skills and knowledge to execute their roles in accordance with information security requirements.

By implementing controls in line with established criteria, the organization demonstrates its commitment to managing information security effectively. This iterative process of planning, implementation, monitoring, and improvement is integral to the ongoing success of an ISMS based on ISO 27001.

Documented information shall be available to the extent necessary to have confidence that the processes have been carried out as planned.

To have confidence that processes in an Information Security Management System (ISMS) have been carried out as planned, it’s important to have appropriate documented information available. The specific documents may vary based on the organization’s size, complexity, and the nature of its operations, but here are some key types of documented information commonly required:

  1. Information Security Policy: A documented policy outlining the organization’s commitment to information security. It sets the direction and establishes the framework for the ISMS.
  2. Risk Assessment and Treatment Records: Documentation related to the identification, assessment, and treatment of information security risks. This includes records of risk assessments, risk treatment plans, and decisions made regarding risk acceptance.
  3. Statement of Applicability (SoA): A document that identifies the information security controls selected for implementation and the justification for their inclusion. The SoA is a key output of the risk assessment process.
  4. Procedure Documents: Step-by-step procedures for implementing specific security controls or carrying out key information security processes. For example, procedures for access control, incident response, or change management.
  5. Records of Training and Awareness Programs: Documentation of training and awareness activities conducted to ensure that personnel are informed and competent in their roles with respect to information security.
  6. Incident Response and Management Records: Documents outlining the organization’s approach to incident response, including procedures for reporting, investigating, and mitigating information security incidents.
  7. Monitoring and Measurement Records: Records of monitoring and measurement activities related to information security performance. This may include logs, reports, or other evidence of ongoing monitoring.
  8. Audit Records: Documentation of internal and external audits conducted to assess the ISMS. This includes findings, corrective actions taken, and evidence of improvements.
  9. Change Management Records: Documents related to changes in the information security environment, including change requests, impact assessments, and approvals. This ensures that changes are controlled and do not negatively impact security.
  10. Records of Management Reviews: Documentation of regular management reviews of the ISMS to ensure its continuing suitability, adequacy, and effectiveness. This may include meeting minutes, reports, and action plans.
  11. Records of Corrective and Preventive Actions: Documentation of corrective actions taken in response to incidents or nonconformities and preventive actions to avoid the recurrence of issues.
  12. Documented Information on Security Controls: Details about the implementation and operation of specific security controls selected by the organization, including configuration settings, access controls, and other relevant information.

Having these types of documented information available provides evidence that the organization has planned, implemented, and controlled its information security processes as required by the ISMS. It also supports transparency, accountability, and the ability to demonstrate compliance during internal and external assessments.

The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary.

This statement reflects the importance of change control within the context of ISO 27001. Let’s break down the key elements of this requirement:

  1. Control of Planned Changes:
    • The organization is expected to have a formalized and controlled process for managing planned changes to its information security management system (ISMS).
    • This involves any modifications to processes, procedures, technologies, or other elements that may impact information security.
  2. Review of Consequences:
    • Before implementing planned changes, the organization must conduct a thorough review of the potential consequences.
    • This includes assessing how the changes might affect information security controls, risk levels, and overall ISMS effectiveness.
  3. Unintended Changes:
    • The organization must also be vigilant about unintended changes, which could occur due to system updates, personnel changes, or other factors.
    • Unintended changes may introduce new vulnerabilities or negatively impact established security measures.
  4. Mitigation of Adverse Effects:
    • If adverse effects are identified during the review of planned changes or as a consequence of unintended changes, the organization is required to take action to mitigate these effects.
    • This involves implementing corrective measures to address any negative impact on information security.
  5. Necessary Actions:
    • The organization should have a process in place to determine and implement necessary actions based on the consequences of changes.
    • This could involve revising risk treatment plans, updating security controls, or enhancing training programs.
  6. Practical Implementation: To fulfill this requirement, organizations typically establish a Change Management or Change Control process. This process often includes the following steps:
    • Change Request Submission: Individuals or departments proposing changes submit formal change requests. These requests detail the nature of the change, its purpose, and potential impacts.
    • Change Evaluation: A designated change control team evaluates the proposed changes, considering their potential effects on information security.
    • Risk Assessment: A risk assessment may be conducted to identify and assess potential risks associated with the proposed changes.
    • Approval Process: Changes are subject to an approval process that may involve relevant stakeholders, including information security professionals, management, and other relevant parties.
    • Documentation: Approved changes and associated risk assessments are documented. This documentation is critical for transparency and auditability.
    • Implementation: Changes are implemented according to an approved plan, with close monitoring to ensure that the intended changes align with security objectives.
    • Review and Monitoring: The organization continually monitors the changes to assess their effectiveness and any unintended consequences.
    • Mitigation of Adverse Effects: If adverse effects are identified, corrective actions are taken to mitigate the impact on information security.
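The steps above are usually enforced by a ticketing tool, but the gating logic itself is small enough to show directly. The following Python is an added example written for this page; it is not code from the original article and not text from ISO 27001. It models one change request as a state machine in which each step (evaluation, risk assessment, approval, implementation, post-implementation review) is only reachable after the previous one has been recorded, and every step appends an audit entry that serves as the documented information the clause asks for. The class and state names, the rule that a requester may not approve their own change, and the rule that a high-risk change needs two approvers are assumptions chosen for illustration, as is the sample change CR-0001.

```python
"""Change-control workflow with enforced gates and an audit trail.

Constructed example; class names, state names and the approval rules
(requester cannot self-approve, high-risk needs two approvers) are
assumptions for illustration, not requirements quoted from ISO 27001.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class State(Enum):
    SUBMITTED = "submitted"
    EVALUATED = "evaluated"
    RISK_ASSESSED = "risk_assessed"
    APPROVED = "approved"
    IMPLEMENTED = "implemented"
    REVIEWED = "reviewed"


# The state a request must be in before each step is allowed.
PREREQUISITE = {
    "evaluate": State.SUBMITTED,
    "assess_risk": State.EVALUATED,
    "approve": State.RISK_ASSESSED,
    "implement": State.APPROVED,
    "review": State.IMPLEMENTED,
}


class ChangeControlError(Exception):
    """Raised when a step is attempted before its prerequisite step is documented."""


@dataclass
class ChangeRequest:
    change_id: str
    description: str
    requester: str
    state: State = State.SUBMITTED
    risk_rating: Optional[str] = None
    approvers: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)  # the documented information

    def _gate(self, step: str) -> None:
        required = PREREQUISITE[step]
        if self.state is not required:
            raise ChangeControlError(
                f"{self.change_id}: cannot {step} in state {self.state.value}; "
                f"requires {required.value}")

    def _record(self, actor: str, action: str, detail: str = "") -> None:
        # Records the state *after* the transition, so the log reads as history.
        self.audit_log.append(
            {"actor": actor, "action": action, "state": self.state.value, "detail": detail})

    def evaluate(self, evaluator: str, impact_summary: str) -> None:
        self._gate("evaluate")
        self.state = State.EVALUATED
        self._record(evaluator, "evaluate", impact_summary)

    def assess_risk(self, assessor: str, rating: str) -> None:
        self._gate("assess_risk")
        if rating not in ("low", "medium", "high"):
            raise ValueError(f"unknown risk rating {rating!r}")
        self.risk_rating = rating
        self.state = State.RISK_ASSESSED
        self._record(assessor, "assess_risk", rating)

    def approve(self, approver: str) -> None:
        self._gate("approve")
        if approver == self.requester:  # assumed segregation-of-duties rule
            raise ChangeControlError("requester may not approve their own change")
        if approver not in self.approvers:
            self.approvers.append(approver)
        needed = 2 if self.risk_rating == "high" else 1  # assumed approval rule
        if len(self.approvers) >= needed:
            self.state = State.APPROVED
        self._record(approver, "approve", f"{len(self.approvers)}/{needed} approvals")

    def implement(self, implementer: str, plan_reference: str) -> None:
        self._gate("implement")
        self.state = State.IMPLEMENTED
        self._record(implementer, "implement", plan_reference)

    def review(self, reviewer: str, adverse_effects: str = "", mitigation: str = "") -> None:
        self._gate("review")
        if adverse_effects and not mitigation:
            raise ChangeControlError("adverse effects must have a documented mitigation")
        self.state = State.REVIEWED
        self._record(reviewer, "review",
                     f"adverse={adverse_effects or 'none'}; mitigation={mitigation or 'n/a'}")


def run_example() -> ChangeRequest:
    """Walk one constructed high-risk change through every gate."""
    cr = ChangeRequest("CR-0001", "Enable MFA on VPN gateway", requester="alice")
    cr.evaluate("bob", "Affects remote access for all staff; no data-flow change")
    cr.assess_risk("bob", "high")
    cr.approve("carol")            # 1/2 approvals: still risk_assessed
    cr.approve("dave")             # 2/2 approvals: now approved
    cr.implement("erin", "plan/CR-0001-v2")
    cr.review("bob", adverse_effects="legacy client lockouts",
              mitigation="temporary exemption group until client upgrade completes")
    return cr


if __name__ == "__main__":
    for entry in run_example().audit_log:
        print(entry)
```

Calling `implement()` on a request that was never approved raises `ChangeControlError` rather than silently proceeding, which is the property an auditor is looking for: the tool, not the operator's memory, guarantees that the approval record exists before the change is made. The `review()` step refuses to close a change that reports adverse effects without a mitigation, matching the "taking action to mitigate any adverse effects" wording of the clause.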

By having a robust change control process, organizations can proactively manage changes to their information security environment, ensuring that the integrity, confidentiality, and availability of information assets are maintained. This process contributes to the overall effectiveness of the ISMS.

The organization shall ensure that externally provided processes, products or services that are relevant to the information security management system are controlled.

This requirement pertains to the control of externally provided processes, products, or services relevant to the Information Security Management System (ISMS). This is outlined in ISO 27001:2013 under Clause 8.4, which focuses on the control of externally provided processes, products, and services.

Here’s a breakdown of what this requirement entails:

  1. Identification of External Processes, Products, or Services: The organization must identify external processes, products, or services that are relevant to its ISMS. This involves understanding which aspects of information security are dependent on or influenced by external parties.
  2. Establishment of Controls: Controls must be established to ensure that externally provided processes, products, or services meet the organization’s information security requirements. The organization is responsible for defining the necessary controls to manage and mitigate risks associated with external providers.
  3. Risk Assessment: Conduct a risk assessment to identify potential security risks associated with externally provided processes, products, or services. Assess the impact of these external factors on the organization’s information security objectives.
  4. Contractual Agreements: Establish clear and comprehensive contractual agreements with external providers. Contracts should define information security requirements and expectations, including relevant security controls, confidentiality, and data protection measures.
  5. Monitoring and Review: Implement a monitoring and review process to ensure that external providers are meeting the agreed-upon security requirements. Regularly assess the performance of external providers in relation to information security.
  6. Security Criteria for External Providers: Define specific security criteria that external providers must meet. This may include requirements related to data protection, access controls, incident response, and other relevant security measures.
  7. Contingency Planning: Develop contingency plans to address potential disruptions in the provision of external processes, products, or services. Ensure that there are mechanisms in place to address information security concerns if external providers face challenges.
  8. Communication and Collaboration: Establish effective communication channels with external providers regarding information security matters. Collaborate to address and resolve security issues and ensure alignment with the organization’s security objectives.
  9. Practical Implementation:
    • Supplier/Provider Assessment: Assess the security practices of potential external providers before engaging in contractual agreements.
    • Security Requirements in Contracts: Clearly define information security requirements in contracts and service level agreements (SLAs).
    • Regular Audits and Assessments: Conduct regular audits or assessments of external providers to verify compliance with security controls.
    • Incident Response Coordination: Establish a coordinated incident response plan with external providers to address security incidents effectively.
    • Continuous Monitoring: Implement continuous monitoring of external providers’ performance and adherence to security requirements.
    • Documentation: Maintain documented information regarding the controls and measures in place for managing external providers.

By effectively controlling externally provided processes, products, and services, organizations can enhance the overall security posture of their ISMS. This is essential for ensuring that external factors do not compromise the confidentiality, integrity, and availability of sensitive information.

Example of procedure for Operational planning and control in ISMS

1. Purpose: The purpose of this procedure is to establish a systematic approach for planning, implementing, and controlling operational processes within the ISMS to ensure the confidentiality, integrity, and availability of information.

2. Scope: This procedure applies to all operational processes within the organization that are relevant to the ISMS.

3. Responsibilities:

  • Information Security Officer (ISO):
    • Overall responsibility for the implementation and effectiveness of operational planning and control.
  • Process Owners:
    • Responsible for the development, implementation, and continuous improvement of specific operational processes.
  • Employees:
    • Responsible for following established processes and reporting any deviations or security incidents.

4. Procedure Steps:

4.1. Identification of Operational Processes:

  • Define and document all operational processes relevant to information security.
  • Identify processes that may impact the confidentiality, integrity, and availability of information assets.

4.2. Risk Assessment and Treatment:

  • Conduct a risk assessment for each identified operational process.
  • Determine appropriate risk treatment measures to address identified risks.
  • Document the risk assessment and treatment plan.

4.3. Information Security Objectives:

  • Establish information security objectives for each operational process.
  • Ensure objectives are aligned with the organization’s overall business objectives and information security policy.

4.4. Operational Planning:

  • Develop operational plans for each identified process, outlining the steps and controls needed to achieve information security objectives.
  • Include resource requirements, timelines, and responsibilities in the operational plans.

4.5. Change Management:

  • Implement a change management process to control changes to operational processes.
  • Assess the impact of changes on information security and update plans accordingly.

4.6. Monitoring and Measurement:

  • Implement monitoring and measurement activities to track the performance of operational processes.
  • Define key performance indicators (KPIs) for each process.

4.7. Records Management:

  • Establish a records management system to maintain documentation related to operational planning, risk assessments, and performance monitoring.
  • Ensure records are retained as per the organization’s retention policies.

4.8. Incident Response and Corrective Action:

  • Develop and document incident response procedures for each operational process.
  • Establish corrective action procedures to address deviations from planned activities.

4.9. Review and Improvement:

  • Conduct regular reviews of operational processes to assess their effectiveness.
  • Use review findings to identify areas for improvement and implement necessary changes.

4.10. Communication:

  • Establish communication channels to ensure that relevant stakeholders are informed about operational plans, changes, and incident responses.
  • Encourage a culture of information security awareness.

5. Documentation:

  • Maintain documented information for each step of the procedure, including operational plans, risk assessments, incident response documentation, and records of reviews and improvements.

6. Training:

  • Provide training to employees involved in operational processes to ensure awareness and understanding of information security requirements.

Operational Plan for Information Security

1. Introduction:

  • Objective:
    • The objective of this operational plan is to ensure the effective implementation and continual improvement of information security controls within the organization.

2. Scope:

  • In-Scope Processes:
    • Identify the key operational processes within the organization that are relevant to information security.

3. Information Security Objectives:

  • Objective 1: Access Control Enhancement
    • Action Steps:
      • Review and update access control policies.
      • Implement two-factor authentication for critical systems.
      • Conduct awareness training on the importance of access controls.
  • Objective 2: Data Encryption Implementation
    • Action Steps:
      • Identify sensitive data requiring encryption.
      • Implement encryption mechanisms for data in transit and at rest.
      • Perform regular audits to ensure proper encryption practices.

4. Risk Treatment Plan:

  • Risk 1: Unauthorized Access to Systems
    • Treatment Measures:
      • Strengthen access controls.
      • Implement intrusion detection and prevention systems.
      • Conduct regular vulnerability assessments.
  • Risk 2: Data Breach
    • Treatment Measures:
      • Enhance data encryption practices.
      • Develop an incident response plan.
      • Conduct periodic drills to test incident response capabilities.

5. Change Management:

  • Change Procedure:
    • Steps:
      • Submission of change requests.
      • Change impact assessment.
      • Approval process.
      • Implementation of changes.
      • Post-implementation review.

6. Monitoring and Measurement:

  • Key Performance Indicators (KPIs):
    • Examples:
      • Number of security incidents reported per month.
      • Percentage of systems with updated antivirus definitions.
      • Time taken to resolve critical security vulnerabilities.

7. Incident Response:

  • Incident Categories:
    • Categories:
      • Unauthorized access.
      • Malware infections.
      • Data breaches.
  • Response Procedures:
    • Steps:
      • Incident identification and reporting.
      • Incident analysis and containment.
      • Eradication of the incident.
      • Recovery of affected systems.
      • Post-incident review and documentation.

8. Communication Plan:

  • Communication Channels:
    • Channels:
      • Internal notifications through email.
      • Urgent announcements on internal collaboration platforms.
      • Periodic updates during team meetings.

9. Training and Awareness:

  • Training Programs:
    • Topics:
      • Phishing awareness.
      • Secure use of company systems.
      • Incident reporting procedures.
  • Frequency:
    • Regular mandatory training at onboarding and annually thereafter.

10. Continuous Improvement:

  • Review Process:
    • Frequency:
      • Quarterly reviews of operational processes.
    • Improvement Actions:
      • Update policies and procedures based on lessons learned.
      • Implement efficiency improvements in security controls.

11. Documentation:

  • Records:
    • Maintain records of risk assessments, change requests, incident reports, and training sessions.
