Part 21 - Clauses 8.1, 8.2 and 8.3 Operational Planning and Control, Information security risk assessment & Information security risk treatment
The Clauses 8.1-8.3 are where we implement (or do) all the planning that went into identifying the controls and objectives needed for your Information Security Management System (ISMS) way back in clause 6.1 and clause 6.2.These are the day-to-day operations of your ISMS. This is how you actually use your procedures and controls to carry out your everyday tasks.
8.1 Operational planning and control
We’ll start off with 8.1 Operational planning and control.
The main takeaway from this clause is that you need to implement the things necessary to meet your information security requirements (remember these are controls that you identified as part of your ISMS planning).
You also need to be able to show that you’re taking steps towards achieving the objectives that you’ve set.
One of the best ways to demonstrate that you’re meeting these requirements is with records. For instance, if you say that you’re going to put a control in place that requires a monthly review and a sign off – then you should be able to show evidence such as a findings report, sign off sheet, logs etc...
You need to think about how you would handle change. Whether it is planned or unexpected. We all know that sometimes things just happen and that’s OK – it’s what happens next that matters. To satisfy the standard you must be able to show that you’ve identified any effects the change may have on your systems, that you’ve put some actions in place to help lessen any impacts. Of course that has to be documented!
How did Mango achieve this?
Within our own IMS manual we have created chapters that focus on the operations side of our business processes. We’ve ensured that our procedures and policies align with the actions and controls identified within the 27001 standard. Refer to our previous blogs on 6.1 Actions to address risks and opportunities and 6.2 Information security objectives for tips on this.
Then we need to show that we’re doing what we say we are doing. For this we create records. We use our Event Management module to remind us of scheduled reviews, meetings audits etc. and then we’re able to save the evidence of these to the same events. This enable us to go back through months of management review minutes or back up logs. It’s a really easy way to quickly identify when something isn’t working and we can make the necessary changes to stay on top of the ISMS requirements.
8.2 Information security risk assessment
Next up is 8.2 Information security risk assessment.
In clause 6.1.2 the standard requires you to define and apply an information security risk assessment. Well 8.2 is all about actually performing that assessment – and that’s about it!
Carry out the risk assessments in line with your process, schedule these on a regular basis and adhoc too if needed, and of course, document your findings.
For Mango we went through a 3-step process to risk assess our information security.
Firstly, we identified our assets. Secondly, we determined the information outputs from those assets. Then finally we classified that information and set a priority on that information. For example, financial records and passwords were classified as “secret”. These then received a high priority or high risk score. Extra controls are in place to secure those.
8.3 Information security risk treatment
Finally we have 8.3 Information security risk treatment.
This requires you to implement the information security risk treatment plan that was defined back in clause 6.1.3 – and as always record the results of any findings.
It’s important that the risk treatment process is carried out after each security risk assessment to ensure that the correct mitigations are in place.
At Mango after the risk assessment, the risks were transferred onto an Information Security Risk Register and the controls/treatments were determined. The controls listed in Annex A of ISO 27001 were a great guidance for Mango. These were then implemented based on the priority set previously. High priority risks were implemented first. And so on.
So there you have it. It is straight forward. Just implement the risk controls and objectives that you created back in 6.1.1 and 6.1.2.
- Plan the implementation of the controls/treatments of your risks.
- Implement the controls.
- Ensure that you have change management processes in place to manage the changes that will occur.
- Make sure you have records to prove that you are meeting the controls and the objectives.
View previous blogs in this series "ISO 27001 Information Security Management Standard":