ISO 27001 Clause 8.1: Operational planning and control

ISO 27001 is the internationally recognised standard for information security management systems (ISMS). It sets out the requirements an organisation must meet to establish, implement, maintain and continually improve the way it protects its information, and it is the standard against which an organisation is audited for certification.

Clause 8 of ISO 27001 covers the operation of the information security management system (ISMS): the point at which the planning done under Clause 6 is carried out in practice. It sets requirements for planning, implementing and controlling the processes used to manage information security.

Within Clause 8, 8.1 deals with operational planning and control. It requires the organisation to plan, implement and control the processes needed to meet its information security requirements and to carry out the actions it determined in Clause 6 (risk treatment and information security objectives), and to keep enough evidence to show that those processes ran as planned.

What is the purpose of clause 8.1 operational planning and control?

The purpose of clause 8.1 is to make sure the organisation runs its information security processes in a systematic, controlled way rather than ad hoc. By planning, implementing and controlling those processes, and by controlling changes to them, the organisation reduces the likelihood and impact of security incidents and can show an auditor that what was planned is actually being done.

What is clause 8 of ISO 27001 concerned with?

Clause 8 (Operation) is made up of three sub-clauses:

  • 8.1 Operational planning and control: planning, implementing and controlling the processes needed to meet information security requirements, and controlling changes to them

  • 8.2 Information security risk assessment: performing risk assessments at planned intervals, or when significant changes are proposed or occur, and retaining documented results

  • 8.3 Information security risk treatment: implementing the risk treatment plan and retaining documented results

Monitoring, measurement and review of the ISMS are covered separately in Clause 9 (Performance evaluation), and maintaining and improving it in Clause 10 (Improvement).

What are the requirements of clause 8.1 of the standard?

The requirements of clause 8.1 (as worded in ISO 27001:2022) are as follows:

  • The organisation shall plan, implement and control the processes needed to meet its information security requirements and to implement the actions determined in Clause 6.

  • In doing so, the organisation shall establish criteria for those processes, that is, define what a correctly executed process looks like and how conformance will be judged.

  • The organisation shall implement control of the processes in accordance with those criteria.

  • Documented information shall be available to the extent necessary to have confidence that the processes have been carried out as planned.

  • The organisation shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects as necessary.

  • The organisation shall ensure that externally provided processes, products or services that are relevant to the ISMS are controlled (the 2013 edition phrased this as determining and controlling outsourced processes).

Clause 8.1 on ISO 27001:2013 vs. ISO 27001:2022

Clause 8.1 carries the same title, "Operational planning and control", in ISO 27001:2013 and ISO 27001:2022, and its core obligations are unchanged. The 2022 revision reworded the clause to match the harmonised structure used across ISO management system standards, which produced a few concrete differences.

The most visible change is that ISO 27001:2022 spells out how the processes are to be planned, implemented and controlled: by establishing criteria for the processes, and by implementing control of the processes in accordance with those criteria. The 2013 edition required the processes to be planned, implemented and controlled but did not state these two steps explicitly. In practice this means defining, for each operational process, what a correct outcome looks like and how conformance will be judged, and then controlling the process against that definition.

Two requirements that are sometimes described as new in 2022 were already present in 2013. Both editions require documented information to the extent necessary to have confidence that the processes have been carried out as planned (2013 says the organisation shall "keep" it, 2022 says it "shall be available"), and both require the organisation to control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects.

The treatment of third parties was broadened. ISO 27001:2013 required that outsourced processes be determined and controlled; ISO 27001:2022 requires that externally provided processes, products or services relevant to the ISMS be controlled, which covers suppliers and cloud services as well as classic outsourcing.

Finally, the 2013 clause explicitly required the organisation to implement plans to achieve the information security objectives set under 6.2. That sentence is gone from 8.1 in 2022, which now refers to implementing the actions determined in Clause 6 as a whole; the planning requirements for objectives sit in 6.2 itself.

Overall, the 2022 changes to clause 8.1 clarify rather than expand what is required. An organisation that already ran its ISMS processes against defined criteria, kept records, controlled changes and managed its suppliers will find little new to do.

Here is a table summarising clause 8.1 in ISO 27001:2013 and ISO 27001:2022:

Aspect | ISO 27001:2013 | ISO 27001:2022
Clause title | Operational planning and control | Operational planning and control
Criteria for the processes stated explicitly | No | Yes
Control of the processes in accordance with the criteria stated explicitly | No | Yes
Documented information that processes were carried out as planned | Yes | Yes
Control of planned changes and review of unintended changes | Yes | Yes
Third parties | Outsourced processes determined and controlled | Externally provided processes, products or services relevant to the ISMS controlled
Reference to plans for information security objectives (6.2) | Yes, explicit | Not in 8.1 (refers to actions determined in Clause 6)

 

Conclusion

Clause 8.1 is where the ISMS moves from planning to execution. By defining criteria for its operational processes, controlling those processes and any changes to them, keeping evidence that they ran as planned, and controlling externally provided processes and services, an organisation reduces the likelihood and impact of security incidents and protects its information assets.
