ATOL Articles

ISO 27001 Clause 8: Where the Plans Come to Life

Written by Jackie Stapleton | 2 September 2025 2:40:15 AM

If Clause 6 is where you plan your information security approach, Clause 8 is where you roll up your sleeves and actually do the work.

This is the “operation” stage of your ISMS — the bit that takes everything you mapped out earlier and turns it into real-world actions, records, and results. And while Clause 8 Operation looks short on paper, there’s a lot happening under the hood.

Clause 8 in a Nutshell

Clause 8 has three subclauses:

  1. 8.1 Operational planning and control – Making sure processes are carried out as planned, and the right documentation exists to prove it.
  2. 8.2 Information security risk assessment – Doing the risk assessments you planned in Clause 6.
  3. 8.3 Information security risk treatment – Applying the controls (often from Annex A) to treat those risks.

If Clause 6 is the recipe, Clause 8 is cooking the meal.

8.1 Operational Planning and Control — Setting the Stage

8.1 is about making your Clause 6 plans real. If you’ve properly done:

  • 6.1 Actions to address risks and opportunities
  • 6.1.2 Risk assessment
  • 6.1.3 Risk treatment
  • 7.5 Documented information

…then you’re most of the way there.

Here you’ll also see requirements to:

  • Establish criteria for your processes (what “good” looks like)
  • Control planned changes
  • Review consequences of unintended changes
  • Consider externally provided processes, products, and services (hello, third parties!)

Why this matters: Making ad hoc, unplanned changes without risk checks is a quick way to create security gaps. Controlled change management ensures you spot new risks before they become incidents.

8.2 Information Security Risk Assessment — The Living List

If Clause 6 was about designing your risk assessment process, Clause 8.2 is about actually doing it.

You’ll need to conduct assessments:

  • At planned intervals (many organisations choose quarterly or annually)
  • When significant change occurs
  • When incidents or emerging threats are identified

Hypothetical example: A major vulnerability hits the news, and your hosting provider uses the affected software. Even if you just did your quarterly review last week, you should revisit your risk register now.

Your documented output? A risk register — often an Excel sheet or system record — showing each risk, owner, rating, impact on confidentiality/integrity/availability, and its status.

8.3 Information Security Risk Treatment — Putting Controls in Place

This is where you apply the controls you identified in planning. Most will come from Annex A’s 93 controls, but the standard isn’t restrictive — you can add others if needed.

Each risk above your appetite should have a risk treatment plan showing:

  • The controls you’ll use
  • How and when they’ll be implemented
  • Who’s responsible
  • The current status

Pro Tip: Controls don’t have to be perfect straight away — but they do need to be realistic, relevant, and clearly documented.

The Third-Party Factor

Third parties can be one of the hardest areas to get right. Why?

  • You can’t directly control their systems.
  • Each provider may have different risks, requirements, and locations.

That’s why ISO 27001:2022 has stronger supplier-related requirements than the 2013 version — to keep pace with modern supply chain risks. Annex A sections 5.19 to 5.23 cover supplier agreements, services, and even cloud considerations.

If your scope includes third-party dependencies, make sure your risk assessment and treatment plans cover them in detail.

Why Clause 8 Matters

This is where your ISMS earns its keep. Without Clause 8, all your planning stays stuck on paper.

Done well, Clause 8 will:

  • Keep your risk profile current and relevant
  • Ensure controls are applied and working
  • Provide the evidence auditors (and insurers) love to see
  • Help you adapt quickly when changes or threats appear

Your Quick-Start Checklist for Clause 8

✅ Make sure Clause 6 plans are complete and documented
✅ Set clear process criteria and control changes
✅ Keep your risk register alive and up-to-date
✅ Apply and track your treatment controls — don’t just “set and forget”
✅ Include third-party risks where relevant


 
View full post