ISO 27001 Clause 8.1: Operational planning and control

ISO 27001 made easy: A comprehensive guide to understanding the standard

ISO 27001 Framework

ISO 27001 stands as a globally recognized standard that outlines what you need to do to protect your valuable information. It's like a playbook of guidelines designed to safeguard your organisation's critical data.

Clause 8 of ISO 27001 concerns the operation of the information security management system (ISMS). It includes requirements for planning, implementing, and controlling the processes that are used to manage information security.

Within Clause 8, you'll come across 8.1, which deals with operational planning and control. This part of the standard requires organisations to carefully plan, put their plans into action, and oversee processes to meet information security requirements.


What is the purpose of clause 8.1 operational planning and control?

The purpose of clause 8.1 is to ensure that the organisation has a systematic approach to managing its information security risks. By planning, implementing, and controlling the processes that are used to manage information security, you can reduce the likelihood and impact of security incidents.


What is clause 8 of ISO 27001 concerned with?

Clause 8 of ISO 27001 is concerned with the following:

  • Planning, implementing, and controlling the processes needed to meet information security requirements
  • Monitoring and reviewing the operation of the ISMS
  • Maintaining and improving the ISMS

What are the requirements of clause 8.1 of the standard?

The requirements of clause 8.1 are as follows:

  • The organisation shall plan, implement, and control the processes needed to meet information security requirements.
  • The organisation shall establish criteria for the processes.
  • The organisation shall implement controls of the processes in accordance with the criteria.
  • Documented information shall be available to the extent necessary to have confidence that the processes have been carried out as planned.
  • The organisation shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects as necessary.

Clause 8.1 on ISO 27001:2013 vs. ISO 27001:2022

Clause 8.1 in both ISO 27001:2013 and ISO 27001:2022 covers operational planning and control. However, there are some key differences between the two versions of the clause.

In ISO 27001:2013, the clause is simply called "Operational control". In ISO 27001:2022, the clause is called "Operational planning and control". This change reflects the fact that the clause is not just about controlling processes, but also about planning and implementing them.

Another key difference is that ISO 27001:2022 requires organisations to establish criteria for the processes. This means that organisations need to define what success looks like for each process and how they will measure it. ISO 27001:2013 did not have this requirement.

ISO 27001:2022 also requires organisations to implement controls of the processes in accordance with the criteria. This means that organisations need to put in place measures to ensure that the processes are effective in meeting their objectives. ISO 27001:2013 only required organisations to implement controls.

Finally, ISO 27001:2022 requires documented information to be available to the extent necessary to have confidence that the processes have been carried out as planned. This means that organisations need to keep records of their processes and the results of their activities. ISO 27001:2013 did not have this requirement.

Overall, the changes to clause 8.1 in ISO 27001:2022 are designed to make it more comprehensive and to provide organisations with more guidance on how to implement effective operational planning and control.

Here is a table summarising the key differences between clause 8.1 in ISO 27001:2013 and ISO 27001:2022:

Requirement                                                          | ISO 27001:2013       | ISO 27001:2022
Clause name                                                          | Operational control  | Operational planning and control
Requirement to establish criteria for processes                      | No                   | Yes
Requirement to implement controls of the processes per the criteria  | No                   | Yes
Requirement for documented information                               | No                   | Yes

Conclusion

Clause 8.1 of ISO 27001 is an important requirement for organisations that want to implement an effective ISMS. By following the requirements of this clause, organisations can reduce the likelihood and impact of security incidents and protect their information assets.
