Information security risk

ISO 27001 Clause 8.1, Clause 8.2, Clause 8.3 Operational planning & control

This article explains ISO 27001 Clause 8.1 (operational planning and control), Clause 8.2 (information security risk assessment) and Clause 8.3 (information security risk treatment): the required activity for each clause and guidance on implementing it.

Required activity

The organization plans, implements and controls the processes needed to satisfy its information security requirements and to achieve its information security objectives. The organization keeps documented information to the extent necessary to have confidence that the processes have been carried out as planned. The organization controls planned changes and reviews the consequences of unintended changes, and ensures that outsourced processes are identified, defined and controlled.


Implementation Guideline

The processes that an organization uses to satisfy its information security requirements are planned and, once implemented, controlled, particularly when changes are required. Building on the design of the ISMS, the organization performs the operational planning and activities required to implement the processes needed to fulfil its information security requirements.

Processes to satisfy information security requirements include:

  1. ISMS processes (e.g. management review, internal audit);
  2. Processes required for implementing the information security risk treatment plan.

Implementation of plans leads to operated and controlled processes.

The organization ultimately remains responsible for planning and controlling any outsourced processes in order to achieve its information security objectives. Thus, the organization needs to:

  1. Determine which processes are outsourced, considering the information security risks associated with the outsourcing;
  2. Ensure that outsourced processes are controlled (i.e. planned, monitored and reviewed) in a manner that gives assurance that they operate as intended (also taking into account the information security objectives and the information security risk treatment plan).

After implementation is complete, the processes are managed, monitored and reviewed to ensure that they continue to fulfil the requirements determined from understanding the needs and expectations of interested parties. Changes to the operation of the ISMS can be either planned or unintended. Whenever the organization makes changes to the ISMS (as a result of planning or unintentionally), it assesses the potential consequences of those changes in order to control any adverse effects.

The organization can gain confidence in the effectiveness of the implementation of its plans by documenting activities and using that documented information as input to the performance evaluation processes set out in Clause 9. The organization therefore determines which documented information it needs to retain.

The processes defined as a result of the planning described in Clause 6 should be implemented, operated and verified throughout the organization. The following should be considered and implemented:

  1. Processes that are specific to the management of information security (such as risk management, incident management, continuity management, internal audits, management reviews);
  2. Processes arising from the information security controls in the information security risk treatment plan;
  3. Reporting structures (contents, frequency, format, responsibilities, etc.) within the information security area, for instance incident reports, reports on measuring the fulfilment of information security objectives, reports on activities performed;
  4. Meeting structures (frequency, participants, purpose and authorization) within the information security area. Information security activities should be coordinated by representatives from different parts of the organization with relevant roles and job functions, for effective management of the information security area.

For planned changes, the organization should:

  1. Plan their implementation and assign tasks, responsibilities, deadlines and resources;
  2. Implement the changes in accordance with the plan;
  3. Monitor their implementation to verify that they are implemented in accordance with the plan;
  4. Collect and retain documented information on the execution of the changes as evidence that they have been carried out as planned (e.g. with responsibilities, deadlines, effectiveness evaluations).


For observed unintended changes, the organization should:

  1. Review their consequences;
  2. Determine whether any adverse effects have already occurred or could occur in the future;
  3. Plan and implement actions to mitigate any adverse effects as necessary;
  4. Collect and retain documented information on unintended changes and actions taken to mitigate adverse effects.

If some of the organization’s functions or processes are outsourced to suppliers, the organization should:

  1. Determine all outsourcing relationships;
  2. Establish appropriate interfaces to the suppliers;
  3. Address information security related issues within the supplier agreements;
  4. Monitor and review the supplier services to ensure that they are operated as intended and that the associated information security risks meet the organization’s risk acceptance criteria;
  5. Manage changes to the supplier services as necessary.

Clause 8.2 Information security risk assessment

Required activity

The organization performs information security risk assessments and retains documented information on their results.

Implementation Guideline

When performing information security risk assessments, the organization executes the process defined in 6.1.2. These assessments are carried out either according to a schedule defined in advance, or in response to significant changes or information security incidents. The results of the information security risk assessments are retained as documented information, as evidence that the process in 6.1.2 has been performed as defined. Documented information from information security risk assessments is essential input to information security risk treatment and is also useful for performance evaluation.

Organizations should have a plan for conducting scheduled information security risk assessments. When significant changes to the ISMS (or its context) or information security incidents have occurred, the organization should determine:

  1. Which of those changes or incidents require a further information security risk assessment;
  2. How these assessments are triggered.

The level of detail of the risk identification should be refined step by step in successive iterations of the information security risk assessment, within the context of the continual improvement of the ISMS. A broad information security risk assessment should be performed at least once a year.

Clause 8.3 Information security risk treatment

Required activity

The organization implements the information security risk treatment plan and retains documented information on the results of the information security risk treatment.

Implementation Guideline

In order to treat information security risks, the organization performs the information security risk treatment process defined in 6.1.3. During operation of the ISMS, whenever the risk assessment is updated in accordance with 8.2, the organization applies the risk treatment in accordance with 6.1.3 and updates the risk treatment plan. The updated risk treatment plan is then implemented. The results of the information security risk treatment are retained as documented information, as evidence that the process in 6.1.3 has been performed as defined.

The information security risk treatment process should be performed after each iteration of the information security risk assessment process in 8.2, or when implementation of the risk treatment plan, or parts of it, fails. Progress in implementing the information security risk treatment plan should be driven and monitored by this activity.

Questions related to this topic

  1. Explain ISO 27001 Clause 8.1, Clause 8.2, Clause 8.3 Operational planning & control?
  2. What is Operational planning & control?
  3. Explain ISO 27001 Clause 8.1 with Operational planning & control?
  4. Explain Clause 8.3 Operational planning & control?
  5. Explain Operational planning & control?


This Blog Article is posted by

Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092