
Operational planning and control

Updated: 2025-05-27

Plain English Translation

Clause 8.1 is the 'execution' phase of ISO 27001. After planning your risks and objectives in Clause 6, this section requires you to actually do the work. You must establish criteria for your security processes (defining what 'secure' looks like), implement controls to meet those criteria, and keep evidence (documents/logs) to prove the processes are working. It also explicitly requires you to manage changes to these processes and ensure that any outsourced work (vendors) is controlled just as strictly as internal work.

Executive Takeaway

The organization must integrate security plans into daily business operations, ensuring that processes are documented, changes are managed, and outsourced activities are monitored.

Impact: High
Complexity: High

Why This Matters

  • Ensures that theoretical risk plans are converted into actual operational workflows
  • Prevents security gaps caused by unmanaged changes or uncontrolled vendors
  • Provides the operational evidence required for certification audits

What “Good” Looks Like

  • Security requirements are embedded in project management and engineering workflows, and tools like WatchDog Security's Compliance Center can help map operational criteria to controls and required evidence so execution stays audit-ready.
  • A formal change management process is active and documented
  • Outsourced processes (e.g., cloud providers, payroll) are monitored against security criteria, with tools like WatchDog Security's Vendor Risk Management helping track vendor reviews, risk-tiering, and evidence of ongoing oversight.

Clause 8.1 is the clause that mandates the execution of the ISMS. It requires the organization to plan, implement, and control the processes needed to meet security requirements and address the risks identified in the planning phase (Clause 6).

The requirements are to establish criteria for processes, implement controls according to those criteria, keep documented evidence of implementation, control planned changes, review unintended changes, and ensure outsourced processes are controlled. WatchDog Security's Compliance Center can help teams define those criteria per control, track evidence collection, and surface gaps before an audit.

You implement Clause 8.1 by creating Standard Operating Procedures (SOPs), defining success criteria (e.g., 'all operational changes must be approved'), and retaining records (e.g., logs, tickets) that prove the process was followed.

Clause 6 is 'Planning' (identifying risks, setting objectives, and deciding what to do). Clause 8 is 'Operation' (actually doing the work, implementing the controls, and running the processes defined in the plan).

Any process relevant to information security must be controlled, including risk treatment implementation, change management, incident response, and processes provided by third-party suppliers.

Change is managed by ensuring it is 'planned' rather than ad-hoc. This involves assessing the impact of a change before it happens, obtaining approval, and reviewing the outcome to prevent adverse effects on security.

The purpose of Clause 8.1 is to bridge the gap between high-level policy and daily activity, ensuring that security controls are integrated into the organization's actual business workflows and project management.

Outsourced processes are controlled by establishing security requirements in contracts (SLAs), conducting vendor security reviews, and monitoring the vendor's performance to ensure they meet the organization's standards. WatchDog Security's Vendor Risk Management can help maintain a vendor catalog, run standardized assessments, and track review outcomes and remediation items over time.

Clause 8.1 often breaks down in practice when process criteria, evidence, and change controls are scattered across tickets, docs, and point tools. WatchDog Security's Compliance Center helps centralize operational criteria (what must be true before/after a change), map them to controls, and continuously flag gaps when required evidence or process steps are missing during execution.

Teams usually lose time during audits because evidence is incomplete, inconsistent, or not tied back to the operational criteria that define 'done'. WatchDog Security's Compliance Center supports automated evidence collection and control-to-evidence mapping, so routine artifacts like change tickets, approvals, and operational logs can be linked to Clause 8.1 controls with clear ownership and review cadence.

ISO-27001 8.1

"The organization shall plan, implement and control the processes needed to meet requirements, and to implement the actions determined in Clause 6, by: establishing criteria for the processes; implementing control of the processes in accordance with the criteria... The organization shall control planned changes and review the consequences of unintended changes... The organization shall ensure that externally provided processes, products or services that are relevant to the ISMS are controlled."

Version  Date        Author                      Description
1.0.0    2025-05-27  WatchDog Security GRC Team  Initial publication