ISO27001 and the Operation Clause
ISO27001 for Information Security Management Systems Clause 8, Operation, is where the rubber starts to meet the road: this is the part of the standard that requires you to do what you have so far said you will do. If you think about the structure of the standard and apply the Plan, Do, Check, Act (or Adjust) approach that the standard takes, then this is absolutely the Do part of the cycle. Until now you have been laying the groundwork: building plans and defining how your system will operate. Now it is time to put that into practice. Unlike some of the other clauses, Clause 8 seems small, with only three sub-clauses, but there is some important work to do because of them.
Clause 8.1 Operational Planning & Control
In a nutshell, it is time to do what you said you were going to do and, importantly, to be able to prove that you are doing it. Remember that when it comes to certifying your system there is a burden of proof on the organisation to demonstrate that it is taking the steps it needs to in order to meet the standard. The only way to really do that is by maintaining records of what you do. So, for example, if you said you would hold a monthly ISMS leadership meeting then you need to document that meeting and have the minutes and actions from it available. Which you will have, since you keep minutes, and people always leave your meetings with actions to do, otherwise there was zero point in them being at your meeting. If you decided that audits were a good thing to do then you should have audit reports and findings from them to be able to talk about, and so on.
When it comes to your objectives you really do need to be measuring progress towards them: whether you are making progress, but also, importantly, whether your objectives are delivering what you hoped they would. There is nothing wrong with reviewing these objectives, realising they are not doing what you had hoped, and changing them for better ones.
That brings us nicely to the need to capture and manage changes in your ISMS. The standard requires you to control changes: to plan them and to review their impacts and consequences, both the intended consequences and, of course, the unintended ones! That again means you need to document them, communicate them, in some cases risk assess the change to understand the impacts, and also review the change after you have made it to ensure it did what it was intended to do with no unintended outcomes.
The last part Clause 8.1 wants you to think about is again about control, specifically the control of any outsourced processes. Clearly you need to identify that you are outsourcing and make that decision explicitly. As you do so you need to determine how you will control the outsourced process, how you will monitor it to ensure it does what you planned it to do, and how you will include it in any changes you make to your information security management system in the future.
Clause 8.2 Information Security Risk Assessment
Previously, in clause 6.1.2, you were required to define an information security risk assessment process; now ISO27001 clause 8.2 directs you to perform it. Moreover, it directs you to perform it both at planned intervals and whenever a significant change is proposed or occurs. What counts as a significant change is not defined by the standard, as it is absolutely going to vary between organisations, so you need to define it in your own processes. The standard makes it clear that it is important to document the findings from these risk assessments and to be able to show any actions you have taken as a result. For example, if you determine that your product designs give you a market edge you would want to control them tightly, and your system passwords are probably something you want to keep secret; in each case you would risk assess them as, say, high-risk areas and put extra controls around them. Think about it as a three step process like this:
Clause 8.3 Information Security Risk Treatment
The final section of ISO27001 Clause 8 is where the standard directs you to implement your information security risk treatment plan. That is the plan you determined back when you ticked off clause 6.1.3: the plan that sets out, for each risk, which treatment option you will apply and which controls (compared against the reference set in Annex A of ISO27001) you will put in place. The expectation is that after each security risk assessment you review and implement the correct risk treatment, and keep documented results of that treatment. That means you may carry out a review of your risk assessment for one area and then redefine what the risk treatment should be.
Again, the direction from ISO27001 is to document this activity to provide evidence that it is happening. One of the best ways of doing this is to create a full risk register of all your information security risks and their associated risk treatments. On a regular basis either review your full register or, more likely, review each item on the register in turn. For example, if you have identified 36 items on your Information Security Risk Register then it is reasonable to expect that you review at least 2 or 3 of these each month, so that the whole register is covered within the year. Those listed as high priority would be reviewed more often than those with low priority, and so on.
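To make the register review concrete, here is an added example (not code from the article or from Many Caps Consulting) of a small risk register that schedules reviews by priority, tops the monthly plan up so a minimum number of items is always looked at, and writes an audit trail each time an item is reviewed. The review intervals, the risk entries and the dates are all assumptions constructed for the example; ISO27001 only asks for "planned intervals" and does not set them.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Review cadence by priority. These intervals are an assumption for this
# example; ISO27001 requires planned intervals but does not prescribe them.
REVIEW_INTERVAL_DAYS = {"high": 30, "medium": 90, "low": 180}


@dataclass
class RiskItem:
    risk_id: str
    description: str
    priority: str            # "high" | "medium" | "low"
    treatment: str           # chosen treatment option, e.g. "modify", "retain"
    last_reviewed: date
    history: list = field(default_factory=list)   # audit trail of reviews

    def __post_init__(self):
        if self.priority not in REVIEW_INTERVAL_DAYS:
            raise ValueError(f"unknown priority {self.priority!r}")

    def next_review_due(self) -> date:
        return self.last_reviewed + timedelta(days=REVIEW_INTERVAL_DAYS[self.priority])


def items_due(register, today):
    """Items whose review date has arrived, most overdue first."""
    due = [r for r in register if r.next_review_due() <= today]
    return sorted(due, key=lambda r: (r.next_review_due(), r.risk_id))


def monthly_plan(register, today, minimum=3):
    """Everything that is due, topped up with the next-due items so that at
    least `minimum` items get looked at this month even when little is overdue."""
    plan = items_due(register, today)
    chosen = {r.risk_id for r in plan}
    backlog = sorted((r for r in register if r.risk_id not in chosen),
                     key=lambda r: (r.next_review_due(), r.risk_id))
    plan.extend(backlog[: max(0, minimum - len(plan))])
    return plan


def record_review(item, reviewed_on, reviewer, outcome,
                  new_treatment=None, new_priority=None):
    """Write the evidence an auditor will ask for, then roll the dates forward.
    Raising the priority shortens the interval, so the next review comes sooner."""
    if new_priority is not None and new_priority not in REVIEW_INTERVAL_DAYS:
        raise ValueError(f"unknown priority {new_priority!r}")
    item.history.append({
        "date": reviewed_on,
        "reviewer": reviewer,
        "outcome": outcome,
        "treatment_before": item.treatment,
        "treatment_after": new_treatment or item.treatment,
        "priority_before": item.priority,
        "priority_after": new_priority or item.priority,
    })
    if new_treatment:
        item.treatment = new_treatment
    if new_priority:
        item.priority = new_priority
    item.last_reviewed = reviewed_on
    return item


def sample_register():
    """Constructed sample register: made-up risks and dates, not from the article."""
    return [
        RiskItem("R-01", "Product design files on shared drive", "high", "modify", date(2024, 4, 20)),
        RiskItem("R-02", "Admin passwords kept in a spreadsheet", "high", "modify", date(2024, 5, 15)),
        RiskItem("R-03", "Outsourced backup provider", "medium", "share", date(2024, 2, 1)),
        RiskItem("R-04", "Visitor sign-in book", "low", "retain", date(2024, 1, 10)),
        RiskItem("R-05", "Printed HR records", "low", "modify", date(2023, 10, 1)),
        RiskItem("R-06", "Laptop build process", "medium", "modify", date(2024, 4, 1)),
    ]


if __name__ == "__main__":
    register = sample_register()
    today = date(2024, 6, 1)
    for r in monthly_plan(register, today, minimum=4):
        print(r.risk_id, r.priority, "due", r.next_review_due())
    record_review(register[4], date(2024, 6, 3), "ISMS manager",
                  "shredding control in place; keep as is")
    print("R-05 next due", register[4].next_review_due())
```

The `history` list on each item is the documented information the standard asks for: who reviewed the risk, when, what they concluded, and whether the treatment or priority changed as a result. Run against the constructed register on 1 June 2024, three items are overdue and the plan tops up with the next high-priority item; once R-05 is reviewed it drops out of the due list and its next review moves six months out.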
Copyright
© Many Caps Consulting | All Rights Reserved