Master ISO 27001 Clause 8: Operation

ISO 27001 Clause 8 is all about the operation of your ISMS. In this article I'll step you through the major clauses, the documents involved, and what auditors expect.

Introducing ISO 27001 Clause 8: Operation

ISO 27001 Clause 8 is where all your planning (Clause 6) is implemented under controlled conditions.

By the time you address Clause 8, you should have completed your risk assessment, established your treatment plan (from Clause 6), and prepared your resources and processes (Clause 7).

Clause 8 essentially says: do what you planned to do about risks, and do it in a managed way.

Read on below to learn what it means and how to implement it.


Clause 8.1 is a broad requirement ensuring that you implement and control the processes needed to meet information security requirements and to implement the actions determined in Clause 6.

In simpler terms: for all the plans and controls you decided on, carry them out and manage them. You should also keep appropriate evidence (documented information) that processes have been carried out as planned.

Some key aspects:

  • You might have certain operational procedures that need to be followed (e.g., a procedure for user account provisioning or for backup and restore). Clause 8.1 implies that you should operate consistently according to those procedures.
  • If you outsource any processes or have external parties involved, ensure controls extend to them and are coordinated (for example, if using a third-party data center, you have arrangements to manage that security).
  • Essentially, Clause 8.1 is an umbrella reminder: don’t just have paperwork (policies, risk plans) – actually put it into practice. If any changes occur during operation, make them in a controlled manner (which ties in with Clause 6.3, planning of changes).

In an audit, Clause 8.1 evidence often comes from showing that things like backup processes, access reviews, incident response, etc., are happening as per your ISMS procedures.

If your risk treatment plan said “implement encryption control by March”, Clause 8.1 evidence would be showing that, by March, you did implement encryption.

Operational Planning and Control Process (Clause 8.1)

ISO 27001 Clause 8.2 requires the organisation to perform information security risk assessments at planned intervals or when significant changes occur and maintain documented information of the results. This effectively ensures that risk management is continuous, not one-time.

What this means:

  • You should define how often you’ll formally reassess risks. Many choose an annual risk assessment as a planned interval. If the environment is very dynamic, some might do it more frequently (semi-annually).
  • Also, if a big change happens (like launching a new product, an acquisition, a major incident, or new law), you shouldn’t wait for the periodic cycle – you do a targeted risk assessment for that change.
  • You need to keep records of these ongoing risk assessments. So, if in 2024 you did an initial risk assessment, by 2025 maybe you do another; keep both results and note updates (maybe update the risk register with new risks or changed risk levels).
  • Essentially, Clause 8.2 connects back to Clause 6.1. It ensures risk assessment isn’t a static document but a living process.

Auditors will expect to see that you have done at least one full cycle of risk assessment by the time of the audit (the initial assessment from Clause 6 may count, but if significant time has passed, an update is expected). In surveillance years, they’ll expect an annual risk review record.

Information Security Risk Assessment Process (Clause 8.2)

Clause 8.3 similarly requires the organisation to implement the risk treatment plan from Clause 6.1.3 and retain documented information about those results. In practice:

  • It asks you to carry out the treatments (i.e., implement the controls) that you planned and do so continuously.
  • If any new risks were identified (from 8.2’s re-assessment or changes), treat those as well (update treatment plans, SoA, etc., accordingly).
  • Keep records of the treatments that were done. For example, if one treatment was “update firewall rules”, a change log or screenshot can show it was done. If it was “conduct training”, have the attendance record (that’s also Clause 7 evidence).
  • By the audit, you should have an up-to-date risk treatment status – basically your risk register should be updated with current status (e.g., this risk is now mitigated by control X implemented on date Y).

Clauses 8.2 and 8.3 effectively ensure the risk management loop stays active: you regularly check risks and update controls accordingly.

It’s worth noting that many of the day-to-day ISMS activities will be driven by the controls you chose. For example, Annex A controls (like antivirus management, logging, access control reviews, incident management, etc.) become part of your Clause 8 “operations”.

The auditor in Clause 8 might reference some of those: e.g., if you said in SoA that you do access reviews (Annex A control), then under Clause 8 they’ll want to see you did an access review recently.

So Clause 8 is tied very closely to Annex A verification.


Documentation and Outputs for ISO 27001 Clause 8

If you have any specific procedures (SOPs) for ISMS operations (like how to do user access provisioning, handle incidents, and do backups), those should be followed and records kept. Many of these align with Annex A controls, but consider them from Clause 8’s perspective: say you have a backup procedure.

Clause 8’s output would be actual backup logs or reports showing that backups occur per schedule.

Document when you perform periodic risk reviews. Update the risk register with any changes (maybe in a different color or with a new column for re-evaluation). Keep minutes of risk review meetings if applicable. A quick summary report annually, like “Reviewed risk register, added 2 new risks, updated 5 risk scores due to changes” is useful.

Update the risk treatment plan and SoA as needed.

If new controls are added or some are removed, create a new version of the SoA.

Keep evidence of implementation: for each control implemented, there might be evidence (screenshots of tool configurations, policy documents, etc.). You should have it available even if you don’t get asked for it in the audit.

Numerous records show you’re operating the ISMS.

Examples:

  • Access control review records (maybe quarterly user access reviews).
  • Internal meeting minutes for ISMS operational meetings (if you have a monthly security meeting, those minutes show you are actively running the ISMS).
  • Maintenance records for systems (patch logs, etc., if relevant to security).
  • Monitoring logs and results (like if you monitor network for intrusions, logs of that).
  • Incident logs (showing you are recording and handling incidents, which is an operational activity).

Not all of these are mandatory, but they naturally result from implementing controls. The key is that you have evidence that “the wheels are turning”.

  • Third-party agreements: If part of your operations includes outsourced work, ensure you have contracts or SLAs that cover security (this can be evidence that you addressed those operational needs).
  • Change logs: If you made changes (Clause 6.3 ties in), any change request forms or approval records show you handled them properly.

What Auditors Look For in Clause 8

Auditors will want to see that you did what you said you would do. This often overlaps with Annex A control verification, but it focuses on Clause 8 itself.

Essentially, the Clause 8 audit is not a single checklist item; it’s the culmination of all previous clauses being put into action. If Clause 8 is weak, it means you have a “paper ISMS” but not a working one. Auditors will usually spend a lot of time on actual practices (which is Clause 8 territory).

The auditor will pick some risks from your risk treatment plan and ask for evidence that the treatments have been implemented. For example, if a risk was “data center loss of power” and the treatment was “install UPS and test it quarterly,” they might ask whether the UPS is in place and ask to see a test record.

They will ensure your risk register and SoA are up-to-date at the time of the audit. If you did a risk assessment 10 months ago and have since added a new system but didn’t update your register, they’ll catch that during interviews (e.g., you mention a new system, and they cross-check that it’s not in the risk documents). That could be a nonconformity for not updating the risk assessment (Clause 8.2).

Some examples of things auditors like to see and ask:

Incidents

Auditors often look at security operations like incidents, and ask, “Have you had security incidents? Show me how they were recorded and handled.” They expect an incident log and some incident reports, if applicable (Annex A also covers this, but Clause 8 expects you to actually operate an incident process).

Backups

“Show me evidence that you perform backups and have tested restores” is a common question if that control was in your SoA (it is a common one).

Access reviews

You’ll likely need to demonstrate when user access rights were reviewed, so the auditor may ask, “When was the last user access review for critical systems? Please show results.”

System updates

“How do you ensure systems are updated/patched? Is there a schedule? Show me an example (like the latest Windows patch report).”

These tie to controls (Annex A), but by checking them, the auditor validates Clause 8 (the doing) is effective.

Internal audits and management reviews

Though internal audits and management reviews belong to Clause 9, they are part of the operation of the ISMS too. They will be checked under Clause 9 specifically, but the auditor might reference, in the Clause 8 context, that you have an “operational schedule for audits and reviews and you followed it.”

If you have any regulatory requirements, they may check whether you are operationally meeting those (e.g., if GDPR applies, are you doing what’s needed operationally, like handling data subject requests, etc. – partially Annex A control A.5.30, etc., but integrated into operations).

Clause 8 implicitly is about effective operation. Auditors might find evidence from performance (Clause 9) like metrics and see if operations are achieving desired results.

For example, if you had a control to reduce malware incidents but still have frequent incidents, they might question whether the control is fully implemented or needs adjustment.


Example

Imagine your SoA says “We implement control A.12.6.1 – Anti-malware controls.”

In the audit, the auditor asks, “What anti-malware solution do you use and how do you monitor it?” You show them your endpoint antivirus console, which logs viruses found. The auditor sees a report of last month’s detections and how they were resolved.

This demonstrates operational control of malware (Clause 8 executed).

Another example: Your risk treatment included training employees on security. The auditor already saw training records (Clause 7), but might ask an employee, “Do you know how to report a security incident?”

The employee says, “Yes, we have an email address or we call IT.” That shows the incident reporting process (part of operations) is communicated and presumably functional – someone did report an incident last quarter and IT has that record.

All these little verifications build confidence that Clause 8 – the day-to-day ISMS – is active and effective.


ISO 27001 Clause 8: Operation FAQs

What’s the difference between risk in Clause 6 and Clause 8 in ISO 27001?

Clause 6 is about planning – identifying risks, defining objectives, and deciding actions. Clause 8 is about doing – implementing the risk treatments, controls, and operational processes that were planned. You could think of Clause 6 as creating the map, and Clause 8 as the journey itself.

Do I need to keep evidence for every control I implement?

Yes, ISO 27001 expects you to retain documented information to demonstrate that planned actions were carried out. This doesn’t mean excessive paperwork, but you should be able to show that each control in your treatment plan or SoA is either implemented or actively being worked on – with evidence like logs, screenshots, change records, or meeting notes.

How often should I update the risk register under Clause 8.2?

The standard does not have a fixed interval, but most organisations perform a formal risk assessment annually, with additional updates whenever significant changes occur (e.g., new systems, major incidents, or regulatory updates). The key is that your risk register is current and reflects your actual environment.

What happens if a planned control isn’t implemented on time?

It depends on the context. You should document the delay and explain why it occurred and whether any temporary mitigation is in place. Auditors may flag this if the risk is high and the control is critical unless you show it’s being actively managed. Regularly updating the risk treatment plan helps demonstrate oversight and control.

How do Clause 8 activities tie in with Annex A controls?

Annex A controls represent what you might choose to implement to address risks. Clause 8 is about ensuring you actually implement them in practice. So if your SoA says “Control A.12.6.1 – anti-malware – is implemented,” Clause 8 evidence would show that the system is running, monitored, and maintained as per your ISMS procedures.

Further Reading

Get the ISO 27001:2022 standard


Written by

Alan Parker

Alan Parker is an experienced IT governance consultant who’s spent over 30 years helping SMEs and IT teams simplify complex IT challenges. With an Honours Degree in Information Systems, ITIL v3 Expert certification, ITIL v4 Bridge, and PRINCE2 Practitioner accreditation, Alan’s expertise covers project management, ISO 27001 compliance, and service management best practices. Recently named IT Project Expert of the Year (2024, UK).
