graphgrc

ISO 27001 - 8 - Operation

8.1

Operational planning and control

The organization shall plan, implement and control the processes needed to meet requirements, and to implement the actions determined in Clause 6, by establishing criteria for the processes and implementing control of the processes in accordance with the criteria. Documented information shall be available to the extent necessary to have confidence that the processes have been carried out as planned. The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. The organization shall ensure that outsourced processes are determined and controlled.

Mapped SCF controls

• CPL-02 - Cybersecurity & Data Protection Controls Oversight
• CPL-03 - Cybersecurity & Data Protection Assessments
• GOV-01 - Cybersecurity & Data Protection Governance Program
• OPS-01 - Operations Security
• OPS-01.1 - Standardized Operating Procedures (SOP)
• OPS-03 - Service Delivery (Business Process Support)

8.2

Information security risk assessment

The organization shall perform information security risk assessments at planned intervals or when significant changes are proposed or occur, taking account of the criteria established in 6.1.2 a). The organization shall retain documented information of the results of the information security risk assessments.

Mapped SCF controls

• RSK-01 - Risk Management Program
• RSK-04 - Risk Assessment

8.3

Information security risk treatment

The organization shall implement the information security risk treatment plan. The organization shall retain documented information of the results of the information security risk treatment.

Mapped SCF controls

• RSK-06 - Risk Remediation
• RSK-06.1 - Risk Response

This site is open source. Improve this page.