Clause 8.1 of ISO 27001 underlines the importance of rigorous planning and control of information security operations within an organization.
In concrete terms: in clause 6 we defined our objectives; now we have to bring them to life.

Like the foundations of a house, clause 8.1 is the foundation on which the entire structure of an ISMS rests. This essential section of the standard shapes the actions to be taken to plan, implement, monitor, **evaluate** and improve information security. It is the heart of our data protection strategy.
The importance of this clause lies in its ability to transform strategic intentions into concrete, measurable actions, thus ensuring that identified risks are effectively managed and information security objectives achieved.
Above all, this clause helps to ensure that the security program complies with the information security objectives defined in the ISMS.
It emphasizes the establishment of criteria for processes, the control of these processes and the need to document information to prove that processes have been carried out as planned.
Let’s take it apart
**Plan** – We’ve defined what we want to achieve as a goal, but we need a serious and comprehensive game plan to reach that goal. For example, if we lack experience, how are we going to get it?
**Implement** – Is it possible to operationalize the plan, put it to work and see it evolve in our organization?
**Control** – Have we defined checkpoints for the items in our game plan? For example, approval to go into production must include a rapid rollback plan. So, do we have that rollback plan?
**Evaluate** – Without duplicating clause 9.1 of the standard, can we evaluate the plan and its implementation?
**Improve** – Finally, in relation to clause 10.1, following the evaluation of the plan, does the organization adjust or take action?
Examples of non-conformity
Sometimes, to understand a clause in a standard, you have to attack it in reverse, and that’s what’s happening here with this pivot clause.
Since it links several items, it is sometimes difficult to see its specificity. Here are a few examples of non-compliance encountered in my practice:
- Lack of adequate documentation: The organization does not document its processes, information security controls and operating procedures.
- Inconsistent implementation of controls: The organization has not implemented its controls consistently, or their implementation is not in line with identified risks and established planning.
- Lack of evidence of operational control: Not having evidence or records to demonstrate that information security processes and controls are effectively monitored, measured and controlled.
- Lack of integration into business processes: Information security is not integrated into the organization’s operational processes, and is treated as a separate or additional element.
- Inadequate change management: Changes in processes, systems or technologies are not properly managed in terms of their impact on information security. Changes must be assessed, documented and controlled to maintain security.
- Lack of responsiveness to monitoring results: The organization does not take corrective action in response to monitoring results and operational control reviews, so the deficiencies detected are never addressed.
- Insufficient assessment of effectiveness: Not evaluating the effectiveness of information security actions and controls. For example, not checking that our antivirus really works, or that our backups are always functional.
Clause 8.1 is essential, as it ensures that information security plans and controls are not only strategically designed (clause 6), but also integrated and effectively operationalized within the organization’s day-to-day processes.
In addition, it prepares the ground for Clause 9 by putting in place the processes and controls that will be assessed for their effectiveness, enabling continuous improvement based on concrete data.
Success criteria
In order to determine whether we have complied with clause 8.1 of ISO 27001, here are a few questions an auditor might ask:
- Does the organization have plans for achieving its information security objectives?
- Is there sufficient documentation to ensure that processes have been followed as planned?
- Does the change process include the consequences of unforeseen changes and measures to limit negative effects?
- Are ISMS-related suppliers clearly defined and monitored?