Clause 8: Operation

Operational planning and control, executing risk assessments, and implementing risk treatment plans.

Overview

Clause 8 is where planning meets execution. While Clause 6 defines what you plan to do, Clause 8 requires you to actually implement those plans — carrying out risk assessments, applying risk treatments, and ensuring day-to-day operations align with your ISMS objectives. This is the “do” phase of the Plan-Do-Check-Act cycle.

8.1 Operational Planning and Control

The organisation must plan, implement, and control the processes needed to meet information security requirements and to implement the actions determined in Clause 6. This includes:

  • Establishing criteria for the processes — defining what “done well” looks like for each operational process.
  • Implementing control of the processes — ensuring processes are carried out in accordance with the criteria.
  • Managing planned changes — assessing the consequences of planned changes and taking action to mitigate any adverse effects. This includes changes to IT systems, organisational structure, or third-party services.
  • Controlling outsourced processes — if any ISMS processes are outsourced, they must still be controlled and documented.

Documented information must be retained to the extent necessary to have confidence that the processes have been carried out as planned.

8.2 Information Security Risk Assessment

You must perform information security risk assessments at planned intervals or when significant changes are proposed or occur. The risk assessment must follow the process defined in Clause 6.1.2. This is not a one-off exercise — risk assessments should be repeated regularly (typically annually at minimum) and triggered by material changes such as:

  • Major system changes or new system deployments.
  • Organisational restructuring or mergers.
  • Changes to the regulatory environment.
  • Significant security incidents that reveal new risks.
  • Results from internal or external audits.

8.3 Information Security Risk Treatment

You must implement the information security risk treatment plan defined in Clause 6.1.3. This means putting the selected controls into practice, assigning owners, setting implementation timelines, and tracking progress. The results of the risk treatment must be retained as documented information.

Effective risk treatment requires ongoing monitoring. A control that was effective last year may no longer be adequate if the threat landscape has changed. Regular review ensures your treatments remain proportionate and effective.

How Standardise Helps

  • Risk Register — every risk includes treatment status tracking (open, in progress, treated, accepted), an assigned owner, and a treatment description. The heat map visualises your current risk profile for management reporting.
  • Treatment plan documentation — the Risk Treatment Plan template provides a formal record of how each risk will be addressed, directly satisfying the documented information requirement of 8.3.
  • Asset Register — track information assets, their owners, and classifications. Asset changes can trigger risk reassessment, supporting the change management requirements of 8.1.
  • Audit trail — all operational actions within Standardise are logged, providing confidence that processes are being carried out as planned.