Clause 8 Operation

Clause 8 Operation

Version: 3.0

Valid until: 2025-04-12

Classification: Low

Version Management


Version

Author(s)

Change(s)

Date approved

1.0

Stefan van Aalst

Edward Robinson

Initiation document

2022-05-20

1.1

Edward Robinson

Additions/changes as part of the periodic review and improvement.


Constructed Clause 8 Operation based on Clause 6 Planning and  B04 Risk Management. 

2022-12-23

2.0Edward RobinsonAdditions/changes as part of the annual review.

No changes have been made.
2023-05-15
3.0
Edward Robinson
Additions/changes as part of the annual review.

Fixed broken link for Clause 6 and added link to Clause 10.

Fixed broken links for ISMB-related documentation.

Added link to Risk-Control matrix and security impact assessments.

Purpose & background


anDREa B.V. (hereafter called anDREa) is committed to protecting the security of its business information in the face of incidents and unwanted events and  has implemented an Information Security Management System (ISMS) that is compliant with ISO/IEC/27001:2017, the international standard for information security.


The purpose of this document is to describe operational planning and control, and that risk assessments are regularly performed and risk treatment is documented.


This document will be updated at least annually and when significant change happens.

Objective


The objective of this control is:


  • The organisation shall plan, implement and control the processes needed to meet information security requirements (8.1).

  • To ensure that risk assessments are performed at planned intervals (8.2).

  • To ensure that risk treatment is implemented (8.3). 

Scope

The scope of this document is according to Clause 4 Context of the organisation.

Availability

This document is:


  • required reading for:

    • all employees and contractors of anDREa.

  • available for all interested parties as appropriate.

Norm elements

8.1 Operational planning and control

“The organisation shall plan, implement and control the processes needed to meet information security requirements, and to implement the actions determined in 6.1. The organisation shall also implement plans to achieve information security objectives determined in 6.2.

The organisation shall keep documented information to the extent necessary to have confidence that the processes have been carried out as planned.

The organisation shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary.

The organisation shall ensure that outsourced processes are determined and controlled.”


anDREa safeguards the planning, implementing and control of processes needed to meet information security requirements in the PDSA cycle on the ISMS in accordance with Clause 6 Planning and Clause 10 Improvement. Moreover, anDREa shall keep documented information on these processes in the ticketing system and on the Azure DevOps sprintboard as Product Backlog Items (PBIs). 

anDREa will control planned changes in accordance with A.12.1.2 Change management and will review the consequences of unintended changes and register mitigating actions in the ticketing system.

Finally, anDREa will ensure that outsourced processes are determined and controlled through the supplier agreements in accordance with A.15 Supplier relationships.

8.2 Information security risk assessment

“The organisation shall perform information security risk assessments at planned intervals or when significant changes are proposed or occur, taking account of the criteria established in 6.1.2 a).

The organisation shall retain documented information of the results of the information security risk assessments.”


anDREa performs risk and security impact assessments at planned intervals or when significant changes occur in accordance with Clause 6 Planning. The Security Officer maintains the Risk-Control matrix.

8.3 Information security risk treatment

“The organisation shall implement the information security risk treatment plan.

The organisation shall retain documented information of the results of the information security risk treatment.”


anDREa has established an Information Security Management Board (ISMB) who convenes monthly to discuss information security topics (ISMB meeting notes), perform checks, plan tasks and actions to maintain the ISMS including risk treatment plans (ISMB Action list) in accordance with Clause 6 Planning

Administrations


    • Related Articles

    • Clause 5 Leadership

      Version: 3.0 Valid until: 2025-03-14 Classification: Low Version Management Version Author(s) Change(s) Date approved 1.0 Stefan van Aalst Edward Robinson Initiation document 2022-05-20 1.1 Edward Robinson Additions/changes as part of the periodic ...

    • Clause 7 Support

      Version: 3.0 Valid until: 2025-03-11 Classification: Low Version Management Version Author(s) Change(s) Date approved 1.0 Stefan van Aalst Edward Robinson Initiation document 2022-05-20 1.1 Edward Robinson Additions/changes as part of the periodic ...

    • Clause 4 Context of the organisation

      Version: 3.0 Valid until: 2025-04-12 Classification: Low Version Management Version Author(s) Change(s) Date approved 1.0 Stefan van Aalst Edward Robinson Initiation document 2022-05-23 1.1 Edward Robinson Additions/changes as part of the periodic ...

    • Clause 10 Improvement

      Version: 3.0 Valid until: 2025-03-11 Classification: Low Version Management Version Author(s) Change(s) Date approved 1.0 Stefan van Aalst Edward Robinson Initiation document 2022-05-20 1.1 Edward Robinson Additions/changes as part of the periodic ...

    • Clause 6 Planning

      Version: 3.0 Valid until: 2025-04-16 Classification: Low Version Management Version Author(s) Change(s) Date approved 1.0 Stefan van Aalst Edward Robinson Initiation document 2022-05-20 1.1 Edward Robinson Additions/changes as part of the periodic ...