Operational Planning and Control

Time
7 hours 56 minutes
Difficulty
Intermediate
CEU/CPE
8
Video Transcription
00:00
Module:
00:02
Clause 8: Operation.
00:09
Lesson 1.6.
00:11
Operational Planning and Control.
00:17
In this video, we will cover the requirements of Clause 8.1.
00:22
We will take a look at planned changes and the effects these have on the ISMS.
00:28
We will also look at unplanned changes and their effects on the ISMS,
00:34
and we'll take a brief look at outsourced functions.
00:41
So do you remember back when we spoke about Clause 6, Planning, and we defined processes there?
00:48
These processes now need to be implemented, operated and verified.
00:53
Activities here are pretty much the normal running and operating of processes and procedures within the organization,
01:00
and ensuring that information that can be used to monitor processes is being captured.
01:06
Here are a couple of processes that should be considered.
01:10
These processes have been planned previously, but they should now be officially implemented, if not done so already,
01:17
and operated as per the defined and planned process.
01:22
These processes often feed into and support the achievement of information security objectives,
01:30
so you would have processes including risk management, incident management, business continuity, internal audits,
01:38
management reviews
01:38
and so forth.
01:41
You would also be busy with your risk treatment actions
01:45
as per your risk treatment plan,
01:49
your reporting structures and measuring,
01:53
and meeting structures within your information security areas.
01:57
Ideally, to support your ISMS,
02:00
you would have something like an information security forum which meets on a monthly
02:07
or more frequent basis
02:08
to discuss the pertinent issues relating to the ISMS
02:13
as well as information security as a whole.
02:23
Planned changes.
02:25
So for planned changes
02:28
which relate to any component of the ISMS, or processes and components that fall within the scope of the ISMS,
02:35
there are a certain number of activities that should be performed.
02:38
This ensures that any changes form part of your operational planning and control.
02:46
So what do we need to consider
02:49
for planned changes?
02:51
We need to first plan the implementation;
02:54
we need to ensure that tasks are identified,
02:58
resources are assigned,
03:00
responsibilities have been outlined
03:02
and deadlines established.
03:07
We then implement according to this plan:
03:09
changes need to have plans
03:13
and should be implemented as planned.
03:19
You would then move on to monitoring the implementation
03:23
as the change is being implemented. Monitoring is required to ensure that the implementation
03:29
is actually taking place according to the plan.
03:32
This also serves
03:34
as a form of progress reporting
03:37
to ensure that the change is meeting its planned deadlines.
03:43
During all of these processes,
03:45
you'll want to collect and retain information.
03:50
All planning, implementation and monitoring will generate forms of documentation.
03:55
All of this should be retained as evidence of the change and that the change was implemented as planned.
04:11
So you can also have unplanned changes.
04:15
These can either be due to incidents that have occurred and changed something,
04:19
or some other incident that forces changes to be made without an opportunity to fully plan.
04:26
There are a couple of things to take note of with regards to unplanned changes:
04:30
changes of any nature can introduce new risks or opportunities for nonconformity.
04:39
This is especially true for unplanned changes.
04:43
Having an ISMS is all about managing risks and unexpected events to have your organization be the most resilient and secure version of itself.
04:55
So for unplanned changes, we need to identify the consequences.
05:00
Have there been any new risks that have been introduced?
05:03
Were there potential control breakdowns or nonconformities?
05:10
We then need to identify the adverse effects
05:12
if there are any.
05:14
What is the effect and impact of the change?
05:17
Were the effects minor,
05:19
or will major action be required?
05:25
What mitigation activities are required?
05:29
If new risks have been introduced as a result of the unplanned change,
05:32
these need to be properly assessed
05:34
and mitigated.
05:40
We also need to retain documented information on
05:43
all activities which pertain to unplanned changes,
05:47
as well as how the associated risks were mitigated.
05:57
If an organization outsources any of its functions
06:00
and these functions are part of the ISMS scope,
06:02
there are a couple of things to ensure are in place
06:05
specific to these functions.
06:09
Just because a function is outsourced
06:11
does not mean that the accountability is outsourced.
06:16
So with regards to outsourced functions,
06:19
ensure that all areas of outsourcing have been identified.
06:25
Make sure that appropriate interfaces with these outsourced service providers
06:30
and service level agreements for each one of them exist.
06:34
Quite importantly,
06:36
one needs to ensure that information security issues
06:41
are explicitly addressed in the service level agreements.
06:46
This forms part of your third party risk management processes.
06:50
You then also need to perform supplier monitoring and measurement
06:56
to ensure that the targets and information security requirements set forth in the service level agreements are achieved
07:03
If there are any changes to the supplier services
07:06
or requirements from us, the organization,
07:10
these need to be appropriately managed by both parties
07:13
and any subsequent updates to the SLAs need to be made.
07:24
For Clause 8.1, what is the mandatory documentation that is required
07:30
for this clause? Anything that could demonstrate operational planning and control
07:34
that was being performed during the period being audited
07:38
will suffice.
07:40
Here are a couple of examples of what this could look like.
07:45
You could use budgets and updates to budgets for the ISMS and any of its projects, components or audits,
07:54
headcounts for the ISMS teams,
07:58
progress reports pertaining to ISMS projects,
08:01
outputs from security processes occurring during the period,
08:07
for example, vulnerability assessments, test reports, incident reports and so forth,
08:13
compliance activities and monitoring to check and enforce compliance,
08:18
information pertaining to planned or unplanned changes and the management thereof.
08:31
To summarize,
08:33
in this lesson 6.1,
08:35
We covered what the standard requires for operational planning and control, also known as clause 8.1.
08:43
We also examined both planned and unplanned changes
08:46
and what their effects on the ISMS are and how these should be managed.
08:52
We briefly covered outsourced functions and considerations to have in place for those.
08:58
Lastly, we looked at the required documentation for the clause.