Clause 8: Operation
Operational planning and Control.
In this video, we will cover the requirements of Clause 8.1.
We will take a look at planned changes and the effect that these have on the ISMS.
We will also look at unplanned changes and their effects on the ISMS,
and we'll take a brief look at outsourced functions.
So do you remember back when we spoke about Clause 6, planning, and we defined processes there?
These processes now need to be implemented, operated and verified.
Activities here are pretty much the normal running and operating of processes and procedures within the organization,
and ensuring that information can be used to monitor processes is being captured.
Here are a couple of processes that should be considered.
These processes have been planned previously, but these should now be officially implemented, if not done so already
and operated as per the defined and planned process.
These processes often feed into and support the achievement of information security objectives,
so you would have processes including risk management, incident management, business continuity, internal audits.
You would also be busy with your risk treatment actions
as per your risk treatment plan,
your reporting structures and measuring
meeting structures within your information security areas.
Ideally, to support your ISMS,
you would have something like an information security forum which meets on a monthly
or more frequent basis
to discuss the pertinent issues relating to the ISMS
as well as information security as a whole
which relate to any component of the ISMS or processes and components that fall within the scope of the ISMS,
there are a certain number of activities that should be performed.
This ensures that any changes are part of your operational planning and control.
So what do we need to consider?
We need to first plan the implementation.
We need to ensure that tasks are identified,
resources are assigned,
responsibilities have been outlined
and deadlines established.
We then implement according to this plan;
changes need to have plans
and should be implemented as planned.
You would then move on to monitoring the implementation
As the change is being implemented, monitoring is required to ensure that the implementation
is actually taking place according to the plan.
as a form of progress reporting
to ensure that the change is meeting its planned deadlines.
During all of these processes,
you'll want to collect and retain information.
All planning, implementation and monitoring will generate forms of documentation.
All of this should be retained as evidence of the change and that the change was implemented as planned.
So you can also have unplanned changes.
These can either be due to incidents that have occurred and changed something
or some other incident that forces changes to be made without an opportunity to fully plan.
There are a couple of things to take note of with regard to unplanned changes.
Changes of any nature can introduce new risks or opportunities for nonconformity.
This is especially true for unplanned changes.
Having an ISMS is all about managing risks and unexpected events to have your organization be the most resilient and secure version of itself.
So for unplanned changes, we need to identify the consequences.
Have there been any new risks that have been introduced?
Were there potential control breakdowns or nonconformities?
We then need to identify the adverse effects.
What is the effect and impact of the change?
Were the effects minor,
or will major action be required?
What mitigation activities are required?
If new risks have been introduced as a result of the unplanned change,
these need to be properly assessed.
We also need to retain documented information,
all activities which pertain to unplanned changes,
as well as how the associated risks were mitigated.
If an organization outsources any of its functions
and these functions are part of the ISMS scope,
there are a couple of things to ensure are in place
specific to these functions
Just because a function is outsourced
does not mean that the accountability is outsourced.
So with regard to outsourced functions,
ensure that all areas of outsourcing have been identified.
Make sure that appropriate interfaces with these outsourced service providers
and service level agreements for each one of them exist.
One needs to ensure that information security issues
are explicitly addressed in the service level agreements.
This forms part of your third party risk management processes.
You then also need to perform supplier monitoring and measurement
to ensure that the targets and information security requirements set forth in the service level agreements are achieved
If there are any changes to the supplier services
or requirements from us, the organization,
these need to be appropriately managed by both parties
and any subsequent updates to the SLAs need to be made.
For Clause 8.1, what is the mandatory documentation that is required
for this clause? Anything that could demonstrate operational planning and control
that was being performed during the period being audited.
Here are a couple of examples of what this could look like.
You could use budgets and updates to budgets for the ISMS and any of its projects, components or audits.
Headcounts for the ISMS teams
Progress reports pertaining to the ISMS project
outputs from security processes occurring during the period,
for example, vulnerability assessments, test reports, incident reports and so forth
compliance activities and monitoring to check and enforce compliance
information pertaining to planned or unplanned changes and the management thereof
We covered what the standard requires for operational planning and control, also known as clause 8.1.
We also examined both planned and unplanned changes
and what their effects on the ISMS are and how these should be managed.
We briefly covered outsourced functions and considerations to have in place for those.
Lastly, we looked at the required documentation for the clause.