Clause 8 in plain terms
Clause 8 (Operation) is the "do" in Plan-Do-Check-Act. It asks you to plan, implement and control the processes that meet your information security requirements and carry out the actions you decided on in Clause 6. In plain terms, it's where the risk treatment plan gets delivered and where the day-to-day running of the ISMS happens.
That work comes in two shapes. Some of it recurs on a schedule: user access reviews, management reviews, internal audits, measuring your KPIs. Some of it is one-off: configuring MFA on a new system, closing a specific finding. Clause 8 also asks you to keep enough records to show the work was done as planned. Both the recurring and the one-off work need a home where owner, status, and records are visible, and that is the case for running the ISMS as workstreams.
Why an ISMS runs better as workstreams
ISMS work is genuinely mixed — recurring operations, risk-driven changes, audit findings to fix, and the odd task that fits nowhere. Pour all of that into a single list and the recurring work gets buried under whatever is loudest that week. Splitting it into a few persistent buckets — epics in Jira, milestones in GitHub, or dedicated projects in a compliance tool — gives each type of activity its own home, cadence, and owner. It also turns the tool into your evidence trail, which we will come back to. Four workstreams cover most of it.
Operational Plan
The operational plan holds the recurring, calendar-driven work — the control operation you can schedule a year in advance. Typical entries include updating the organisation chart, running the internal audit, reviewing access-control lists, and testing business continuity. It maps to the operational-control side of Clause 8.1.
The pattern that keeps it healthy is an annual cycle. The plan is rolled forward and reviewed once a year, so each period starts from a reviewed baseline rather than a blank page. One small habit makes it usable day to day — sort the workstream by due date ascending, so the next thing due is always at the top and nothing slips quietly past its date.
Risk Treatment
The risk treatment workstream holds every to-do that comes out of your risk assessment and treatment process. When a risk above your acceptance threshold needs mitigating, transferring, or avoiding, those actions land here. This is Clause 8.3 in practice, delivering the risk treatment plan you built under Clause 6 — the methodology, scoring, and treatment choices we walk through in our guide to Clauses 6 and 8.
Each item works best when it traces back to a specific risk on your register, names a single owner, and closes with evidence that the treatment is actually operating rather than just marked done. That traceability is exactly what an auditor follows from risk, to control, to proof.
Corrective Action Log
The corrective action log captures corrective actions arising from nonconformities, observations, and opportunities for improvement — whether they surface through internal or external audits, KPI measurement, management review, or any other monitoring and review activity. Governed by Clause 10.2, it is operated here as a live log rather than a once-a-year clean-up.
A consistent template is what makes it defensible, capturing the classification, the type, and the root cause behind each entry, so a fix addresses the cause and not just the symptom. For the full mechanics of corrective action, see the Clause 10.2 article.
ISMS Tasks
The last workstream is the catch-all. ISMS tasks are the one-off, general activities that do not belong under corrective action, risk treatment, or the recurring operational plan — things like a specific communication to top management. Giving them a named home stops these odd jobs from being lost in someone's inbox, and keeps the other three workstreams clean and focused.
How the four fit together
The four are not isolated. The operational plan runs the routine and surfaces findings, risk treatment delivers the changes your risk work calls for, the corrective action log catches what goes wrong, and ISMS tasks mop up the rest. Between them they span more than Clause 8 alone — the recurring audits and KPI measurement feed Clause 9's monitoring and management review, and corrective actions sit in Clause 10. Clause 8 is simply where the operating happens and where the inputs to those clauses are produced. Some teams add further buckets for exactly this reason, such as KPI measurement or ISMS change and scope tracking.
The tool is your evidence
Running these workstreams in a project tool does more than keep you organised. Clause 8 requires documented information showing processes were carried out as planned, and a well-kept board delivers that as a by-product — every item carries its owner, its dates, its status, and its closure evidence, with a history you did not have to assemble after the fact. When a Stage 2 auditor asks whether your ISMS is actually run or merely documented, the board is the answer.
What auditors look for
At Stage 2, auditors treat operation as the reality check on your plan. They look for an operational plan that is genuinely on a cycle rather than dormant, a risk treatment workstream that is progressing with owners and dates that mean something, a corrective action log that is alive and closing items with evidence, and a Statement of Applicability that matches what is really running. Empty or abandoned workstreams tell them the opposite.
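The signals listed above, together with the traceability points from the Risk Treatment section (a risk on the register, a single owner, closure evidence), can be checked mechanically before an auditor does. The script below is an added illustration, not tooling from this article and not a feature of Jira or GitHub: it audits a constructed export of the four workstreams for missing owners, overdue open items, items closed without evidence, risk-treatment items that do not trace to a risk, corrective actions with no recorded root cause, and workstreams that are empty or untouched for a quarter. The field names (`workstream`, `key`, `owner`, `due`, `status`, `evidence`, `risk_id`, `root_cause`, `updated`), the sample items, the reference date, and the 90-day dormancy threshold are all assumptions to be mapped onto your own tool's export.

```python
"""Health check over an ISMS workstream export (added example; not from the article).

Assumes a flat list of board items, as a Jira or GitHub export might give you,
with hypothetical field names: workstream, key, title, owner, due, status,
evidence, risk_id, root_cause, updated. Dates are ISO strings.
"""
from datetime import date, timedelta

WORKSTREAMS = ("Operational Plan", "Risk Treatment", "Corrective Action Log", "ISMS Tasks")
CLOSED = {"Done", "Closed"}
ABANDONED_AFTER = timedelta(days=90)   # assumption: a quarter without updates reads as dormant
REFERENCE_DATE = date(2024, 7, 15)     # constructed "today" for the sample below

# Constructed sample export. "ISMS Tasks" is deliberately absent to show the empty-bucket finding.
SAMPLE_ITEMS = [
    {"workstream": "Operational Plan", "key": "OP-1", "title": "Annual internal audit",
     "owner": "alice", "due": "2024-03-31", "status": "Done",
     "evidence": "audit-report-2024.pdf", "updated": "2024-04-02"},
    {"workstream": "Operational Plan", "key": "OP-2", "title": "Q3 access-control list review",
     "owner": "bob", "due": "2024-09-30", "status": "To Do", "evidence": "", "updated": "2024-06-01"},
    {"workstream": "Risk Treatment", "key": "RT-7", "title": "Enforce MFA on VPN",
     "owner": "", "due": "2024-05-15", "status": "In Progress", "evidence": "",
     "risk_id": "R-12", "updated": "2024-05-10"},
    {"workstream": "Risk Treatment", "key": "RT-8", "title": "Encrypt backups at rest",
     "owner": "carol", "due": "2024-08-01", "status": "Done", "evidence": "",
     "risk_id": "", "updated": "2024-07-28"},
    {"workstream": "Corrective Action Log", "key": "CA-3", "title": "NC-2024-01 patch cadence",
     "owner": "dave", "due": "2024-02-28", "status": "Done", "evidence": "ticket CHG-442",
     "root_cause": "", "updated": "2024-02-20"},
]


def item_findings(item, today):
    """Return the audit-facing gaps in one item; an empty list means the item is defensible."""
    gaps = []
    key = item.get("key", "?")
    is_closed = item.get("status") in CLOSED
    if not item.get("owner"):
        gaps.append(f"{key}: no single accountable owner")
    due = item.get("due")
    if not due:
        gaps.append(f"{key}: no due date")
    elif not is_closed and date.fromisoformat(due) < today:
        gaps.append(f"{key}: overdue since {due} and still {item.get('status')}")
    if is_closed and not item.get("evidence"):
        gaps.append(f"{key}: closed without closure evidence")
    if item.get("workstream") == "Risk Treatment" and not item.get("risk_id"):
        gaps.append(f"{key}: does not trace to a risk on the register")
    if item.get("workstream") == "Corrective Action Log" and not item.get("root_cause"):
        gaps.append(f"{key}: no root cause recorded")
    return gaps


def audit(items, today):
    """Group item gaps by workstream and add the workstream-level signals (empty, dormant)."""
    report = {ws: [] for ws in WORKSTREAMS}
    for item in items:
        report.setdefault(item["workstream"], []).extend(item_findings(item, today))
    for ws in WORKSTREAMS:
        ws_items = [i for i in items if i["workstream"] == ws]
        if not ws_items:
            report[ws].append("workstream is empty")
            continue
        last_touch = max(date.fromisoformat(i["updated"]) for i in ws_items)
        if today - last_touch > ABANDONED_AFTER:
            report[ws].append(f"workstream looks abandoned: last update {last_touch}")
    return report


def next_due(items):
    """Open items sorted by due date ascending: the view to keep at the top of each workstream."""
    open_items = [i for i in items if i.get("status") not in CLOSED and i.get("due")]
    return sorted(open_items, key=lambda i: i["due"])


if __name__ == "__main__":
    for ws, gaps in audit(SAMPLE_ITEMS, REFERENCE_DATE).items():
        print(ws, "->", gaps or "no findings")
    print("Next due:", [i["key"] for i in next_due(SAMPLE_ITEMS)])
```

Running it against the sample flags RT-7 (no owner, overdue), RT-8 (closed without evidence, no risk reference), CA-3 (no root cause) and two workstream-level problems: ISMS Tasks is empty and the corrective action log has not been touched in over a quarter. Point the same checks at a real export a few weeks before Stage 2 and the findings list is the gap between the board you have and the board the auditor expects to see.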
Where to start
Set up the four buckets in whatever tool you already use, give each a single accountable owner, and load the operational plan with your recurring annual tasks sorted by due date. Route new risk actions into risk treatment, new findings into the corrective action log, and everything else into ISMS tasks. Do that, and Clause 8 stops being the place a certification stalls and becomes the place the ISMS actually runs.