
ISO 27001 Clause 8: Putting the plan into action

Clause 6 gives you the plan; Clause 8 is where you run it. This guide breaks ISMS operation into four workstreams — operational plan, risk treatment, corrective actions, and general tasks — and shows how to manage each so your ISMS actually runs and holds up at Stage 2.


Clause 6 gives you a plan. Clause 8 decides whether it becomes a system you run every week or a document you revisit once a year in a panic. The teams that make it work stop treating ISMS work as one long to-do list and split it into a handful of workstreams, each with a clear job and an owner. This article covers the four that carry most of the load — the operational plan, risk treatment, corrective actions, and general ISMS tasks.

Clause 8 in plain terms

Clause 8 (Operation) is the "do" in Plan-Do-Check-Act. It asks you to plan, implement and control the processes that meet your information security requirements and carry out the actions you decided on in Clause 6. In plain terms, it's where the risk treatment plan gets delivered and where the day-to-day running of the ISMS happens.

That work comes in two shapes. Some of it recurs on a schedule — user access reviews, management reviews, internal audits, measuring your KPIs. Some of it is one-off — configuring MFA on a new system, closing a specific finding. Clause 8 also asks you to keep enough records to show the work was done as planned. Both the recurring and the one-off work need somewhere to live, and that is the case for workstreams.

Why an ISMS runs better as workstreams

ISMS work is genuinely mixed — recurring operations, risk-driven changes, audit findings to fix, and the odd task that fits nowhere. Pour all of that into a single list and the recurring work gets buried under whatever is loudest that week. Splitting it into a few persistent buckets — epics in Jira, milestones in GitHub, or dedicated projects in a compliance tool — gives each type of activity its own home, cadence, and owner. It also turns the tool into your evidence trail, which we will come back to. Four workstreams cover most of it.

Operational Plan

The operational plan holds the recurring, calendar-driven work — the control operation you can schedule a year in advance. Typical entries include updating the organisation chart, running the internal audit, reviewing access-control lists, and testing business continuity. It maps to the operational-control side of Clause 8.1.

The pattern that keeps it healthy is an annual cycle. The plan is rolled forward and reviewed once a year, so each period starts from a reviewed baseline rather than a blank page. One small habit makes it usable day to day — sort the workstream by due date ascending, so the next thing due is always at the top and nothing slips quietly past its date.

Risk Treatment

The risk treatment workstream holds every to-do that comes out of your risk assessment and treatment process. When a risk above your acceptance threshold needs mitigating, transferring, or avoiding, those actions land here. This is Clause 8.3 in practice, delivering the risk treatment plan you built under Clause 6 — the methodology, scoring, and treatment choices we walk through in our guide to Clauses 6 and 8.

Each item works best when it traces back to a specific risk on your register, names a single owner, and closes with evidence that the treatment is actually operating rather than just marked done. That traceability is exactly what an auditor follows from risk, to control, to proof.

Corrective Action Log

The corrective action log captures corrective actions arising from nonconformities, observations, and opportunities for improvement — whether they surface through internal or external audits, KPI measurement, management review, or any other monitoring and review activity. Governed by Clause 10.2, it is operated here as a live log rather than a once-a-year clean-up.

A consistent template is what makes it defensible, capturing the classification, the type, and the root cause behind each entry, so a fix addresses the cause and not just the symptom. For the full mechanics of corrective action, see the Clause 10.2 article.

ISMS Tasks

The last workstream is the catch-all. ISMS tasks are the one-off, general activities that do not belong under corrective action, risk treatment, or the recurring operational plan — things like a specific communication to top management. Giving them a named home stops these odd jobs from being lost in someone's inbox, and keeps the other three workstreams clean and focused.

How the four fit together

The four are not isolated. The operational plan runs the routine and surfaces findings, risk treatment delivers the changes your risk work calls for, the corrective action log catches what goes wrong, and ISMS tasks mop up the rest. Between them they span more than Clause 8 alone — the recurring audits and KPI measurement feed Clause 9's monitoring and management review, and corrective actions sit in Clause 10. Clause 8 is simply where the operating happens and where the inputs to those clauses are produced. Some teams add further buckets for exactly this reason, such as KPI measurement or ISMS change and scope tracking.

The tool is your evidence

Running these workstreams in a project tool does more than keep you organised. Clause 8 requires documented information showing processes were carried out as planned, and a well-kept board delivers that as a by-product — every item carries its owner, its dates, its status, and its closure evidence, with a history you did not have to assemble after the fact. When a Stage 2 auditor asks whether your ISMS is actually run or merely documented, the board is the answer.

What auditors look for

At Stage 2, auditors treat operation as the reality check on your plan. They look for an operational plan that is genuinely on a cycle rather than dormant, a risk treatment workstream that is progressing with owners and dates that mean something, a corrective action log that is alive and closing items with evidence, and a Statement of Applicability that matches what is really running. Empty or abandoned workstreams tell them the opposite.

Where to start

Set up the four buckets in whatever tool you already use, give each a single accountable owner, and load the operational plan with your recurring annual tasks sorted by due date. Route new risk actions into risk treatment, new findings into the corrective action log, and everything else into ISMS tasks. Do that, and Clause 8 stops being the place a certification stalls and becomes the place the ISMS actually runs.
