# Clause 8: Operation
Clause 8 puts into words the requirement to plan and implement an ISMS, referencing the actions determined in Clause 6. It is the execution of the Information Security Objectives, with established criteria for the subsequent processes and the required documentation available to give confidence that processes are carried out as planned (8.1).
Planned changes must also be controlled, and 'unintended changes' reviewed - with mitigation of adverse effects as necessary. Externally provided processes, products or services relevant to the ISMS are also to be controlled (8.1).
> ⛵️ The use of 'unintended changes' is a simple recognition of human behaviour within complex systems. Good system design must account for unintended changes with a sensor to inform review that promotes conformity; otherwise the system will degrade.
Here's my visualisation of the circular process by which Clause 6 informs Clause 8, and what the byproducts may be:
![[Clause6-Clause8-flowchart.svg]]
### Information Security Risk Assessment (8.2)
> Plan RAs > Carry out RAs > Document them
It’s important to carry out and document risk assessments at planned intervals or when significant changes are proposed to occur. This needs to be done in accordance with the existing criteria that were established in Risk Assessments 6.2a (8.2). The results of Information Security risk assessments must also be documented.
### Information Security Risk Treatment (8.3)
> Implement the risk treatment plan > Document the results
The organisation needs to implement the Information Security Risk Treatment plan we determined in section 6.1.3, and the results need to be documented.