Blog ISO Guide – Clause 8: Operation

What is Clause 8 about?

In the context of ISO management systems, Clause 8 refers to the “Operation” of the management system. This clause is a fundamental part of ISO standards, such as ISO 9001 (Quality Management), ISO 14001 (Environmental Management), ISO 45001 (Occupational Health and Safety Management).  The purpose of Clause 8 – Operation is to provide guidelines and requirements for effectively implementing the processes and activities necessary to achieve the organization’s objectives and deliver the products or services in line with its policies and plans. Clause 8 typically covers a range of topics related to the day-to-day operations of an organization and its management system. The specific content varies depending on the type of management system, but some common themes include:

1. Operational Planning: This involves defining processes and resources needed to achieve the organization’s goals. It includes considerations for identifying risks, opportunities, and potential impacts on quality, environment, health and safety, or other relevant aspects.
2. Resource Management: Ensuring that the necessary resources (human, infrastructure, technology, etc.) are available and allocated appropriately to support the operation of the management system and the organization’s overall objectives.
3. Product or Service Provision: This covers the processes involved in creating, producing, or delivering the organization’s products or services while adhering to specified requirements, including quality, environmental, and safety criteria.
4. Control of Processes, Products, and Services: Implementing controls to ensure that processes and products/services meet defined standards and requirements. This may involve inspections, testing, monitoring, and corrective actions.
5. Emergency Preparedness and Response: Establishing plans and procedures to handle potential emergencies or unexpected situations that could impact the organization’s operations, safety, or environment.

In essence, Clause 8 – Operation guides organizations on how to execute their plans, deliver their products/services, and maintain the effectiveness of their management system in line with the defined requirements and policies. It emphasizes the practical implementation of the management system standards, helping organizations to achieve consistent and desirable outcomes while managing risks and opportunities.

Let’s look at the specifics of some of the common standards.

ISO 9001 – Quality Management

Clause 8 in ISO9001 requires you to plan, control and implement process necessary for your products and services to conform with your requirements and those of the standard. It also has the only mandatory procedure, which is clause 8.4 – Control of externally provided processes, products and services. ISO 9001 is an international standard that outlines the requirements for a quality management system (QMS) within an organization. Clauses 8.1 to 8.7 of ISO 9001 pertain to the planning and realization of products and services, which are crucial aspects of maintaining consistent quality throughout an organization’s processes. Here’s a brief explanation of each of these clauses:

• 8.1 Operational Planning and Control: This clause emphasizes the importance of systematically planning and controlling the processes needed to produce products and services that meet customer requirements. It involves defining criteria for processes, ensuring availability of resources, and identifying potential risks and opportunities that could affect the quality of outputs.
• 8.2 Requirements for Products and Services: In this clause, organizations are required to establish and document the criteria for reviewing, verifying, and validating product or service requirements. This ensures that customer needs and expectations are clearly understood and translated into specific characteristics that products or services must possess.
• 8.3 Design and Development of Products and Services: Organizations must follow a structured approach to design and development, including identifying design inputs, conducting reviews, verifying designs, and validating them to ensure they meet the specified requirements before moving into production.
• 8.4 Control of Externally Provided Products and Services: This clause pertains to controlling the quality of products and services that are provided by external suppliers. Organizations are required to assess and select suppliers based on their ability to meet quality standards, establish clear requirements, and monitor supplier performance.
• 8.5 Production and Service Provision: This clause addresses the actual processes of producing and providing services. It covers factors such as controlling production and service provision, ensuring product and service conformity, preventing mix-ups, and preserving the integrity of products during handling and storage.
• 8.6 Release of Products and Services: Before products or services are delivered to customers, organizations must have a process in place to verify that all requirements have been met. This includes inspections, tests, and approvals to ensure the final output is of the desired quality.
• 8.7 Control of Nonconforming Outputs: This clause deals with products and services that do not meet established requirements, referred to as “nonconforming outputs.” Organizations need to have procedures for identifying, segregating, evaluating, and taking appropriate action on such nonconformities to prevent their unintended use or delivery.

These clauses collectively emphasize the significance of meticulous planning, effective control, and continuous monitoring to ensure that products and services consistently meet or exceed customer expectations. Adhering to these clauses helps organizations enhance their quality management systems and ultimately deliver better value to their customers.

Links to other areas of the ISO9001 standard

It’s important to understand how the requirements in Clause 8 relate to other clauses within the standard. Alignment with other clauses is as follows:

• Clause 4: Context of the Organization: The context analysis identifies the external and internal factors that can affect the organization’s operations, helping to determine risks and opportunities.
• Clause 5: Leadership: Leadership’s commitment to quality and their involvement in the operational processes are critical for successful implementation.
• Clause 6: Planning: Quality objectives are established, and operational planning takes place to achieve these objectives.
• Clause 7: Support: Resources, including competent personnel and infrastructure, are provided to support the operational processes.
• Clause 9: Performance Evaluation: Monitoring, measuring, analysing, and evaluating operational performance help to identify areas for improvement.
• Clause 10: Improvement: Actions to improve operational processes are taken based on the results of performance evaluations.

ISO 14001 – Environmental Management

With Clause 8 in ISO 14001, you are required to develop operational planning, emergency response, and environmental monitoring. ISO 14001 is an international standard that focuses on environmental management systems (EMS), helping organizations establish a framework to manage their environmental responsibilities effectively. Clauses 8.1 and 8.2 of ISO14001 are part of the “Operation” phase, which deals with the execution of the environmental management system.

Here’s a brief explanation of each of these clauses:

• 8.1 Operational Planning and Control: This clause highlights the importance of planning and controlling an organization’s operations in a manner that takes into account the potential environmental impacts. It requires organizations to establish and maintain procedures that ensure their operations are carried out in accordance with the environmental objectives and targets set in the earlier phases of the EMS. The aim is to prevent or minimize adverse environmental effects and promote sustainable practices. Key points addressed in this clause include:
  • Identifying Significant Environmental Aspects: Organizations need to identify activities, products, and services that can have a significant impact on the environment.
  • Legal and Other Requirements: Ensuring compliance with relevant environmental laws, regulations, and other requirements is a crucial part of operational planning.
  • Operational Control: Organizations must implement controls to manage and mitigate the identified environmental aspects. This might involve specifying procedures, work instructions, and performance criteria for activities that have potential environmental impacts.
• 8.2 Emergency Preparedness and Response: This clause focuses on preparing for and responding to environmental emergencies. Organizations need to identify potential environmental emergencies, establish procedures to address them, and periodically test and review these procedures to ensure their effectiveness. The aim is to minimize the impact of emergencies on the environment, human health, and safety. Key points addressed in this clause include:
  • Emergency Preparedness: Organizations must develop plans to effectively respond to various types of environmental emergencies, such as spills, leaks, or other incidents that could harm the environment.
  • Response Procedures: Clear procedures and responsibilities must be defined for managing emergencies, including communication, containment, and corrective actions.
  • Training and Drills: Personnel should be trained in emergency response procedures, and regular drills or simulations should be conducted to ensure readiness.
  • Continuous Improvement: Lessons learned from emergency situations should be used to improve emergency response plans and procedures over time.

These clauses collectively guide organizations in aligning their operations with environmental objectives, minimizing negative environmental impacts, and being prepared to handle emergencies that might arise. This approach helps organizations demonstrate their commitment to sustainable practices and responsible environmental management.

Links to other areas of the 14001 standard

As with ISO9001, the areas covered in Clause 8 of ISO14001 mesh with other parts of the standard in the following way:

• Clause 4: Context of the Organization: Understanding the environmental context helps identify the environmental aspects and impacts to be addressed in the operational processes.
• Clause 5: Leadership: Leadership commitment is crucial for the effective implementation of environmental controls and resource allocation.
• Clause 6: Planning: Environmental objectives and targets are set, and operational planning takes place to achieve these objectives.
• Clause 7: Support: Resources, awareness, and competence are provided to support the operational processes.
• Clause 9: Performance Evaluation: Monitoring, measuring, analysing, and evaluating environmental performance helps identify areas for improvement.
• Clause 10: Improvement: Actions to improve environmental performance are taken based on the results of performance evaluations.

ISO 45001 – Occupational Health and Safety

Within Clause 8, ISO 45001 requires you to plan, control hazards and mitigation, manage change and procurement, and prepare emergency responses. ISO 45001 is an international standard that sets the requirements for occupational health and safety management systems (OHSMS). It provides a framework for organizations to manage and improve their occupational health and safety performance. Clauses 8.1 and 8.2 of ISO 45001 are part of the “Operation” section of the standard, focusing on the implementation and control of the OHSMS. Here’s a brief explanation of each of these clauses:

• 8.1 Operational Planning and Control: This clause emphasizes the need for organizations to establish and maintain procedures to effectively plan, implement, and control their operational processes in a manner that addresses health and safety risks and opportunities. The primary goal is to prevent work-related injuries, illnesses, and incidents. Key aspects covered in this clause include:
• Identification of Hazards and Risks: Organizations need to identify potential hazards in their operational processes and assess the associated risks to worker health and safety.
• Determination of Necessary Controls: Based on the hazard and risk assessments, organizations must determine appropriate controls to mitigate or eliminate these hazards and reduce the associated risks.
• Operational Controls: Procedures and measures must be established to ensure that workers are protected from identified hazards during their tasks. This might involve specifying safe work practices, using protective equipment, and implementing engineering controls.
• 8.2 Management of Change: This clause addresses the need for organizations to effectively manage changes that could impact occupational health and safety. Changes can include modifications to processes, equipment, personnel, or the working environment. Key points addressed in this clause include:
  • Identification of Changes: Organizations must have a process to identify and assess changes that could affect health and safety. This ensures that potential risks associated with changes are recognized and addressed.
  • Assessment of Impacts: Before implementing changes, organizations need to evaluate the potential impact on worker health and safety and take appropriate measures to control these impacts.
  • Communication and Training: Workers and relevant stakeholders should be informed about changes and provided with necessary training to safely navigate the new conditions.
  • Monitoring and Review: The effects of changes on health and safety should be monitored and reviewed to ensure that the intended outcomes are achieved and that new risks are promptly addressed.

These clauses guide organizations in effectively managing their operational processes to ensure the health and safety of their workers. By identifying risks, implementing controls, and managing changes carefully, organizations can maintain a safe and healthy work environment and continuously improve their OHSMS performance.

Links to other areas of the 45001 standard

Alignment with other clauses within ISO45001 is as follows:

• Clause 4: Context of the Organization: Understanding the context helps identify the occupational health and safety risks and opportunities in the operational processes.
• Clause 5: Leadership: Leadership commitment is crucial for implementing and maintaining effective operational controls.
• Clause 6: Planning: Objectives and action plans are established to control occupational health and safety risks in the operational processes.
• Clause 7: Support: Resources, training, and awareness are provided to support the operational controls.
• Clause 9: Performance Evaluation: Monitoring, measuring, analysing, and evaluating occupational health and safety performance helps identify areas for improvement.
• Clause 10: Improvement: Actions to improve occupational health and safety performance are taken based on the results of performance evaluations.

ISO/IEC 27001 – Information security, cybersecurity and privacy protection

Clause 8 in ISO 27001 requires the organisation to develop operational planning and control, information security risk assessments and treatments. This clause provides the framework to establish operational planning and control, risk assessment and treatment, business continuity planning and disaster recovery and monitoring, measurement, analysis and evaluation. Here’s a brief explanation of these clauses:

• Clause 8.1 – Operational Planning and Control: This clause focuses on the operational aspects of managing information security within an organization. It emphasizes the need to establish processes and controls that ensure information security requirements are met while carrying out daily operations. Key points covered in this clause include:
• Risk assessment and Treatment: Organizations must continue to assess risks to their information assets and implement appropriate measures to manage and mitigate these risks.
• Selection of Controls: Based on the risk assessment, organizations need to select and implement appropriate security controls from the ISO 27001 Annex A, which provides a comprehensive set of controls addressing various aspects of information security.
• Documentation of Controls: The controls selected for implementation must be documented, along with the procedures and guidelines for their effective use.
• Clause 8.2 – Information Security Risk Assessment: This clause centres on the ongoing process of assessing and managing information security risks. It’s a critical component of the ISMS as it helps organizations proactively identify potential vulnerabilities and threats. Key aspects covered in this clause include:
  • Risk Assessment Process: Organizations need to establish a structured process to identify, assess, and prioritize information security risks.
  • Risk Treatment: Based on the risk assessment results, organizations must decide on appropriate risk treatment strategies, which may involve avoiding, mitigating, transferring, or accepting risks.
  • Review and Iteration: The risk assessment process should be reviewed and updated regularly to account for changes in the organization’s context and the evolving threat landscape.
• Clause 8.3 – Information Security risk treatment: This clause directs the organization to implement the information security risk treatment plans that were defined in clause 6.1.3. Key points covered in this clause include:
• During the operation of the ISMS, whenever the risk assessment is updated, the organization then applies the risk treatment consistent with clause 6.1.3 (information security risk treatment) and updates the risk treatment plan. Then the risk treatment plan is again implemented.
• The information security risk treatment process should be performed after each iteration of the security assessment process in clause 8.2 or when the implementation f the risk treatment plan or parts of it fails.
• These clauses collectively guide organizations in establishing effective information security management systems, which are crucial in protecting sensitive information from unauthorized access, breaches, and other security threats.

Links to other areas of the 27001 standard

As with the other standards, there is a high degree of alignment with other clauses:

• Clause 4: Context of the Organization: Understanding the information security context helps identify the risks and opportunities related to information security in operational processes.
• Clause 5: Leadership: Leadership commitment is essential for implementing and maintaining effective information security controls.
• Clause 6: Planning: Plans are established to protect information assets in operational processes through information security risk assessments and risk treatments. Planning: Information security objectives and how to achieve them.
• Clause 7: Support: Resources, training, and awareness are provided to support the implementation of information security controls.
• Clause 9: Performance Evaluation: Monitoring, measuring, analysing, and evaluating information security performance helps identify areas for improvement.
• Clause 10: Improvement: Actions to improve information security performance are taken based on the results of performance evaluations.

In summary

Clause 8 in each of these ISO management systems deals with operational aspects related to quality, environmental management, occupational health and safety, or information security, depending on the standard.

The alignment with other clauses ensures that the operational processes are well-integrated into the overall management system, thereby contributing to the achievement of organizational objectives and continuous improvement.

For some of the standards discussed (such as ISO27001), clause 8 is not a lengthy one, whereas for others it takes up many pages of the standard document. Consequently, the length of time you will spend on this clause will vary significantly according to the standard you are implementing.

Written by Ken Holmes and Ted Spiller. 

Ken is CertiKit’s Managing Director and Lead Toolkit Creator. Ken is a CISSP-qualified security and data protection specialist who also holds the internationally-recognised Certified Information Privacy Professional – Europe (CIPP/E).

Ted is CertiKit’s Compliance Consultant, and an expert in many ISO management systems; he is a Lead Auditor for ISO27001, ISO9001 and ISO14001 and Auditor for ISO45001 and ISO22301.

How can CertiKit help with your ISO Implementation?