Operational Planning and Control (OPC)
Operational Planning and Controls are an important topic in the ISO 27001 standard . Annex A consists of 11 4 controls . You will need to adopt, implement and maintain controls.
There are 2 ways that you can define and implement controls:
- Take the ISO 27001 Annex A list and define all the controls at the beginning;
- Gradually define controls as you follow the DIY Roadmap and adopt policies/procedures or perform assessments. Check that all Annex A controls are in place at the end.
Both have their advantages. We believe that for embedding and customizing controls, it’s better that you understand if and why you need them when you’re building your ISMS. But of course, it’s up to you.
If you’ve bought the ISO 27001 standard, you can use Annex A as a list for your controls.
In the section ‘Policies & Procedures’ you will find a template ‘Overview Controls ISO 27001 & GDPR’. This is a list of controls (for GDPR and for ISO 27001) that you can use instead of Annex A.
The template will give you suggestions for:
- Procedure
- Evidence
- How evidence is embedded in Compleye Online
- Frequency
- If the implementation is mandatory, voluntary or recommended.
Below is the description of the control functionalities in Compleye Online.
A control is an activity that must be performed on a regular basis to reduce a potential risk and whose effectiveness must be evaluated at least on a yearly basis. There are 2 overviews for Controls:
- Schedule View – overview of controls in the order in which they must be performed. Easy to use during security meetings to check which controls are overdue.
- List View – complete overview of all controls defined, easy to use to select on specific owner, type or status.
Don’t forget to add tips/notes – in procedures/info feature – for yourself and your team members.
Create a Control
Use the yellow button to create a control.
It will create a new screen:
- Left side: OPC Details
- Right side: OPC Executions – this side will start working when you have defined and saved the Control Details.
OPC Details
Every field marked with * is a mandatory field to be filled in the list of fields with additional explanation.
- OPC Name: Name your control – make it as clear as possible, so you and your team members know what the purpose of this control is. [eg, Check hardware asset list]
- Owner: Someone from your ISMS team should be the owner.
- Start month: Assign a month to start with this control. Note: execution will begin based on what you decide, so be sure to start on time, because you don’t want to start with an overdue control. If you’re not sure, schedule it for later in the year. It’s easier to reschedule it to an earlier month.
- Frequency: Minimum = once a year; maximum = every month. Try to be reasonable about what you can achieve; you can change the frequency at a later stage if needed.
- OPC Type: This is in case you adopt more frameworks/standards and want to have an overview of controls for 1 particular standard. If this is your first, then choose ISO 27001- Security. A lot of the ISO 27001 controls will be used for other frameworks too, so we add multiple framework labels on the same control.
- Procedure/Criteria: Describe how you will perform the control . This could be a short procedure/check with some steps to be performed. If you have a standard procedure for this control, you can also make use of the ‘upload document’ functionality. Please make sure you make reference to the document in this field.
- Definition of Evidence: Compliance is all about evidence. No evidence means it didn’t happen. It’s also mandatory to define what you’ll consider as evidence. The owner is not always the one that will perform the control, so make sure that the implementer will understand what is being expected.
Examples that can be used for evidence:
- Upload a link to another environment where the evidence can be viewed.
- Notes of a meeting.
- Copies or emails.
- etc. Try to be as specific and practical as possible.
- Documents: For any use eg, standard procedures; examples of evidence.
- Remarks: If you’ll make changes over time (eg, change the frequency, evidence or procedure), you can explain why you’ve made changes in this control. If you want to archive this control, use this field to explain why the control is not applicable anymore.
Once you’ve added all the information, you’ll need to save the Control first.
And you will return to the Schedule View.
Check if your control is added to the first month you’ve assigned it to.
[In the example below: ID #635]
If you open the control, you ‘ll see that the right side of the control is now in use. It will automatically generate executions of the control in the frequency that you have assigned to the control.
OPC Executions
You can open the Execution by clicking on
There is a lot going on, on this side of the control. We have already embedded more functionalities in this part of our platform than are needed for ISO 27001 . For eg : Quality requirements and SOC-2 are in this section. We advise you to make use of all of the functionalities . It’s an easy job and you’re already working towards a more professional Quality System. 
Below, a description of every field.
OPC Interval This is pre-set [combination of set frequency and starting months].
Assigned to Preset [name Owner ].
Status You can choose different statuses:
- Open – default state
- Ready for Evaluation –if you executed the control and want to discuss/evaluate with eg, the ISMS Team during the security meeting.
- Finalized – you have executed the control and are happy with the result and want to close it. When choosing ‘Finalised’, it will indicate – in red – which fields are mandatory.
- Skipped – there is a good reason why you didn’t perform this execution and there is no need for evaluation with the ISMS team. Make sure that you have documented the reason for skipping in the remarks.
- Rescheduled – in case a ‘Start Month’ or frequency is changed.
Executed by This person can be different to the (assigned) owner.
Execution Proof Perform the control according to the control details (left side).
Has the effectiveness of the control been verified? This part is not mandatory for ISO 27001. However, it will be for other standards (eg, ISAE/SOC 2). It ’s an easy step to take , so we advise you to implement this from the start and check the effectiveness guidelines, by making use of the blue link.
- Choose Yes if you agree with the Effectiveness Check – Control Questions. Make sure you have added evidence and choose status ‘ Finalised’ .
- Choose No if you think it’s time to change the control . In this case you’ll need to add a remark (will pop-up automatically) and choose the status Ready for Evaluation . Make sure it will be on the agenda for your next security meeting. You can add a comment in section Operations – Security Meeting.
Documents / Links
Evidence can be uploaded via a document or add a link.
TIP : If you just want to add a control and will finalize it later, make sure your Start Month is far in the future . O therwise Compleye Online will plan executions when you may not be ready.
Add new control
| FieldName | Description | Example |
| Control name | free text field – write what is the control for | Database restore test |
| Owner | select from drop down list who is responsible for executing / performing the control | { name } |
| Start month | select the date when control will need to be performed for the first time | { date from now till +3 months } |
| frequency | select from the drop down list frequency at which control needs to be performed. Make sure you check mandatory frequencies for mandatory controls by ISO 27001 | once a year |
| control types | Select from the drop down list type of the control – this is functionality for when you are adopting more than one standard, so you can distinguish controls between standards for your own overview. If security ISO 27001 is the only one at the moment, select ISO 27001 security | ISO27001 security |
| Procedure/Criteria | free text field – Describe how you will perform the check. | the CTO will perform a database restore test |
| Definition of evidence | free text field – explain what are you enclosing as the evidence of control being performed – refer to section above | we will need screenshots of the performed activities, with visible dates and person who performed the control. |
| documents | + upload – here you upload any supporting templating, procedure, document that is relevant to performing the control | |
| Remarks | free text field – leave a note, extra info, or a follow up |
Execute the control
| FieldName | Description | Example |
| Control Interval | That is pre-set [combination of set frequency and starting months] | Feb 01, 2022 – Mar 31, 2022 |
| Assigned to | select from drop down list who is assigned to execute the control. The Owner can assign the execution to someone else besides himself | { name } |
| Status | select from drop down list – open/ ready for evaluation/ finalized/ skipped. “Open” is set as default, you need to change it manually when the control is executed. Refer to “how” section of this wiki page for more clarification on status | Open |
| Executed by | select from drop down list who executed the control. The person assigned can assign someone else – eg holidays or other reasons | { name } |
| Execution proof | ||
| Has the effectiveness of the control been verified? | This part is not mandatory for ISO27001 – however will be for other Standards (eg ISAE/SOC 2). However it is an easy step to take to keep your ISMS lean – because if you are performing controls that are not efficient, effective, always on time etc. we should change that. Read the effectiveness guidelines. Choose Yes if you agree with the Effectiveness Check – Control Questions. Make sure you added the evidence and selected status Finalized . Choose No is you think it is time to change something. In this case you will need to add a remark (will pop-up automatically) and choose the status Ready for Evaluation . | |
| Documents / Links | It is mandatory to upload evidence – If you cannot prove it, it did not happen. | upload the pdf of database restore test run with the date and result |
