Operational Planning and Control (OPC)

Operational Planning and Control is an important topic in the ISO 27001 standard. Annex A consists of 114 controls. You will need to adopt, implement and maintain controls.
 

There are 2 ways that you can define and implement controls: 

  1. Take the ISO 27001 Annex A list and define all the controls at the beginning;  
  2. Gradually define controls as you follow the DIY Roadmap and adopt policies/procedures or perform assessments. Check that all Annex A controls are in place at the end. 

Both have their advantages. We believe that for embedding and customizing controls, it’s better that you understand if and why you need them when you’re building your ISMS. But of course, it’s up to you.  

If you’ve bought the ISO 27001 standard, you can use Annex A as a list for your controls.  

In the section ‘Policies & Procedures’ you will find a template ‘Overview Controls ISO 27001 & GDPR’. This is a list of controls (for GDPR and for ISO 27001) that you can use instead of Annex A.

The template will give you suggestions for:

  • Procedure 
  • Evidence 
  • How evidence is embedded in Compleye Online 
  • Frequency 
  • If the implementation is mandatory, voluntary or recommended. 

Below is the description of the control functionalities in Compleye Online.  

A control is an activity that must be performed on a regular basis to reduce a potential risk and whose effectiveness must be evaluated at least on a yearly basis. There are 2 overviews for Controls: 

  1. Schedule View – overview of controls in the order in which they must be performed. Easy to use during security meetings to check which controls are overdue.
  2. List View – complete overview of all controls defined, easy to use to select on a specific owner, type or status.

Don’t forget to add tips/notes – in the procedures/info feature – for yourself and your team members.

Create a Control 

Use the yellow button to create a control.


It will create a new screen: 

  • Left side: OPC Details 
  • Right side: OPC Executions – this side will start working when you have defined and saved the Control Details. 
     

OPC Details 

Every field marked with * is mandatory. Below is the list of fields with additional explanation.

  • OPC Name: Name your control – make it as clear as possible, so you and your team members know what the purpose of this control is. [eg, Check hardware asset list]
  • Owner: Someone from your ISMS team should be the owner.
  • Start month: Assign a month to start with this control. Note: execution will begin based on what you decide, so be sure to start on time, because you don’t want to start with an overdue control. If you’re not sure, schedule it for later in the year. It’s easier to reschedule it to an earlier month.
  • Frequency: Minimum = once a year; maximum = every month. Try to be reasonable about what you can achieve; you can change the frequency at a later stage if needed.
  • OPC Type: This is in case you adopt more frameworks/standards and want to have an overview of controls for 1 particular standard. If this is your first, then choose ISO 27001 - Security. A lot of the ISO 27001 controls will be used for other frameworks too, so we add multiple framework labels on the same control.
  • Procedure/Criteria: Describe how you will perform the control. This could be a short procedure/check with some steps to be performed. If you have a standard procedure for this control, you can also make use of the ‘upload document’ functionality. Please make sure you make reference to the document in this field.
  • Definition of Evidence: Compliance is all about evidence. No evidence means it didn’t happen. It’s also mandatory to define what you’ll consider as evidence. The owner is not always the one that will perform the control, so make sure that the implementer will understand what is being expected.

      Examples that can be used for evidence:

          • Upload a link to another environment where the evidence can be viewed.
          • Notes of a meeting.
          • Copies or emails.
          • etc. Try to be as specific and practical as possible.
  • Documents: For any use, eg, standard procedures; examples of evidence.
  • Remarks: If you’ll make changes over time (eg, change the frequency, evidence or procedure), you can explain why you’ve made changes in this control. If you want to archive this control, use this field to explain why the control is not applicable anymore.
           

Once you’ve added all the information, you’ll need to save the Control first.

And you will return to the Schedule View.

Check if your control is added to the first month you’ve assigned it to.

[In the example below: ID #635]

If you open the control, you’ll see that the right side of the control is now in use. It will automatically generate executions of the control in the frequency that you have assigned to the control.

OPC Executions

You can open the Execution by clicking on

There is a lot going on on this side of the control. We have already embedded more functionalities in this part of our platform than are needed for ISO 27001. For example: Quality requirements and SOC 2 are in this section. We advise you to make use of all of the functionalities. It’s an easy job and you’re already working towards a more professional Quality System.

Below is a description of every field.

OPC Interval: This is pre-set [combination of set frequency and starting month].

Assigned to: Preset [name of Owner].

Status: You can choose different statuses:

  • Open – default state.
  • Ready for Evaluation – if you executed the control and want to discuss/evaluate it with, eg, the ISMS Team during the security meeting.
  • Finalized – you have executed the control, are happy with the result and want to close it. When choosing ‘Finalized’, it will indicate – in red – which fields are mandatory.
  • Skipped – there is a good reason why you didn’t perform this execution and there is no need for evaluation with the ISMS team. Make sure that you have documented the reason for skipping in the remarks.
  • Rescheduled – in case a ‘Start Month’ or frequency is changed.
                     

Executed by: This person can be different from the (assigned) owner.

Execution Proof: Perform the control according to the control details (left side).

Has the effectiveness of the control been verified?: This part is not mandatory for ISO 27001. However, it will be for other standards (eg, ISAE/SOC 2). It’s an easy step to take, so we advise you to implement this from the start and check the effectiveness guidelines by making use of the blue link.
                   

  • Choose Yes if you agree with the Effectiveness Check – Control Questions. Make sure you have added evidence and choose status ‘Finalized’.
  • Choose No if you think it’s time to change the control. In this case you’ll need to add a remark (will pop up automatically) and choose the status ‘Ready for Evaluation’. Make sure it will be on the agenda for your next security meeting. You can add a comment in section Operations – Security Meeting.

Documents / Links: Evidence can be uploaded as a document or added as a link.
                   

TIP: If you just want to add a control and will finalize it later, make sure your Start Month is far in the future. Otherwise Compleye Online will plan executions when you may not be ready.

Add new control

Fields, with a description and an example value for each:

  • Control name: free text field – write what the control is for. [eg, Database restore test]
  • Owner: select from the drop-down list who is responsible for executing/performing the control. [eg, { name }]
  • Start month: select the date when the control will need to be performed for the first time. [eg, { date from now till +3 months }]
  • Frequency: select from the drop-down list the frequency at which the control needs to be performed. Make sure you check the mandatory frequencies for controls that ISO 27001 makes mandatory. [eg, once a year]
  • Control types: select from the drop-down list the type of the control – this is functionality for when you are adopting more than one standard, so you can distinguish controls between standards for your own overview. If ISO 27001 security is the only one at the moment, select ISO 27001 security. [eg, ISO27001 security]
  • Procedure/Criteria: free text field – describe how you will perform the check. [eg, the CTO will perform a database restore test]
  • Definition of evidence: free text field – explain what you are enclosing as evidence of the control being performed – refer to the section above. [eg, we will need screenshots of the performed activities, with visible dates and the person who performed the control.]
  • Documents: + upload – here you upload any supporting template, procedure or document that is relevant to performing the control.
  • Remarks: free text field – leave a note, extra info, or a follow-up.

Execute the control

Fields, with a description and an example value for each:

  • Control Interval: this is pre-set [combination of set frequency and starting month]. [eg, Feb 01, 2022 – Mar 31, 2022]
  • Assigned to: select from the drop-down list who is assigned to execute the control. The Owner can assign the execution to someone else besides himself. [eg, { name }]
  • Status: select from the drop-down list – Open / Ready for Evaluation / Finalized / Skipped. “Open” is set as default; you need to change it manually when the control is executed. Refer to the “how” section of this wiki page for more clarification on status. [eg, Open]
  • Executed by: select from the drop-down list who executed the control. The person assigned can assign someone else – eg, holidays or other reasons. [eg, { name }]
  • Execution proof
  • Has the effectiveness of the control been verified?: This part is not mandatory for ISO 27001 – however, it will be for other standards (eg, ISAE/SOC 2). It is also an easy step to take to keep your ISMS lean – because if you are performing controls that are not efficient, effective, always on time etc., that should change. Read the effectiveness guidelines. Choose Yes if you agree with the Effectiveness Check – Control Questions; make sure you added the evidence and selected status Finalized. Choose No if you think it is time to change something; in this case you will need to add a remark (will pop up automatically) and choose the status Ready for Evaluation.
  • Documents / Links: It is mandatory to upload evidence – if you cannot prove it, it did not happen. [eg, upload the pdf of the database restore test run with the date and result]