The organisation is now in the implementation stage. The purpose of this section is to plan, implement and control processes needed to meet requirements. Your organisation must implement the actions determined in clause 6 by establishing criteria for the processes and implementing control of the processes in accordance with the criteria.
The organisation must keep documented evidence in the form of records to have confidence that the process was implemented according to the plans to satisfy the ISMS objectives.
The organisation must monitor planned changes in the ISMS as well as understanding the impact of unplanned changes so that their adverse effects can be contained if necessary. While implementing the plans within the organisation, the organisation must ensure that externally provided
processes, products or services that are relevant to the information security management system are controlled.