Introduction
In this article we lay bare ISO 27001 Clause 6.1.1 Planning General.
Using over two decades of experience on hundreds of ISO 27001 audits and ISO 27001 certifications, I am going to show you what’s new, give you templates, show you examples and do a walkthrough.
In this ISO 27001 certification guide I show you exactly what changed in the ISO 27001:2022 update.
I am Stuart Barker, the ISO 27001 Ninja, and this is ISO 27001:2022 Clause 6.1.1.
Table of contents
- Introduction
- What is ISO 27001:2022 Clause 6.1.1 Planning General?
- What are the ISO 27001:2022 Changes to Clause 6.1.1?
- What is the requirement of ISO 27001 Clause 6.1.1?
- ISO 27001 Clause 6.1.1 Definition
- ISO 27001 Clause 6.1.1 Implementation Guide
- How to comply with ISO 27001:2022 Clause 6.1.1 Planning
- Reference
What is ISO 27001:2022 Clause 6.1.1 Planning General?
ISO 27001 Clause 6.1.1 comes under ISO 27001 Clause 6 and relates directly to planning. It is a relatively easy clause to satisfy with ISO 27001 templates. If you implement ISO 27001 and go for ISO 27001 certification, you must satisfy this requirement.
What are the ISO 27001:2022 Changes to Clause 6.1.1?
Brace yourself. The massive update was to remove the word ‘and’ from 6.1.1 b.
What is the requirement of ISO 27001 Clause 6.1.1?
This clause is about planning and you have to demonstrate a couple of things.
You will demonstrate, show and evidence that when you planned your information security management system you took into account the issues in ISO 27001 Clause 4.1 Understanding the organisation and its context and the requirements that you identified in ISO 27001 Clause 4.2 Understanding the needs and expectations of interested parties.
In addition, you are going to work out the risks and opportunities that need to be addressed to ensure the following:
- that your information security management system can achieve its intended outcome(s)
- that you can prevent, or reduce, undesired effects
- that you can achieve continual improvement
You are going to plan, document and evidence:
- actions to address these risks and opportunities
- how to integrate and implement these actions into your information security management system processes
- how to evaluate the effectiveness of these actions
ISO 27001 Clause 6.1.1 Definition
The ISO 27001 Standard defines clause 6.1.1 as:
When planning for the information security management system, the organisation shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to:
a) ensure the information security management system can achieve its intended outcome(s);
b) prevent, or reduce, undesired effects;
c) achieve continual improvement.
The organisation shall plan:
d) actions to address these risks and opportunities; and
e) how to
1) integrate and implement these actions into its information security management system processes; and
2) evaluate the effectiveness of these actions.
ISO 27001 Clause 6.1.1 Implementation Guide
There are a number of ways to meet the requirements of the ISO 27001 clause when going for ISO 27001 certification, but an effective fast track is the use of ISO 27001 templates. The following ISO 27001 template documents will meet the demands of ISO 27001 clause 6.1.1.
- Document: Risk Management Policy describes the risk management process.
- Document: ISMS Risk Register captures, manages and reports risks. These are reported to and overseen by the Management Review Team.
- Risk Management is part of the continual improvement policy and process, document: IS 15 Continual Improvement Policy
- Continual improvement is managed, tracked and reported using document: Incident and Corrective Action Log
How to comply with ISO 27001:2022 Clause 6.1.1 Planning
Time needed: 1 day.
- Build your information security management system (ISMS)
Using the ISO 27001 Toolkit to fast track your implementation, build your information security management system following the step-by-step guides and videos.
- Implement your risk management policy
Implement the risk management policy that sets out what you do for risk management and what your risk appetite is.
- Implement your risk management process
Implement your risk management process that shows how you manage risk, how you identify risk, how you assess risk, how you accept risk and the different levels of risk acceptance.
- Manage your risk via a risk register
Implement a risk register that allows you to fully manage, record and report on risk including residual risk.
- Effectively and regularly report to the Management Review Team
Ensure that you report to the Management Review at least once a quarter and follow the structured management team meeting agenda as dictated by the ISO 27001 standard.