Home / ISO 27001 Clauses / ISO 27001 Clause 6.1.1 Planning General

ISO 27001 Clause 6.1.1 Planning General

ISO 27001 Clause 6.1.1 Planning General Certification Guide

Table of contents

What is ISO 27001 Clause 6.1.1?
How to implement ISO 27001 clause 6.1.1
ISO 27001 Clause 6.1.1 Implementation Checklist
ISO 27001 Clause 6.1.1 Audit Checklist
How to comply with ISO 27001 Clause 6.1.1 Planning
Watch the Video

What is ISO 27001 Clause 6.1.1?

ISO 27001 Clause 6.1.1 comes under ISO 27001 Clause 6 and relates directly to planning. It is a relatively easy clause to satisfy with ISO 27001 templates. To implement ISO 27001 and go for ISO 27001 certification means that you must satisfy this requirement.

What are the ISO 27001:2022 Changes to Clause 6.1.1?

Brace yourself. The massive update was to remove the word ‘and’ from 6.1.1 b.

Requirement

This clause is about planning and you have to demonstrate a couple of things.

You will demonstrate, show and evidence that when you planned your information security management system that you took into account the issues in ISO 27001 Clause 4.1 Understanding the organisation and its context and the requirements that you identified in ISO 27001 Clause 4.2 Understanding the needs and expectations of interested parties.

In addition you are going to work out the risks and opportunities that will address the following points

that your information security management system can achieve its intended outcome(s)
that you can prevent, or reduce, undesired effects
that we can achieve continual improvement

You are going to plan, document and evidence

actions to address these risks and opportunities
how to integrate and implement these actions into your information security management system processes
how to evaluate the effectiveness of these actions

Definition

ISO 27001 defines ISO 27001 clause 6.1.1 as:

When planning for the information security management system, the organisation shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to:

a) ensure the information security management system can achieve its intended outcome(s);

b) prevent, or reduce, undesired effects

c) achieve continual improvement.

The organisation shall plan:

d) actions to address these risks and opportunities; and

e) how to

1) integrate and implement these actions into its information security management system processes; and

2) evaluate the effectiveness of these actions.
ISO 27001:2022 Clause 6.1.1 Planning General

How to implement ISO 27001 clause 6.1.1

There are a number of ways to meet the requirements of the ISO 27001 clause when going for ISO 27001 certification but an effective fast track is the use of ISO 27001 templates. The following ISO 27001 templates documents will meet the demands of ISO 27001 clause 6.1.1.

Implement Risk Management Policy

You will implement a Risk Management Policy that sets out your approach to risk management.

ISO 27001 Risk Management Policy Template

Implement Risk Process

You will implement your Risk Management Process that sets out how you manage risk.

ISO 27001 Risk Management Procedure Template

Implement Risk Register

You will implement the Risk Register to capture, manages and reports risks. These are reported to and overseen by the Management Review Team.

ISO 27001 Risk Register Template

Implement Continual Improvement Policy

Risk Management is part of the continual improvement and you will implement your Continual Improvement Policy

ISO 27001 Continual Improvement Policy-Black

ISO 27001 Clause 6.1.1 Implementation Checklist

Planning General ISO 27001 Clause 6.1.1 Implementation Checklist:

1. Identify Information Security Risks

Determine potential threats and vulnerabilities that could impact the confidentiality, integrity, and availability of information.

Challenge: Difficulty in comprehensively identifying all potential risks, especially emerging ones. Lack of expertise in risk assessment methodologies.

Solution: Utilise a structured risk assessment methodology (e.g., ISO 31000), involve diverse interested parties (IT, legal, business units), and conduct regular threat intelligence reviews. Consider using automated risk assessment tools.

2. Identify Information Security Opportunities

Explore potential improvements to the ISMS, such as new technologies, process enhancements, or training programs.

Challenge: Overlooking opportunities due to a focus on risks. Difficulty in quantifying the benefits of opportunities.

Solution: Actively seek opportunities through brainstorming sessions, industry research, and feedback from employees and customers. Develop clear criteria for evaluating the potential value of opportunities.

3. Analyse Risks

Evaluate the likelihood and impact of identified risks to prioritise them.

Challenge: Subjectivity in risk assessment. Lack of reliable data for estimating likelihood and impact.

Solution: Use a consistent risk assessment scale and criteria. Gather historical data and expert opinions to support estimations. Document the rationale behind risk ratings.

4. Analyse Opportunities

Assess the potential benefits and feasibility of identified opportunities.

Challenge: Difficulty in comparing opportunities with different types of benefits (e.g., cost savings vs. improved security).

Solution: Develop a framework for evaluating opportunities based on factors like cost, effort, impact on security, and alignment with business objectives.

5. Determine Risk Treatment Options

Select appropriate actions to mitigate or manage risks, such as avoidance, transfer, mitigation, or acceptance.

Challenge: Choosing the most cost-effective and appropriate treatment option. Difficulty in implementing complex mitigation measures.

Solution: Conduct a cost-benefit analysis for each treatment option. Prioritise treatments based on risk level and feasibility. Develop detailed implementation plans for chosen treatments.

6. Determine Opportunity Implementation Plans

Define how identified opportunities will be realised, including resources, timelines, and responsibilities.

Challenge: Difficulty in securing resources for implementing opportunities. Lack of clear ownership and accountability.

Solution: Develop a project plan for each opportunity, including clear objectives, tasks, timelines, and resource allocation. Assign responsibilities and establish clear communication channels.

7. Establish Objectives for Risk Treatment and Opportunity Implementation

Define specific, measurable, achievable, relevant, and time-bound (SMART) objectives for risk reduction and opportunity realisation.

Challenge: Setting unrealistic or unmeasurable objectives. Difficulty in tracking progress towards objectives.

Solution: Involve interested parties in setting objectives. Define clear metrics for measuring progress. Regularly monitor and report on progress.

8. Develop a Risk Treatment Plan

Document the chosen risk treatment options, implementation details, responsible parties, and timelines.

Challenge: Difficulty in maintaining and updating the risk treatment plan. Lack of integration with other ISMS processes.

Solution: Use a centralised risk register or management system to document and track risk treatments. Regularly review and update the plan as needed. Integrate the plan with other ISMS processes, such as incident management and change management.

9. Develop an Opportunity Implementation Plan

Document the chosen opportunities, implementation details, responsible parties, and timelines.

Challenge: Similar to risk treatment plans, keeping the opportunity implementation plan up-to-date and integrated can be challenging.

Solution: Mirror the solutions for risk treatment plans: use centralised systems, regular reviews, and integration with other ISMS processes.

10. Communicate

Communicate risk and opportunity information to relevant interested parties and seek their input.

Challenge: Difficulty in communicating complex technical information to non-technical audiences. Lack of interested parties engagement.

Solution: Tailor communication to the audience. Use visual aids and plain language. Actively solicit feedback and involve interested parties in decision-making. Establish regular communication channels.

ISO 27001 Clause 6.1.1 Audit Checklist

How to audit ISO 27001 Clause 6.1.1 Planning General:

1. Review the Risk Assessment Methodology

Verify the existence and appropriateness of a documented risk assessment methodology.

Document review (policies, procedures)
interviews with risk management personnel
comparison against ISO 31000 principles
observation of a risk assessment in progress

2. Examine Risk Registers and Documentation

Inspect the risk register for completeness, accuracy, and evidence of risk analysis (likelihood and impact).

Document review (risk register, risk assessment reports)
data analysis (trends in risk levels)
sampling of risk entries for detailed review
interviews with risk owners

3. Evaluate the Identification of Opportunities

Confirm the process for identifying opportunities for ISMS improvement.

Interviews with management and staff
analysis of improvement logs and project proposals
review of strategic planning documents

4. Assess the Risk Treatment Process

Verify the defined process for selecting and implementing risk treatment options.

Document review (policies, procedures)
interviews with risk management personnel
review of risk treatment decisions and their rationale
walkthrough of a risk treatment selection process

5. Evaluate Opportunity Implementation Plans

Review plans for implementing identified opportunities.

Document review (project plans, implementation schedules)
interviews with project managers
review of resource allocation documentation
observation of opportunity implementation activities

6. Verify the Establishment of Objectives

Confirm the existence of SMART objectives for risk treatment and opportunity implementation.

Document review (ISMS objectives, risk treatment plans)
interviews with management
analysis of performance metrics and reports
review of strategic plans

7. Examine Risk Treatment and Opportunity Implementation Plans

Inspect documented plans for details on chosen options, implementation steps, responsibilities, and timelines.

Document review (risk treatment plans, project plans)
walkthrough of an implementation plan
interviews with responsible parties
review of change management records

8. Review Evidence of Implementation

Gather evidence of implemented risk treatments and opportunity implementation plans.

Document review (policies, procedures, training records, system configurations, test results)
observation of processes
interviews with staff
penetration testing (for technical controls)

9. Evaluate Communication and Consultation

Check processes for communicating risk and opportunity information to stakeholders.

Interviews with stakeholders
review of communication logs and meeting minutes
analysis of communication effectiveness surveys
review of stakeholder feedback mechanisms

10. Assess the Effectiveness of Actions

Evaluate the effectiveness of implemented actions in achieving objectives.

Analysis of performance data (e.g., incident rates, vulnerability scan results)
review of management review outputs
interviews with management and staff
benchmarking against industry best practices

How to comply with ISO 27001 Clause 6.1.1 Planning

Time needed: 1 day

How to comply with ISO 27001 Clause 6.1.1 Planning

Build your information security management system (ISMS)
Using the ISO 27001 Toolkit to fast track your implementation, build your information security management system following the step by step guides and videos.
Implement your risk management policy
Implement the risk management policy that sets out what you do for risk management and what your risk appetite is.
Implement your risk management process
Implement your risk management process that shows how you manage risk, how you identify risk, how you asses risk, how you accept risk and the different levels of risk acceptance.
Manage your risk via a risk register
Implement a risk register that allows you to fully manage, record and report on risk including residual risk.
Effectively and regularly report to the Management Review Team
Ensure that you report to the Management Review at least once a quarter and follow the structured management team meeting agenda as dictated by the ISO 27001 standard.

Watch the Video

For a complete visual guide to this process, check out our video tutorial: How to implement ISO 27001 Clause 6.1.1

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.

Necessary

Necessary

Always Enabled

Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
wp_woocommerce_session_*	2 days	WooCommerce sets this cookie to make a unique code for each customer so that it knows where to find the cart data in the database for each one.
yith_wcmcs_currency	7 days	Required for currency conversion.
__stripe_mid	1 year	Stripe sets this cookie to process payments.
__stripe_sid	1 hour	Stripe sets this cookie to process payments.

Functional

Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.

Cookie	Duration	Description
yt-player-headers-readable	never	The yt-player-headers-readable cookie is used by YouTube to store user preferences related to video playback and interface, enhancing the user's viewing experience.
yt-remote-cast-available	session	The yt-remote-cast-available cookie is used to store the user's preferences regarding whether casting is available on their YouTube video player.
yt-remote-cast-installed	session	The yt-remote-cast-installed cookie is used to store the user's video player preferences using embedded YouTube video.
yt-remote-connected-devices	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-device-id	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-fast-check-period	session	The yt-remote-fast-check-period cookie is used by YouTube to store the user's video player preferences for embedded YouTube videos.
yt-remote-session-app	session	The yt-remote-session-app cookie is used by YouTube to store user preferences and information about the interface of the embedded YouTube video player.
yt-remote-session-name	session	The yt-remote-session-name cookie is used by YouTube to store the user's video player preferences using embedded YouTube video.
ytidb::LAST_RESULT_ENTRY_KEY	never	The cookie ytidb::LAST_RESULT_ENTRY_KEY is used by YouTube to store the last search result entry that was clicked by the user. This information is used to improve the user experience by providing more relevant search results in the future.

Performance

Analytics

Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.

Cookie	Duration	Description
sbjs_current	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_current_add	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_first	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_first_add	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_migrations	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_session	1 hour	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_udata	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.

Advertisement

Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.

Cookie	Duration	Description
PREF	8 months	PREF cookie is set by Youtube to store user preferences like language, format of search results and other customizations for YouTube Videos embedded in different sites.
VISITOR_INFO1_LIVE	6 months	YouTube sets this cookie to measure bandwidth, determining whether the user gets the new or old player interface.
VISITOR_PRIVACY_METADATA	6 months	YouTube sets this cookie to store the user's cookie consent state for the current domain.
YSC	session	Youtube sets this cookie to track the views of embedded videos on Youtube pages.
yt.innertube::nextId	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.

Others

Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.

Cookie	Duration	Description
m	1 year 1 month 4 days	No description available.
_monsterinsights_uj	1 year	Description is currently not available.