What is ISO 27001 Clause 6.1.1?
ISO 27001 Clause 6.1.1 comes under ISO 27001 Clause 6 and relates directly to planning. It is a relatively easy clause to satisfy with ISO 27001 templates. Implementing ISO 27001 and going for ISO 27001 certification means you must satisfy this requirement.
What are the ISO 27001:2022 Changes to Clause 6.1.1?
Brace yourself. The massive update was to remove the word ‘and’ from 6.1.1 b.
Requirement
This clause is about planning and you have to demonstrate a couple of things.
You will demonstrate, show and evidence that when you planned your information security management system you took into account the issues in ISO 27001 Clause 4.1 Understanding the organisation and its context and the requirements you identified in ISO 27001 Clause 4.2 Understanding the needs and expectations of interested parties.
In addition you are going to work out the risks and opportunities that need to be addressed so that:
- your information security management system can achieve its intended outcome(s)
- you can prevent, or reduce, undesired effects
- you can achieve continual improvement
You are going to plan, document and evidence:
- actions to address these risks and opportunities
- how to integrate and implement these actions into your information security management system processes
- how to evaluate the effectiveness of these actions
Definition
ISO 27001 defines ISO 27001 clause 6.1.1 as:
When planning for the information security management system, the organisation shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to:
a) ensure the information security management system can achieve its intended outcome(s);
b) prevent, or reduce, undesired effects;
c) achieve continual improvement.
The organisation shall plan:
d) actions to address these risks and opportunities; and
e) how to
1) integrate and implement these actions into its information security management system processes; and
2) evaluate the effectiveness of these actions.
ISO 27001:2022 Clause 6.1.1 Planning General
How to implement ISO 27001 clause 6.1.1
There are a number of ways to meet the requirements of this ISO 27001 clause when going for ISO 27001 certification, but an effective fast track is the use of ISO 27001 templates. The following ISO 27001 template documents will meet the demands of ISO 27001 clause 6.1.1.
Implement Risk Management Policy
You will implement a Risk Management Policy that sets out your approach to risk management.
Implement Risk Process
You will implement your Risk Management Process that sets out how you manage risk.
Implement Risk Register
You will implement the Risk Register to capture, manage and report risks. These are reported to and overseen by the Management Review Team.
Implement Continual Improvement Policy
Risk Management is part of continual improvement, and you will implement your Continual Improvement Policy.
ISO 27001 Clause 6.1.1 Implementation Checklist
Planning General ISO 27001 Clause 6.1.1 Implementation Checklist:
1. Identify Information Security Risks
Determine potential threats and vulnerabilities that could impact the confidentiality, integrity, and availability of information.
Challenge: Difficulty in comprehensively identifying all potential risks, especially emerging ones. Lack of expertise in risk assessment methodologies.
Solution: Utilise a structured risk assessment methodology (e.g., ISO 31000), involve diverse interested parties (IT, legal, business units), and conduct regular threat intelligence reviews. Consider using automated risk assessment tools.
2. Identify Information Security Opportunities
Explore potential improvements to the ISMS, such as new technologies, process enhancements, or training programs.
Challenge: Overlooking opportunities due to a focus on risks. Difficulty in quantifying the benefits of opportunities.
Solution: Actively seek opportunities through brainstorming sessions, industry research, and feedback from employees and customers. Develop clear criteria for evaluating the potential value of opportunities.
3. Analyse Risks
Evaluate the likelihood and impact of identified risks to prioritise them.
Challenge: Subjectivity in risk assessment. Lack of reliable data for estimating likelihood and impact.
Solution: Use a consistent risk assessment scale and criteria. Gather historical data and expert opinions to support estimations. Document the rationale behind risk ratings.
4. Analyse Opportunities
Assess the potential benefits and feasibility of identified opportunities.
Challenge: Difficulty in comparing opportunities with different types of benefits (e.g., cost savings vs. improved security).
Solution: Develop a framework for evaluating opportunities based on factors like cost, effort, impact on security, and alignment with business objectives.
5. Determine Risk Treatment Options
Select appropriate actions to mitigate or manage risks, such as avoidance, transfer, mitigation, or acceptance.
Challenge: Choosing the most cost-effective and appropriate treatment option. Difficulty in implementing complex mitigation measures.
Solution: Conduct a cost-benefit analysis for each treatment option. Prioritise treatments based on risk level and feasibility. Develop detailed implementation plans for chosen treatments.
6. Determine Opportunity Implementation Plans
Define how identified opportunities will be realised, including resources, timelines, and responsibilities.
Challenge: Difficulty in securing resources for implementing opportunities. Lack of clear ownership and accountability.
Solution: Develop a project plan for each opportunity, including clear objectives, tasks, timelines, and resource allocation. Assign responsibilities and establish clear communication channels.
7. Establish Objectives for Risk Treatment and Opportunity Implementation
Define specific, measurable, achievable, relevant, and time-bound (SMART) objectives for risk reduction and opportunity realisation.
Challenge: Setting unrealistic or unmeasurable objectives. Difficulty in tracking progress towards objectives.
Solution: Involve interested parties in setting objectives. Define clear metrics for measuring progress. Regularly monitor and report on progress.
8. Develop a Risk Treatment Plan
Document the chosen risk treatment options, implementation details, responsible parties, and timelines.
Challenge: Difficulty in maintaining and updating the risk treatment plan. Lack of integration with other ISMS processes.
Solution: Use a centralised risk register or management system to document and track risk treatments. Regularly review and update the plan as needed. Integrate the plan with other ISMS processes, such as incident management and change management.
9. Develop an Opportunity Implementation Plan
Document the chosen opportunities, implementation details, responsible parties, and timelines.
Challenge: Similar to risk treatment plans, keeping the opportunity implementation plan up-to-date and integrated can be challenging.
Solution: Mirror the solutions for risk treatment plans: use centralised systems, regular reviews, and integration with other ISMS processes.
10. Communicate
Communicate risk and opportunity information to relevant interested parties and seek their input.
Challenge: Difficulty in communicating complex technical information to non-technical audiences. Lack of interested-party engagement.
Solution: Tailor communication to the audience. Use visual aids and plain language. Actively solicit feedback and involve interested parties in decision-making. Establish regular communication channels.
ISO 27001 Clause 6.1.1 Audit Checklist
How to audit ISO 27001 Clause 6.1.1 Planning General:
1. Review the Risk Assessment Methodology
Verify the existence and appropriateness of a documented risk assessment methodology.
- Document review (policies, procedures)
- interviews with risk management personnel
- comparison against ISO 31000 principles
- observation of a risk assessment in progress
2. Examine Risk Registers and Documentation
Inspect the risk register for completeness, accuracy, and evidence of risk analysis (likelihood and impact).
- Document review (risk register, risk assessment reports)
- data analysis (trends in risk levels)
- sampling of risk entries for detailed review
- interviews with risk owners
3. Evaluate the Identification of Opportunities
Confirm the process for identifying opportunities for ISMS improvement.
- Interviews with management and staff
- analysis of improvement logs and project proposals
- review of strategic planning documents
4. Assess the Risk Treatment Process
Verify the defined process for selecting and implementing risk treatment options.
- Document review (policies, procedures)
- interviews with risk management personnel
- review of risk treatment decisions and their rationale
- walkthrough of a risk treatment selection process
5. Evaluate Opportunity Implementation Plans
Review plans for implementing identified opportunities.
- Document review (project plans, implementation schedules)
- interviews with project managers
- review of resource allocation documentation
- observation of opportunity implementation activities
6. Verify the Establishment of Objectives
Confirm the existence of SMART objectives for risk treatment and opportunity implementation.
- Document review (ISMS objectives, risk treatment plans)
- interviews with management
- analysis of performance metrics and reports
- review of strategic plans
7. Examine Risk Treatment and Opportunity Implementation Plans
Inspect documented plans for details on chosen options, implementation steps, responsibilities, and timelines.
- Document review (risk treatment plans, project plans)
- walkthrough of an implementation plan
- interviews with responsible parties
- review of change management records
8. Review Evidence of Implementation
Gather evidence of implemented risk treatments and opportunity implementation plans.
- Document review (policies, procedures, training records, system configurations, test results)
- observation of processes
- interviews with staff
- penetration testing (for technical controls)
9. Evaluate Communication and Consultation
Check processes for communicating risk and opportunity information to stakeholders.
- Interviews with stakeholders
- review of communication logs and meeting minutes
- analysis of communication effectiveness surveys
- review of stakeholder feedback mechanisms
10. Assess the Effectiveness of Actions
Evaluate the effectiveness of implemented actions in achieving objectives.
- Analysis of performance data (e.g., incident rates, vulnerability scan results)
- review of management review outputs
- interviews with management and staff
- benchmarking against industry best practices
How to comply with ISO 27001 Clause 6.1.1 Planning
Time needed: 1 day
- Build your information security management system (ISMS)
Using the ISO 27001 Toolkit to fast track your implementation, build your information security management system following the step-by-step guides and videos.
- Implement your risk management policy
Implement the risk management policy that sets out what you do for risk management and what your risk appetite is.
- Implement your risk management process
Implement your risk management process that shows how you manage risk: how you identify risk, how you assess risk, how you accept risk and the different levels of risk acceptance.
- Manage your risk via a risk register
Implement a risk register that allows you to fully manage, record and report on risk including residual risk.
- Effectively and regularly report to the Management Review Team
Ensure that you report to the Management Review Team at least once a quarter and follow the structured management review meeting agenda as dictated by the ISO 27001 standard.
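As an added worked example (not code from this page or from the ISO 27001 Toolkit), the following Python shows the mechanics behind the risk register steps above and the Analyse Risks / Determine Risk Treatment Options items of the implementation checklist: likelihood x impact scoring, refusing to simply accept a risk above appetite (6.1.1 d), tracking residual risk, and judging whether a treatment is effective (6.1.1 e.2) before the register goes to the Management Review Team. The 1-5 scales, the appetite threshold of 8, the treatment names and every register entry are assumptions constructed for illustration, not values from the standard.

```python
from dataclasses import dataclass
from typing import Optional

RISK_APPETITE = 8  # assumed: 1-5 L and I scales, score = L x I; <= 8 may be accepted
TREATMENTS = {"accept", "mitigate", "transfer", "avoid"}
@dataclass
class Risk:
    ref: str
    owner: str
    likelihood: int
    impact: int
    treatment: str = "accept"
    residual_likelihood: Optional[int] = None  # expected after treatment
    residual_impact: Optional[int] = None
    def inherent_score(self) -> int:
        return self.likelihood * self.impact
    def residual_score(self) -> int:
        lk = self.likelihood if self.residual_likelihood is None else self.residual_likelihood
        im = self.impact if self.residual_impact is None else self.residual_impact
        return lk * im

def validate(r: Risk) -> None:
    """Reject off-scale scores, unknown treatments and accepted risks above appetite (6.1.1 d)."""
    for v in (r.likelihood, r.impact, r.residual_likelihood, r.residual_impact):
        if v is not None and not 1 <= v <= 5:
            raise ValueError(f"{r.ref}: scores must be on the 1-5 scale")
    if r.treatment not in TREATMENTS:
        raise ValueError(f"{r.ref}: unknown treatment '{r.treatment}'")
    if r.inherent_score() > RISK_APPETITE and r.treatment == "accept":
        raise ValueError(f"{r.ref}: above risk appetite but marked 'accept'")

def treatment_effective(r: Risk) -> bool:
    """6.1.1 e.2: the action is effective only if residual risk is within appetite."""
    return r.residual_score() <= RISK_APPETITE

def management_review_report(register: list) -> list:
    """Validated rows for the Management Review Team, highest inherent risk first."""
    ordered = sorted(register, key=Risk.inherent_score, reverse=True)
    for r in ordered:
        validate(r)
    return [{"ref": r.ref, "owner": r.owner, "treatment": r.treatment,
             "inherent": r.inherent_score(), "residual": r.residual_score(),
             "effective": treatment_effective(r)} for r in ordered]

# Constructed sample register: illustrative entries, not real findings.
SAMPLE_REGISTER = [
    Risk("R-01", "IT", 4, 5, "mitigate", 2, 5),   # patching gap on a public server
    Risk("R-02", "Ops", 3, 3, "mitigate", 3, 1),  # laptop loss; disk encryption planned
    Risk("R-03", "IT", 2, 2),                     # minor internal wiki outage, accepted
]
```

In the sample, R-01's planned mitigation still leaves a residual score of 10, above appetite, so the report flags it as not yet effective and it needs further treatment or a documented acceptance at the right level before the review.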
Watch the Video
For a complete visual guide to this process, check out our video tutorial: How to implement ISO 27001 Clause 6.1.1