ISO 27001 Clause 6.1.1 Planning General

ISO 27001 Planning General

This ISO 27001 Clause is about planning. In particular it has some requirements around general planning. As one of the ISO 27001 controls what it is really asking you is to plan to achieve the objectives, continually improve, and reduce undesired effects.

You will learn what ISO clause 6.1.1 is, how to simply and easily implement it for ISO 27001 certification and I will show you some common gotchas so you can avoid them.

What is ISO 27001 Clause 6.1.1 Planning General?

ISO 27001 Clause 6.1.1 comes under ISO 27001 Clause 6 and relates directly to planning. It is a relatively easy clause to satisfy with ISO 27001 templates. To implement ISO 27001 and go for ISO 27001 certification means that you must satisfy this requirement.

What are the ISO 27001:2022 Changes to Clause 6.1.1?

Brace yourself. The massive update was to remove the word ‘and’ from 6.1.1 b.

ISO 27001 Clause 6.1.1 Requirement

This clause is about planning and you have to demonstrate a couple of things.

You will demonstrate, show and evidence that when you planned your information security management system that you took into account the issues in ISO 27001 Clause 4.1 Understanding the organisation and its context and the requirements that you identified in ISO 27001 Clause 4.2 Understanding the needs and expectations of interested parties.

In addition you are going to work out the risks and opportunities that will address the following points

• that your information security management system can achieve its intended outcome(s)
• that you can prevent, or reduce, undesired effects
• that we can achieve continual improvement

You are going to plan, document and evidence

• actions to address these risks and opportunities
• how to integrate and implement these actions into your information security management system processes
• how to evaluate the effectiveness of these actions

ISO 27001 Clause 6.1.1 Definition

The ISO 27001 Standard defines clause 6.1.1 as:

When planning for the information security management system, the organisation shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to:

a) ensure the information security management system can achieve its intended outcome(s);

b) prevent, or reduce, undesired effects

c) achieve continual improvement.

The organisation shall plan:

d) actions to address these risks and opportunities; and

e) how to

1) integrate and implement these actions into its information security management system processes; and

2) evaluate the effectiveness of these actions.

ISO 27001:2022 Clause 6.1.1 Planning General

ISO 27001 Clause 6.1.1 Implementation Guide

There are a number of ways to meet the requirements of the ISO 27001 clause when going for ISO 27001 certification but an effective fast track is the use of ISO 27001 templates. The following ISO 27001 templates documents will meet the demands of ISO 27001 clause 6.1.1.

Implement Risk Management Policy

You will implement a Risk Management Policy that sets out your approach to risk management.

Implement Risk Process

You will implement your Risk Management Process that sets out how you manage risk.

Implement Risk Register

You will implement the Risk Register to capture, manages and reports risks. These are reported to and overseen by the Management Review Team. 

Implement Continual Improvement Policy

Risk Management is part of the continual improvement and you will implement your Continual Improvement Policy

How to comply with ISO 27001 Clause 6.1.1 Planning