ISO 27001 Clause 6.1.1 Planning General: The Lead Auditor’s Implementation and Audit Guide

ISO 27001 Clause 6.1.1 is a security control that mandates organisations to determine the risks and opportunities derived from their organisational context. It bridges the gap between understanding business needs and operational risk assessment. Its primary implementation requirement is to plan actions to address these risks, while the business benefit is ensuring the ISMS achieves its intended outcomes and continual improvement.

In this guide, I will show you exactly how to implement ISO 27001 Clause 6.1.1 and ensure you pass your audit. You will get a complete walkthrough of the control, practical implementation examples, and access to the ISO 27001 templates and toolkit that make compliance easy.

I am Stuart Barker, an ISO 27001 Lead Auditor with over 30 years of experience conducting hundreds of audits. I will cut through the jargon to show you exactly what changed in the 2022 update and provide you with plain-English advice to get you certified.

What is ISO 27001 Clause 6.1.1?

ISO 27001 Clause 6.1.1 comes under ISO 27001 Clause 6 and relates directly to planning. It is a relatively easy clause to satisfy with ISO 27001 templates. Implementing ISO 27001 and going for ISO 27001 certification means that you must satisfy this requirement.

What are the ISO 27001:2022 Changes to Clause 6.1.1?

Brace yourself. The massive update was to remove the word ‘and’ from 6.1.1 b.

Requirement

This clause is about planning and you have to demonstrate a couple of things.

You will demonstrate, show and evidence that, when you planned your information security management system, you took into account the issues in ISO 27001 Clause 4.1 Understanding the organisation and its context and the requirements that you identified in ISO 27001 Clause 4.2 Understanding the needs and expectations of interested parties.

In addition, you are going to work out the risks and opportunities that need to be addressed so:

  • that your information security management system can achieve its intended outcome(s)
  • that you can prevent, or reduce, undesired effects
  • that you can achieve continual improvement

You are going to plan, document and evidence:

  • actions to address these risks and opportunities
  • how to integrate and implement these actions into your information security management system processes
  • how to evaluate the effectiveness of these actions

Definition

ISO 27001 defines ISO 27001 clause 6.1.1 as:

When planning for the information security management system, the organisation shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to:

a) ensure the information security management system can achieve its intended outcome(s);

b) prevent, or reduce, undesired effects;

c) achieve continual improvement.

The organisation shall plan:

d) actions to address these risks and opportunities; and

e) how to

1) integrate and implement these actions into its information security management system processes; and

2) evaluate the effectiveness of these actions.

ISO 27001 Clause 6.1.1 Implementation Guidance

There are a number of ways to meet the requirements of the ISO 27001 clause when going for ISO 27001 certification, but an effective fast track is the use of ISO 27001 templates. The following ISO 27001 template documents will meet the demands of ISO 27001 Clause 6.1.1.

Implement Risk Management Policy

You will implement a Risk Management Policy that sets out your approach to risk management.

ISO 27001 Risk Management Policy Template

Implement Risk Process

You will implement your Risk Management Process that sets out how you manage risk.

ISO 27001 Risk Management Procedure Template

Implement Risk Register

You will implement the Risk Register to capture, manage and report risks. These are reported to and overseen by the Management Review Team.

ISO 27001 Risk Register Template

Implement Continual Improvement Policy

Risk Management is part of continual improvement, and you will implement your Continual Improvement Policy.

ISO 27001 Continual Improvement Policy Template

How to implement ISO 27001 Clause 6.1.1

Implementing ISO 27001 Clause 6.1.1 is the foundational step where you link your organisational context to your risk management strategy. It requires you to plan actions that address the risks and opportunities associated with the issues identified in Clause 4.1 and the requirements in Clause 4.2. Follow this guide to ensure your planning phase effectively sets the stage for a robust Information Security Management System (ISMS).

Step 1: Analyse Organisational Context

Action: Review your internal and external issues (Clause 4.1) and the needs of interested parties (Clause 4.2) to determine the scope of your planning.

Result: You establish a verified baseline of “Issues” and “Requirements” that ensures your ISMS planning is aligned with actual business goals rather than generic security assumptions.

  • Consult your “Context of Organisation” document to identify strategic threats (e.g., market competition, cyber regulations).
  • List the binding requirements from stakeholders (e.g., client SLAs, GDPR compliance).

Step 2: Determine Risks and Opportunities

Action: Identify specific risks that could prevent the ISMS from achieving its intended outcomes and opportunities that could enhance them.

Result: You create a definitive list of items that require action, preventing the common audit failure of having a disconnect between business context and risk treatment.

  • Differentiate between “Risks” (potential negative impacts) and “Opportunities” (potential positive improvements like adopting AI for efficiency).
  • Ensure the determination process is documented in your Risk Register or a dedicated Planning Register.

Step 3: Plan Actions to Address Risks

Action: Define specific, assignable actions to mitigate the identified risks or exploit the opportunities.

Result: You move from theoretical risk analysis to practical remediation, creating a “Risk Treatment Plan” that auditors can verify against your timeline.

Step 4: Integrate Actions into ISMS Processes

Action: Embed the planned actions directly into your daily operational processes rather than keeping them as a separate to-do list.

Result: You achieve “Security by Design”, where controls (like Access Control or Supplier Reviews) are triggered automatically by business processes, reducing the administrative burden.

Step 5: Evaluate Effectiveness of Actions

Action: Establish metrics (KPIs) to measure whether the actions taken actually reduced the risk or realised the opportunity.

Result: You provide concrete evidence for Management Review (Clause 9.3) demonstrating that the planning process adds value and drives continual improvement.

Watch the ISO 27001 Clause 6.1.1 Tutorial Video

For a complete visual guide to this process, check out our video tutorial: How to implement ISO 27001 Clause 6.1.1

Applicability of ISO 27001 Clause 6.1.1 across different business models

Small Businesses
  • Applicability: Foundational / Direct
  • Why it is important: Resources are scarce. Effective planning ensures you only spend money treating risks that actually threaten your specific context (e.g., cash flow, ransomware), avoiding “security theatre.”
  • Clause 6.1.1 planning example: Identifying reliance on a single laptop as a critical risk and planning the specific action of migrating files to a secure cloud storage solution (SharePoint/Google Workspace).

Tech Startups
  • Applicability: Strategic / Agile
  • Why it is important: Growth is the priority. Clause 6.1.1 ensures security actions are integrated into the product roadmap (DevSecOps) rather than becoming a bottleneck that slows down release cycles.
  • Clause 6.1.1 planning example: Identifying the “Opportunity” to close enterprise deals by achieving ISO 27001, and planning the implementation of Automated Static Application Security Testing (SAST) as a mitigation action.

AI Companies
  • Applicability: Mandatory / High-Stakes
  • Why it is important: The “Context” involves rapidly evolving regulations (EU AI Act). Planning must address specific AI risks like model poisoning or data leakage to ensure long-term commercial viability.
  • Clause 6.1.1 planning example: Determining the risk of “Regulatory Non-Compliance” regarding training data usage and planning the implementation of a specific AI Governance Framework to address it.

Applicability of ISO 27001 Clause 6.1.1 Planning across different business models.

ISO 27001 Clause 6.1.1 Implementation Checklist

Planning General ISO 27001 Clause 6.1.1 Implementation Checklist:

1. Identify Information Security Risks

Determine potential threats and vulnerabilities that could impact the confidentiality, integrity, and availability of information.

Challenge: Difficulty in comprehensively identifying all potential risks, especially emerging ones. Lack of expertise in risk assessment methodologies.

Solution: Utilise a structured risk assessment methodology (e.g., ISO 31000), involve diverse interested parties (IT, legal, business units), and conduct regular threat intelligence reviews. Consider using automated risk assessment tools.

2. Identify Information Security Opportunities

Explore potential improvements to the ISMS, such as new technologies, process enhancements, or training programs.

Challenge: Overlooking opportunities due to a focus on risks. Difficulty in quantifying the benefits of opportunities.

Solution: Actively seek opportunities through brainstorming sessions, industry research, and feedback from employees and customers. Develop clear criteria for evaluating the potential value of opportunities.

3. Analyse Risks

Evaluate the likelihood and impact of identified risks to prioritise them.

Challenge: Subjectivity in risk assessment. Lack of reliable data for estimating likelihood and impact.

Solution: Use a consistent risk assessment scale and criteria. Gather historical data and expert opinions to support estimations. Document the rationale behind risk ratings.

4. Analyse Opportunities

Assess the potential benefits and feasibility of identified opportunities.

Challenge: Difficulty in comparing opportunities with different types of benefits (e.g., cost savings vs. improved security).

Solution: Develop a framework for evaluating opportunities based on factors like cost, effort, impact on security, and alignment with business objectives.

5. Determine Risk Treatment Options

Select appropriate actions to mitigate or manage risks, such as avoidance, transfer, mitigation, or acceptance.

Challenge: Choosing the most cost-effective and appropriate treatment option. Difficulty in implementing complex mitigation measures.

Solution: Conduct a cost-benefit analysis for each treatment option. Prioritise treatments based on risk level and feasibility. Develop detailed implementation plans for chosen treatments.

6. Determine Opportunity Implementation Plans

Define how identified opportunities will be realised, including resources, timelines, and responsibilities.

Challenge: Difficulty in securing resources for implementing opportunities. Lack of clear ownership and accountability.

Solution: Develop a project plan for each opportunity, including clear objectives, tasks, timelines, and resource allocation. Assign responsibilities and establish clear communication channels.

7. Establish Objectives for Risk Treatment and Opportunity Implementation

Define specific, measurable, achievable, relevant, and time-bound (SMART) objectives for risk reduction and opportunity realisation.

Challenge: Setting unrealistic or unmeasurable objectives. Difficulty in tracking progress towards objectives.

Solution: Involve interested parties in setting objectives. Define clear metrics for measuring progress. Regularly monitor and report on progress.

8. Develop a Risk Treatment Plan

Document the chosen risk treatment options, implementation details, responsible parties, and timelines.

Challenge: Difficulty in maintaining and updating the risk treatment plan. Lack of integration with other ISMS processes.

Solution: Use a centralised risk register or management system to document and track risk treatments. Regularly review and update the plan as needed. Integrate the plan with other ISMS processes, such as incident management and change management.

9. Develop an Opportunity Implementation Plan

Document the chosen opportunities, implementation details, responsible parties, and timelines.

Challenge: Similar to risk treatment plans, keeping the opportunity implementation plan up-to-date and integrated can be challenging.

Solution: Mirror the solutions for risk treatment plans: use centralised systems, regular reviews, and integration with other ISMS processes.

10. Communicate

Communicate risk and opportunity information to relevant interested parties and seek their input.

Challenge: Difficulty in communicating complex technical information to non-technical audiences. Lack of engagement from interested parties.

Solution: Tailor communication to the audience. Use visual aids and plain language. Actively solicit feedback and involve interested parties in decision-making. Establish regular communication channels.

Fast track ISO 27001 Clause 6.1.1 compliance with the ISO 27001 Toolkit

Toolkit vs. SaaS: Managing Risk Planning

Feature comparison: High Table ISO 27001 Toolkit vs. Online SaaS / GRC Platforms

Ownership
  • High Table ISO 27001 Toolkit: Permanent Risk Data. You own your Risk Register and Planning documents. If you cancel a service, you retain the full history of your risk decisions, which is essential evidence for future audits.
  • Online SaaS / GRC Platforms: Rented Intelligence. Your “Risk Treatment Plan” exists only as long as you pay the subscription. If you leave, you lose the digital thread connecting your risks to your controls.

Simplicity
  • High Table ISO 27001 Toolkit: Instant Usability. Clause 6.1.1 requires input from various departments. Everyone knows how to update a risk line item in Excel. They do not need training on how to navigate a complex GRC risk module.
  • Online SaaS / GRC Platforms: Training Overhead. Configuring a SaaS tool to match your specific risk methodology (e.g., 5×5 matrix) often requires consultant support or extensive staff training.

Cost
  • High Table ISO 27001 Toolkit: One-Off Investment. Risk Planning is a periodic activity, not a daily one. Why pay a monthly subscription to host a Risk Register that you might only update quarterly?
  • Online SaaS / GRC Platforms: Ongoing Compliance Tax. You pay a monthly fee to access your planning data. Over a 3-year certification cycle, hosting your Risk Register in the cloud costs significantly more than a toolkit.

Freedom
  • High Table ISO 27001 Toolkit: Methodology Agnostic. You can adapt the Excel-based Risk Register to any future standard (e.g., NIST, SOC 2) without restriction. You are not locked into a specific vendor’s calculation logic.
  • Online SaaS / GRC Platforms: Vendor Lock-In. If the platform changes its risk scoring algorithm or pricing structure, your entire planning framework is trapped, making migration painful and expensive.

Comparison: Managing ISO 27001 Clause 6.1.1 with a Toolkit vs. SaaS

ISO 27001 Clause 6.1.1 Audit Checklist

How to audit ISO 27001 Clause 6.1.1 Planning General:

1. Review the Risk Assessment Methodology

Verify the existence and appropriateness of a documented risk assessment methodology.

  • Document review (policies, procedures)
  • Interviews with risk management personnel
  • Comparison against ISO 31000 principles
  • Observation of a risk assessment in progress

2. Examine Risk Registers and Documentation

Inspect the risk register for completeness, accuracy, and evidence of risk analysis (likelihood and impact).

  • Document review (risk register, risk assessment reports)
  • Data analysis (trends in risk levels)
  • Sampling of risk entries for detailed review
  • Interviews with risk owners

3. Evaluate the Identification of Opportunities

Confirm the process for identifying opportunities for ISMS improvement.

  • Interviews with management and staff
  • Analysis of improvement logs and project proposals
  • Review of strategic planning documents

4. Assess the Risk Treatment Process

Verify the defined process for selecting and implementing risk treatment options.

  • Document review (policies, procedures)
  • Interviews with risk management personnel
  • Review of risk treatment decisions and their rationale
  • Walkthrough of a risk treatment selection process

5. Evaluate Opportunity Implementation Plans

Review plans for implementing identified opportunities.

  • Document review (project plans, implementation schedules)
  • Interviews with project managers
  • Review of resource allocation documentation
  • Observation of opportunity implementation activities

6. Verify the Establishment of Objectives

Confirm the existence of SMART objectives for risk treatment and opportunity implementation.

  • Document review (ISMS objectives, risk treatment plans)
  • Interviews with management
  • Analysis of performance metrics and reports
  • Review of strategic plans

7. Examine Risk Treatment and Opportunity Implementation Plans

Inspect documented plans for details on chosen options, implementation steps, responsibilities, and timelines.

  • Document review (risk treatment plans, project plans)
  • Walkthrough of an implementation plan
  • Interviews with responsible parties
  • Review of change management records

8. Review Evidence of Implementation

Gather evidence of implemented risk treatments and opportunity implementation plans.

  • Document review (policies, procedures, training records, system configurations, test results)
  • Observation of processes
  • Interviews with staff
  • Penetration testing (for technical controls)

9. Evaluate Communication and Consultation

Check processes for communicating risk and opportunity information to stakeholders.

  • Interviews with stakeholders
  • Review of communication logs and meeting minutes
  • Analysis of communication effectiveness surveys
  • Review of stakeholder feedback mechanisms

10. Assess the Effectiveness of Actions

Evaluate the effectiveness of implemented actions in achieving objectives.

  • Analysis of performance data (e.g., incident rates, vulnerability scan results)
  • Review of management review outputs
  • Interviews with management and staff
  • Benchmarking against industry best practices

Examples of Information Security Opportunities in Clause 6.1.1

While ISO 27001 requires you to address risks (threats), Clause 6.1.1 explicitly requires you to identify and plan for opportunities. These are potential enhancements that arise from your security context: areas where improving security also drives business value, efficiency or competitive advantage. Unlike risks, which we mitigate, opportunities are scenarios we want to exploit or realise.

Operational Efficiency
  • Specific example: Adopting Single Sign-On (SSO) to centralise authentication.
  • Strategic business benefit: Improves user experience (UX) by reducing password fatigue and lowers IT helpdesk tickets for password resets.

Commercial Growth
  • Specific example: Achieving ISO 27001 Certification to satisfy enterprise vendor requirements.
  • Strategic business benefit: Unlocks entry into new enterprise markets and high-value tenders that demand accredited security assurance.

Process Automation
  • Specific example: Automating User Offboarding workflows through API integration (e.g., HRIS to Active Directory).
  • Strategic business benefit: Reduces administrative burden on IT staff and eliminates the “human error” risk of leaving dormant accounts active.

Infrastructure Modernisation
  • Specific example: Migrating legacy on-premise servers to a Secure Cloud Infrastructure (AWS/Azure).
  • Strategic business benefit: Enhances availability and scalability while shifting capital expenditure (CapEx) to predictable operational expenditure (OpEx).

Supply Chain Optimisation
  • Specific example: Consolidating the supply chain to fewer, pre-vetted security partners.
  • Strategic business benefit: Simplifies vendor management overhead (Clause 5.19) and builds stronger, more resilient partner relationships.

Cultural Engagement
  • Specific example: Implementing Gamified Security Awareness Training (e.g., phishing simulations with rewards).
  • Strategic business benefit: Transforms security from a “compliance box-ticking” exercise into a positive, engaging part of organisational culture.

Technological Resilience
  • Specific example: Deploying AI-driven Threat Detection tools.
  • Strategic business benefit: Drastically shortens the “Time to Detect” (TTD) and “Time to Respond” (TTR) for security incidents, minimising potential downtime.

Table: Best practice examples of Information Security Opportunities for Clause 6.1.1.

What an auditor wants to see for ISO 27001: Clause 6.1.1

The “Golden Thread” to Context
  • Why it is required: The auditor needs to see that your planning isn’t random. Every risk or opportunity identified in Clause 6.1.1 must directly relate back to the Internal/External Issues (Clause 4.1) or Interested Party Requirements (Clause 4.2).
  • Evidence / example artifacts: A Risk Register that includes a “Source” column referencing specific items from your “Context of Organisation” document (e.g., “Risk #12: Data Loss maps to Issue #4: Reliance on Legacy Servers”).

Documented Methodology
  • Why it is required: You cannot just present a list of risks; you must prove how you calculated them. The auditor wants to see that your approach to determining risks and opportunities is consistent, repeatable, and defined before you started.
  • Evidence / example artifacts: A Risk Management Policy/Process document defining your criteria for risk acceptance, your scoring matrix (e.g., 5×5 Likelihood vs Impact), and how you define “Opportunities.”

Consideration of “Opportunities”
  • Why it is required: ISO 27001:2022 emphasises that not all risks are negative. Auditors explicitly check for planned actions to exploit positive opportunities to improve the ISMS, which is often overlooked.
  • Evidence / example artifacts: A Planning Register or specific section in the Risk Register listing positive actions, such as “Adopting SSO to improve user experience and security” or “Achieving ISO 27001 to enter new markets.”

Integration into Business Processes
  • Why it is required: Planning shouldn’t be a once-a-year paper exercise. Auditors want to see that risk planning is triggered by actual business events (e.g., new supplier onboarding, software changes).
  • Evidence / example artifacts: Project Management Documentation or Change Request Forms that show a “Risk Assessment” step was mandatory before a new system was deployed.

What an auditor wants to see for ISO 27001 Clause 6.1.1 Planning.

How to comply with ISO 27001 Clause 6.1.1 Planning

Time needed: 1 day.

  1. Build your information security management system (ISMS)

    Using the ISO 27001 Toolkit to fast track your implementation, build your information security management system following the step-by-step guides and videos.

  2. Implement your risk management policy

    Implement the risk management policy that sets out what you do for risk management and what your risk appetite is.

  3. Implement your risk management process

    Implement your risk management process that shows how you manage risk, how you identify risk, how you assess risk, how you accept risk and the different levels of risk acceptance.

  4. Manage your risk via a risk register

    Implement a risk register that allows you to fully manage, record and report on risk including residual risk.

  5. Effectively and regularly report to the Management Review Team

    Ensure that you report to the Management Review at least once a quarter and follow the structured management team meeting agenda as dictated by the ISO 27001 standard.

ISO 27001 Clause 6.1.1 Common Mistakes and How to Avoid Them

Ignoring “Opportunities”
  • Why it is a problem: Many organisations focus solely on “Risks” (threats). Clause 6.1.1 explicitly requires you to address opportunities (positive risks) that could help the ISMS achieve its outcomes. Ignoring this leads to a minor non-conformity.
  • How to avoid it: Include a specific column in your Risk Register or Planning document for “Opportunities” (e.g., implementing AI to automate logs, moving to a more secure cloud provider) and plan actions to realise them.

Disconnect from “Context” (Clause 4.1)
  • Why it is a problem: If your planning doesn’t link back to the internal/external issues identified in Clause 4.1, your ISMS operates in a vacuum. Auditors will check if the risks you are treating actually relate to your business goals.
  • How to avoid it: Ensure every risk or opportunity in your planning register can be cross-referenced to a specific item in your “Context of Organisation” document.

Treating it as a One-Off Event
  • Why it is a problem: Planning is not just for the implementation phase. If you cannot show evidence that you re-evaluated risks and opportunities before significant changes (e.g., new product launch), you fail the “Continual Improvement” requirement.
  • How to avoid it: Schedule a quarterly review of your Clause 6.1.1 planning within your Management Review meetings and document the minutes as evidence of ongoing oversight.

Lack of Documented Criteria
  • Why it is a problem: Auditors need to see the “working out.” If you have a list of risks but no documented methodology for how you determined them (likelihood vs. impact), you cannot prove the process is repeatable.
  • How to avoid it: Formalise your Risk Management Methodology document before you start planning. Define your risk acceptance criteria clearly (e.g., “We treat all High risks”).

ISO 27001 Clause 6.1.1: Common Mistakes and How to Avoid Them

Ambiguity Resolution: Clause 6.1.1 vs. 6.1.2

A common point of confusion in ISO 27001 implementation is distinguishing between the high-level planning required in Clause 6.1.1 and the specific risk assessment required in Clause 6.1.2. While they are connected, they serve different functions within the standard.

Primary Focus
  • Clause 6.1.1 (General Planning): Strategic. Focuses on the management system (ISMS) as a whole. It ensures the ISMS can achieve its intended outcomes and addresses high-level uncertainty (Context).
  • Clause 6.1.2 (Information Security Risk Assessment): Operational Execution. Focuses on specific threats to information assets (Confidentiality, Integrity, Availability). It is the mechanism for calculating risk levels.

Input Source
  • Clause 6.1.1: Directly derived from Clause 4.1 (Context) and Clause 4.2 (Interested Parties).
  • Clause 6.1.2: Derived from the Asset Register and specific threat/vulnerability scenarios.

Scope of “Risk”
  • Clause 6.1.1: Includes “Risks to the ISMS” (e.g., lack of budget, loss of key staff, regulatory changes). Also includes Opportunities.
  • Clause 6.1.2: Includes “Information Security Risks” (e.g., malware infection, data leakage, laptop theft). Does not typically assess “opportunities.”

Output Artifact
  • Clause 6.1.1: Planning Register or Management Review Minutes confirming strategic direction.
  • Clause 6.1.2: Risk Assessment Report (SoA) and a granular Risk Register detailing specific asset risks and scores.

Key Question Asked
  • Clause 6.1.1: “What external or internal issues could stop us from running a successful security program?”
  • Clause 6.1.2: “What specific threats could compromise this specific server or database?”

Comparison: ISO 27001 Clause 6.1.1 vs. Clause 6.1.2

“Risks to the ISMS” vs. “Information Security Risks”

A nuanced technical point that Lead Auditors specifically look for in Clause 6.1.1 is the distinction between strategic risks to the management system itself and operational information security risks. Many organisations fail audits because they only document data breaches.

Key Takeaway: Clause 6.1.1 requires you to identify risks that threaten the success of the implementation (Strategic), whereas Clause 6.1.2 requires you to identify risks that threaten the confidentiality, integrity, or availability of data (Operational).

Risk category, clause reference and valid examples (what auditors want to see):

Risks to the ISMS (Strategic): Clause 6.1.1
  • Lack of Budget: Inability to purchase required security tools.
  • Loss of Support: Key stakeholder (e.g., CEO) withdraws backing.
  • Resource Shortage: Information Security Manager resigns with no replacement.
  • Regulatory Change: New laws (e.g., AI Act) render current policies obsolete.

Information Security Risks (Operational): Clause 6.1.2
  • Phishing Attack: Employee clicks a malicious link.
  • Ransomware: Production database is encrypted by malware.
  • Laptop Theft: Unencrypted device left on a train.
  • Data Leakage: Sensitive customer data emailed to wrong recipient.

Distinction between Strategic ISMS Risks (6.1.1) and Operational InfoSec Risks (6.1.2).

ISO 27001 Clause 6.1.1 FAQ

What is ISO 27001 Clause 6.1.1?

ISO 27001 Clause 6.1.1 is the General Planning requirement that acts as the bridge between understanding your organisation (Clause 4) and managing risk (Clause 6.1.2). It requires you to determine the risks and opportunities that need to be addressed to ensure the Information Security Management System (ISMS) can achieve its intended outcomes, prevent undesired effects, and achieve continual improvement.

What is the difference between Clause 6.1.1 and Clause 6.1.2?

The primary difference is that Clause 6.1.1 is strategic while Clause 6.1.2 is operational. Clause 6.1.1 focuses on risks to the management system itself (e.g., “lack of budget” or “regulatory changes”) and requires you to plan high-level actions. In contrast, Clause 6.1.2 is the specific Information Security Risk Assessment process where you identify threats to assets (e.g., “malware infection on a server”) and calculate risk levels.

What are “Risks to the ISMS” vs “Information Security Risks”?

Lead auditors distinguish between these two distinct risk types. Risks to the ISMS (Clause 6.1.1) are business issues that could cause the entire security program to fail, such as the resignation of the Information Security Manager or a merger or acquisition disrupting processes. Information Security Risks (Clause 6.1.2) are specific scenarios involving the loss of confidentiality, integrity, or availability of data, such as a phishing attack or laptop theft.

What are examples of “Opportunities” in Clause 6.1.1?

Opportunities are positive scenarios where enhancing security also drives business value. Examples include:

  • Commercial Growth: Achieving ISO 27001 certification to unlock enterprise tenders.
  • Efficiency: Implementing Single Sign-On (SSO) to reduce password fatigue and helpdesk tickets.
  • Resilience: Migrating to cloud infrastructure to improve availability and scalability.

Does Clause 6.1.1 require a specific document?

No, ISO 27001 Clause 6.1.1 does not strictly mandate a dedicated “Planning Document.” However, you must produce documented information as evidence. Most organisations demonstrate compliance by including a “Risks and Opportunities” tab in their Risk Register or by recording these strategic discussions in the minutes of Management Review meetings (Clause 9.3).

How often should we perform Clause 6.1.1 planning?

Planning is not a one-time event. You should perform Clause 6.1.1 planning initially during the ISMS implementation, annually as part of the management review cycle, and ad-hoc whenever there are significant changes to the organisation (e.g., new product launches, restructuring, or new legislation like the EU AI Act). Continuous alignment with Clause 4.1 (Context) is essential.

About the author

Stuart Barker
🎓 MSc Security 🛡️ Lead Auditor 30+ Years Exp 🏢 Ex-GE Leader

ISO 27001 Ninja

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.
