Table of contents
hello! I’m the ISO 27001 Ninja and we continue our journey through ISO 27001 Clause by Clause ensuring that you’re going to get maximum levels of success when it comes to your certification.
ISO 27001 Risk Planning in general is covered in ISO 27001 Clause 6.1.1 Planning General. Here we take a look at how to implement it.
Watch
Definition
We always start with the definition, so we know what we are tackling.
The standard defines ISO 27001 Risk Planning General as – “when planning for the information security management system the organisation shall consider the issues referred to in 4.1 and the requirements referred to in 4.2, I’ll talk about them in a minute, and determine the risks and opportunities that need to be addressed they will ensure the information security management system can achieve its intended outcomes, prevent or reduce undesired effects, achieve continual Improvement. The organisation shall plan actions to address these risks and how to integrate and implement the actions into its information security management system processes and evaluate the effectiveness of these actions.”
DO IT YOURSELF
ISO 27001
Implementation Guide
Now, we’re looking at risk management here, we’re looking at planning. If we go for the nuance of this particular Clause we can see actually this is looking at risk associated with the information security management system so at this point it isn’t necessarily calling out to the risk associated with our information security posture or associated with the statement of applicability but the approaches are going to be the same. To satisfy this particular Clause it says take into account ISO 27001 Clause 4.1 and ISO 27001 Clause 4.2, that is needs and expectations of interested parties and internal and external issues and there are videos on both of those clauses as well as blogs that you can reference back to.
What it’s saying is, and we covered that in those particular videos, is let’s look at what our internal issues are, let’s look at what our external issues are, if they represent a risk let’s put them on our risk register and let’s manage them through risk management.
In addition to that if our interested parties represent some level of risk to our management system equally let’s put them on the risk register and let’s manage them through the risk management process as well. So quite specific to the ISMS at this stage.
To implement this control, actually, you’re just going to implement your overall risk management process, I mean ISO 27001 is a risk based standard, it is based on the identification and the mitigation of risk and we’ve touched on this a number of times. It’s not a rule-based system, it doesn’t tell you exactly what you need to do, it says go away assess what risks you’ve got, have a look at these controls see whether or not these controls mitigate that risk or not. If they do, here is some guidance to the level that you can go and implement them that will hopefully mitigate and address the risk that you’ve got.
If I was going to implement this what do I need? I need a couple of things and again these couple of things are going to cover a number of ISO 27001 Clauses and a number of controls. When we get to Annex A we’re going to need a Continual Improvement Policy, so our policy that sets out the statements of what we do, not how we do it. We need a Continual Improvement Policy. We need a Risk Management Policy. So, we’re going to write and define our Risk Management Policy. We need a Risk Management Process, in addition to that we’re going to define our risk management process.
Now it doesn’t come as a surprise with the ISO 27001 template store on hightable.io, all of those templates are available to you individually and there are a series of videos on my ISO 27001 YouTube Channel that show you how to create them and how to build them from scratch if you don’t want to spend a couple of pounds, less than a mocha chino, with me, that’s absolutely fine, I give you the videos and I give you the guides on how to create them but you’re going to need those particular artefacts.
How to Comply
When it comes to complying how am I going to comply? To comply with this particular version of the standard I’m going to complete ISO 27001 Clause 4.1 and ISO 27001 Clause 4.2. So internal and external issues needs and expectations of interested parties. I’m going to complete the documentation, decide whether or not they represent a risk or not, add them to my risk register if they do.
I’m going to build my information security management system, there are other blogs on that, ISO 27001 Clause 4.4 Information Security Management System, there’s a Blog and a video that talks you through how to build your information security management system. I’m going to build that.
I’m going to implement my Risk Management Policy, I’m going to implement my Risk Management Process, I’m going to implement my Risk Register and I’m going to populate my Risk Register with the risks that are associated with those particular clauses and as part of that I’m going to put my risk planning in place.
Risk Mitigation
What are the things that I am going to do to mitigate the risk that I have identified? Remembering that risk acceptance is a very valid step in the risk management process as long as you’ve identified the risk you do have the ability, the capability to accept that risk as well, as long as you know about it, acceptance is management as well and as part of that we’re going to put in our regular monitoring and review. Our annual risk review, we’re going to put in our monthly management review team meeting where we’re going to go ahead and we’re going to review those particular risks.
ISO 27001 Templates
These templates are reference in the article and available to download.
Conclusion
So in terms of this particular Clause I’m going to keep it quite short because what we are going to do in other videos, other blogs, other guides is actually dig a lot deeper into the risk management process, the risk register, the risk policy and show you a little bit more detail around how you would do that. So rather than do that in each of these individual videos be sure to go to my ISO 27001 YouTube Channel, subscribe to the channel and you’re going to be able to find those videos and I’m going to be able to talk you through it but that is it for today. ISO 27001 Clause 6.1.1 Planning General. I am Stuart Barker. I am the ISO 27001 Ninja and until the next blog and the next guide, peas out