ISO 27001 Risk Planning General

Home / ISO 27001 / ISO 27001 Risk Planning General

hello! I’m the ISO 27001 Ninja and we continue our journey through ISO 27001 Clause by Clause ensuring that you’re going to get maximum levels of success when it comes to your certification.

ISO 27001 Risk Planning in general is covered in ISO 27001 Clause 6.1.1 Planning General. Here we take a look at how to implement it.

Watch

Definition

We always start with the definition, so we know what we are tackling.

The standard defines ISO 27001 Risk Planning General as – “when planning for the information security management system the organisation shall consider the issues referred to in 4.1 and the requirements referred to in 4.2, I’ll talk about them in a minute, and determine the risks and opportunities that need to be addressed they will ensure the information security management system can achieve its intended outcomes, prevent or reduce undesired effects, achieve continual Improvement. The organisation shall plan actions to address these risks and how to integrate and implement the actions into its information security management system processes and evaluate the effectiveness of these actions.”

DO IT YOURSELF ISO27001

Stop Spanking £10,000’s on Consultants and Platforms

ISO 27001 Toolkit Business Edition

Implementation Guide

Now, we’re looking at risk management here, we’re looking at planning. If we go for the nuance of this particular Clause we can see actually this is looking at risk associated with the information security management system so at this point it isn’t necessarily calling out to the risk  associated with our information security posture or associated with the statement of applicability but the approaches are going to be the same. To satisfy this  particular Clause it says take into account ISO 27001 Clause 4.1 and ISO 27001 Clause 4.2, that is needs  and expectations of interested parties and internal and external issues and  there are videos on both of those clauses as well as blogs that you can reference back to.

What it’s saying is, and we covered that in those particular videos, is let’s look at what our internal issues are, let’s look at what our external issues are, if they represent a risk let’s put them on our risk register and let’s manage them through risk management.

In addition to that if our interested parties represent some level of risk to our management system equally let’s put them on the risk register and let’s manage them through the risk management process as well. So quite specific to the ISMS at this stage.

To implement this control, actually, you’re just going to implement your overall risk management process, I mean ISO 27001 is a risk based standard, it is based on the identification and the mitigation of risk and we’ve touched on this a number of times. It’s not a rule-based system, it doesn’t tell you exactly what you need to do, it says go away assess what risks you’ve got, have a look at these controls see whether or not these controls mitigate that risk or not. If they do, here is some guidance to the level that you can go and implement them that will hopefully mitigate and address the risk that you’ve got.

If I was going to implement this what do I need? I need a couple of things and again these couple of things are going to cover a number of ISO 27001 Clauses and a number of controls. When we get to Annex A we’re going to need a Continual Improvement Policy, so our policy that sets out the statements of what we do, not how we do it. We need a Continual Improvement Policy. We need a Risk Management Policy. So, we’re going to write and define our Risk Management Policy. We need a Risk Management Process, in addition to that we’re going to define our risk management process.

Now it doesn’t come as a surprise with the ISO 27001 template store on hightable.io, all of those templates are available to you individually and there are a series of videos on my ISO 27001 YouTube Channel that show you how to create them and how to build them from scratch if you don’t want to spend a couple of pounds, less than a mocha chino, with me, that’s absolutely fine, I give you the videos and I give you the guides on how to create them but you’re going to need those particular artefacts.

How to Comply

When it comes to complying how am I going to comply? To comply with this particular version of the standard I’m going to complete ISO 27001 Clause 4.1 and ISO 27001 Clause 4.2. So internal and external issues needs and  expectations of interested parties. I’m going to complete the documentation, decide whether or not they represent a risk or not, add them to my risk register if they do.

I’m going to build my information security management system, there are other blogs on that, ISO 27001 Clause 4.4 Information Security Management System, there’s a Blog and a video that talks you through how to  build your information security management system. I’m going to build  that.

I’m going to implement my Risk Management Policy, I’m going to implement my Risk Management Process, I’m going to implement my Risk Register and  I’m going to populate my Risk Register with the risks that are associated with  those particular clauses and as part of that I’m going to put my risk planning in place.

Risk Mitigation

What are the things that I am going to do to mitigate the risk that I have identified? Remembering that risk acceptance is a very valid step in the  risk management process as long as you’ve identified the risk you do have  the ability, the capability to accept that risk as well, as long as you know about it, acceptance is management as well and as part of that we’re going to  put in our regular monitoring and review. Our annual risk review, we’re going to  put in our monthly management review team meeting where we’re going to go  ahead and we’re going to review those particular risks.

ISO 27001 Templates

These templates are reference in the article and available to download.

Conclusion

So in terms of this particular Clause I’m going to keep it quite short because what we are going to do in other videos, other blogs, other guides is actually dig a lot deeper into the risk management process, the risk register, the risk policy and show you a little bit more detail around how you would do that. So rather than do that in each of these individual videos be sure to go to my ISO 27001 YouTube Channel, subscribe to the channel and you’re going to be able to find those videos and I’m going to be able to talk you through it but that is it for today. ISO 27001 Clause 6.1.1 Planning General. I am Stuart Barker. I am the ISO  27001 Ninja and until the next blog and the next guide, peas out

ISO 27001:2022 requirements

Organisational Controls - A5

ISO 27001 Annex A 5.1 Policies for information security

ISO 27001 Annex A 5.2 Information Security Roles and Responsibilities

ISO 27001 Annex A 5.3 Segregation of duties

ISO 27001 Annex A 5.4 Management responsibilities

ISO 27001 Annex A 5.5 Contact with authorities

ISO 27001 Annex A 5.6 Contact with special interest groups

ISO 27001 Annex A 5.7 Threat intelligence – new

ISO 27001 Annex A 5.8 Information security in project management

ISO 27001 Annex A 5.9 Inventory of information and other associated assets – change

ISO 27001 Annex A 5.10 Acceptable use of information and other associated assets – change

ISO 27001 Annex A 5.11 Return of assets

ISO 27001 Annex A 5.11 Return of assets

ISO 27001 Annex A 5.13 Labelling of information

ISO 27001 Annex A 5.14 Information transfer

ISO 27001 Annex A 5.15 Access control

ISO 27001 Annex A 5.16 Identity management

ISO 27001 Annex A 5.17 Authentication information – new

ISO 27001 Annex A 5.18 Access rights – change

ISO 27001 Annex A 5.19 Information security in supplier relationships

ISO 27001 Annex A 5.20 Addressing information security within supplier agreements

ISO 27001 Annex A 5.21 Managing information security in the ICT supply chain – new

ISO 27001 Annex A 5.22 Monitoring, review and change management of supplier services – change

ISO 27001 Annex A 5.23 Information security for use of cloud services – new

ISO 27001 Annex A 5.24 Information security incident management planning and preparation – change

ISO 27001 Annex A 5.25 Assessment and decision on information security events 

ISO 27001 Annex A 5.26 Response to information security incidents

ISO 27001 Annex A 5.27 Learning from information security incidents

ISO 27001 Annex A 5.28 Collection of evidence

ISO 27001 Annex A 5.29 Information security during disruption – change

ISO 27001 Annex A 5.31 Identification of legal, statutory, regulatory and contractual requirements

ISO 27001 Annex A 5.32 Intellectual property rights

ISO 27001 Annex A 5.33 Protection of records

ISO 27001 Annex A 5.34 Privacy and protection of PII

ISO 27001 Annex A 5.35 Independent review of information security

ISO 27001 Annex A 5.36 Compliance with policies and standards for information security

ISO 27001 Annex A 5.37 Documented operating procedures 

Technology Controls - A8

ISO 27001 Annex A 8.1 User Endpoint Devices

ISO 27001 Annex A 8.2 Privileged Access Rights

ISO 27001 Annex A 8.3 Information Access Restriction

ISO 27001 Annex A 8.4 Access To Source Code

ISO 27001 Annex A 8.5 Secure Authentication

ISO 27001 Annex A 8.6 Capacity Management

ISO 27001 Annex A 8.7 Protection Against Malware

ISO 27001 Annex A 8.8 Management of Technical Vulnerabilities

ISO 27001 Annex A 8.9 Configuration Management 

ISO 27001 Annex A 8.10 Information Deletion

ISO 27001 Annex A 8.11 Data Masking

ISO 27001 Annex A 8.12 Data Leakage Prevention

ISO 27001 Annex A 8.13 Information Backup

ISO 27001 Annex A 8.14 Redundancy of Information Processing Facilities

ISO 27001 Annex A 8.15 Logging

ISO 27001 Annex A 8.16 Monitoring Activities

ISO 27001 Annex A 8.17 Clock Synchronisation

ISO 27001 Annex A 8.18 Use of Privileged Utility Programs

ISO 27001 Annex A 8.19 Installation of Software on Operational Systems

ISO 27001 Annex A 8.20 Network Security

ISO 27001 Annex A 8.21 Security of Network Services

ISO 27001 Annex A 8.22 Segregation of Networks

ISO 27001 Annex A 8.23 Web Filtering

ISO 27001 Annex A 8.24 Use of CryptographyISO27001 Annex A 8.25 Secure Development Life Cycle

ISO 27001 Annex A 8.26 Application Security Requirements

ISO 27001 Annex A 8.27 Secure Systems Architecture and Engineering Principles

ISO 27001 Annex A 8.28 Secure Coding

ISO 27001 Annex A 8.29 Security Testing in Development and Acceptance

ISO 27001 Annex A 8.30 Outsourced Development

ISO 27001 Annex A 8.31 Separation of Development, Test and Production Environments

ISO 27001 Annex A 8.32 Change Management

ISO 27001 Annex A 8.33 Test Information

ISO 27001 Annex A 8.34 Protection of information systems during audit testing