ISO 27001 Clause 6.1.1 Planning General

ISO 27001 Clause 6.1.1 Actions to Address Risks and Opportunities

What is ISO 27001 Clause 6.1.1 Planning General in ISO 27001?

Clause 6.1.1 is a documented requirement for organisations to plan their Information Security Management System. It ensures the system achieves its goals by addressing risks and opportunities. This planning must be integrated into existing business-as-usual tools like SharePoint or Jira to ensure management remains accountable.

Auditor’s Eye: The Shortcut Trap

Reliance on automated SaaS compliance platforms often results in surface-level compliance. These “black box” systems decouple security from daily business operations. Auditors frequently find that staff do not understand the risks shown on software dashboards. We prefer to see risk evidence within your native document repositories. Using SharePoint or internal wikis proves that your team owns the security process. Genuine compliance requires human oversight, not a software green tick.

Feature     | ISO 27001:2013                   | ISO 27001:2022
Focus       | Prevention of undesired effects. | Emphasis on risks and opportunities.
Integration | Isolated risk registers.         | Integrated business planning.

How to Implement ISO 27001 Clause 6.1.1 Planning General (Step-by-Step)

Establish a documented planning process within your existing corporate document management system. You must determine the risks and opportunities that require attention to prevent undesired effects. This step ensures your security efforts align with your actual business needs and strategic direction.

  • Review Clause 4.1 and 4.2 findings within your SharePoint registers.
  • Identify security opportunities using your standard Jira or Confluence project trackers.
  • Document the criteria for risk acceptance in your internal policy wiki.
  • Assign risk owners within your organisational hierarchy, not within a third-party app.

ISO 27001 Clause 6.1.1 Planning General Audit Evidence Checklist

  • Documented risk assessment methodology stored in your company’s central repository.
  • Version-controlled records of risk planning meetings.
  • Evidence of security objectives being tracked within internal project management tools.
  • Approval logs showing management sign-off on identified risks and opportunities.

Relational Mapping

Clause 6.1.1 connects directly to Clause 4.4 (ISMS establishment) and Clause 9.3 (Management review). Planning informs the selection of controls in Annex A.

Auditor Interview

Auditor: How do you identify risks to your ISMS?

You: We use our internal SharePoint environment to log and track risks regularly.

Auditor: How does this integrate with your wider business planning?

You: Security risks are reviewed during our standard monthly management meetings.

Common Non-Conformities

Failure Mode           | Description
Automated Complacency  | Relying on a platform’s green tick without having internal procedural evidence.
Disconnected Planning  | Security risks are not linked to the business objectives defined in Clause 4.

Frequently Asked Questions

What is the primary requirement of Clause 6.1.1?

The primary requirement is planning. Organisations must determine risks and opportunities to ensure the ISMS achieves intended outcomes. This requires documented evidence of planning within native business tools like SharePoint or internal wikis.

How do you document opportunities in ISO 27001?

Document opportunities by identifying positive factors that improve security. Record these in your standard project management tools. Linking these to business-as-usual workflows ensures management remains accountable for security improvements.

Can I use automated software for Clause 6.1.1?

Automated software often obscures true management intent. Auditors prefer seeing risk planning integrated into your existing document management system. Native tools prove that security is part of daily operations.

LA CASA DE CERTIFICACIÓN