ISO 27001 Clause 6.1.1 Planning General: Certification Body Guide

ISO 27001 Clause 6.1.1 Actions to Address Risks and Opportunities

ISO 27001 Clause 6.1 Actions to Address Risks and Opportunities is a planning control that requires organisations to identify and manage security risks. It ensures the management system achieves intended outcomes. This control mandates documented processes for risk assessment and treatment to prevent undesired effects.

ISO 27001:2022 Attributes

Attribute | Classification
Control Type | Governance, Planning, Preventative
Information Security Properties | Confidentiality, Integrity, Availability
Cybersecurity Concepts | Identify, Govern
Operational Capabilities | Information Security Management

Implementation Difficulty & Cost

Factor | Metric
Implementation Difficulty | 4/5 (Requires deep business context and logic)
Financial Cost | Low (Mainly internal staff time)
Process Owner | Chief Information Security Officer (CISO)
Accountability Cascade | Top Management and Board of Directors

ISO 27002 Control Guidance

The physical guidance for risk management focuses on site-specific threats. You must evaluate risks like unauthorised access, fire, and flood. I look for risk entries that mention your actual office locations. Management must determine if physical barriers protect sensitive hardware sufficiently. You should record these site risks in your internal SharePoint register. This ensures that physical site managers take ownership of local security threats.

The technical implementation requires a focus on your digital assets. You must identify vulnerabilities in your cloud hosting and internal systems. I often find that firms ignore legacy software in their risk assessments. You should use Jira to track technical risk treatments through to completion. This provides an unalterable log of how your team fixed security gaps. Technical risks must be specific to your actual technology stack.

The behavioural guidance involves assessing human-related security risks. You must consider the risk of social engineering and accidental data loss. I look for evidence that you have evaluated employee security awareness. Management must determine the risk posed by internal culture and staff turnover. You should document these human factors in your risk management plan. This helps you tailor training to address the most likely employee errors.

In my 20 years of auditing, I find that Clause 6.1 is where most firms fail. I often see risk registers that look identical to a generic template. I will perform Log Reviews of your risk assessment meetings. I want to see that your team debated the likelihood of specific threats. If your register is just a list in a SaaS tool, I will question your ownership. I may also perform Camera Walkthroughs to see if physical risks match your register. Authenticity is the only way to avoid a major non-conformity.

10 Steps to Implement Clause 6.1

  1. Define Your Risk Methodology

    Establish a clear set of rules for assessing risk. You must define how you calculate impact and likelihood levels. Store this methodology in your central SharePoint policy library. This ensures that every risk assessment follows a consistent process. I check this methodology first during every audit.
  2. Identify Security Risks

    Gather your department leads to brainstorm potential threats to information. Focus on confidentiality, integrity, and availability. Use your internal Confluence wiki to record these sessions. This proves that risk identification involves the whole business. Do not rely on a software tool to find your risks for you.
  3. Identify Security Opportunities

    Determine where security improvements can support business growth. Opportunities might include moving to more secure cloud services. Document these in your Jira project trackers alongside risks. This shows that you view security as a way to improve the business. I look for proactive opportunities during management reviews.
  4. Analyse Risk Levels

    Evaluate each risk using your defined methodology. You must determine the potential consequences for your business operations. Record the results in an internal spreadsheet or database. I check if these levels reflect the reality of your current environment. This step prevents you from wasting resources on insignificant issues.
  5. Evaluate Risk Treatment Options

    Decide how to handle each identified risk. Options include avoiding, mitigating, transferring, or accepting the risk. You must justify why you chose a specific treatment. Record these decisions in your risk treatment plan. I often find that firms accept high risks without a clear reason.
  6. Produce a Statement of Applicability

    Select the necessary Annex A controls based on your risk results. You must list every control and explain why it is included. Store this document in SharePoint with strict version control. This is the most important document in your ISMS. I will spend significant time reviewing your justifications.
  7. Create a Risk Treatment Plan

    Define the actions, resources, and timelines for mitigating risks. Assign a risk owner to every task within Jira. This ensures that mitigation work actually happens. I look for evidence that these tasks are part of your daily work. A plan without active tasks is just a dead document.
  8. Secure Management Approval

    Present your risk assessment and treatment plan to top management. They must formally approve the residual risk levels. I look for their signatures in your SharePoint approval logs. Management must own the final risk posture of the organisation. This prevents the security team from being blamed for business decisions.
  9. Communicate Risk Owners

    Inform individuals of their responsibility for managing specific risks. I often interview staff to see if they know which risks they own. Ensure these roles are clear in your organisational chart. This creates a culture of accountability across the business. Security is not just the job of the CISO.
  10. Review and Update Regularly

    Schedule quarterly reviews of your risk register. You must update your findings when the business environment changes. I check the version history of your registers for regular updates. A static register is a major red flag for any auditor. It shows that your risk management process is not active.

Requirements by Environment

  • Office Environment: Must address physical theft, local utility failures, and unauthorised site entry.
  • Home Working: Focus on domestic network security and the risk of device loss in transit.
  • Cloud Environment: Address provider outages and the risk of misconfigured cloud storage buckets.

The “Checkbox Compliance” Trap

Requirement | SaaS Tool Trap | Auditor Reality
Risk Identification | Software provides a generic list of risks. | I want to see risks unique to your business niche.
Risk Ownership | Assigning “System” as the owner of every risk. | I look for human names and accountability.
Risk Review | Clicking a “Renew” button once a year. | I want to see records of real management debate.

10 Steps to Audit Clause 6.1 (Internal Audit Guide)

  1. Verify Methodology: Check if the risk assessment follows the documented internal rules.
  2. Review Stakeholder Inputs: Ensure risk identification considers the needs of parties from Clause 4.2.
  3. Check Risk Ownership: Confirm that every high risk has a named human owner.
  4. Sample Treatment Plans: Pick three risks and follow their treatment tasks in Jira.
  5. Inspect the SoA: Verify that justifications for excluding controls are logical and documented.
  6. Assess Management Approval: Find signed evidence of management accepting the residual risks.
  7. Verify Risk Links: Check if the risk register links to the asset register.
  8. Evaluate Opportunity Log: Ensure the organisation is tracking security opportunities, not just threats.
  9. Check Version History: Confirm the risk register has been updated after recent business changes.
  10. Interview Risk Owners: Ask owners how they manage the specific risks assigned to them.

ISO 27001 Clause 6.1 Audit Evidence Checklist

Evidence Item | Pass/Fail Criteria | Owner
Risk Assessment Methodology | Must be documented and approved in SharePoint. | CISO
Risk Register | Must contain site-specific and asset-linked risks. | Risk Manager
Risk Treatment Plan | Must show active tasks and owners in Jira. | CISO
Statement of Applicability | Must have detailed justifications for every Annex A control. | CISO

Required Policy Content: A Lead Auditor’s Checklist

  • Risk Assessment Rules: You must define the scales for impact and likelihood clearly.
  • Risk Acceptance Criteria: State the levels of risk that management is willing to tolerate.
  • Owner Responsibilities: Define what is expected from a named risk owner.
  • Review Frequency Clause: Mandate a minimum of quarterly reviews for the risk register.
  • Integration Statement: Explain how risk management links to the wider business strategy.

What to Teach Employees

  • Identify Threats: Teach staff how to recognise security risks in their daily tasks.
  • The Reporting Path: Ensure everyone knows how to report a new risk to the CISO.
  • Security Opportunities: Encourage staff to suggest ways to make security processes better.

Enforcement and Consequences

Failure to manage risk effectively is a direct path to a major non-conformity. I follow a strict disciplinary route: Verbal Warning for missing owner names, Written Minor NC for stale registers, and Major NC for lack of management sign-off. If you do not own your risk, you do not have a management system.

Common Implementation Challenges

Challenge | Root Cause | Solution
Generic Risk Lists | Relying too much on software templates. | Hold workshops to identify risks specific to your operations.
Inactive Mitigation | Planning but never performing the work. | Track all treatment tasks in your daily Jira workflow.
Disconnected Management | Executives not understanding the risk levels. | Present risks in terms of business and financial impact.

Sample Statement of Applicability (SoA) Entry

“ISO 27001 Clause 6.1 is a mandatory requirement for our ISMS. We satisfy this by maintaining an active risk register in SharePoint. We use a documented methodology to assess threats and opportunities quarterly. Management reviews and approves all residual risks to ensure alignment with our business strategy.”

Changes from ISO 27001:2013

ISO 27001:2013 | ISO 27001:2022
Focus on security threats. | Added emphasis on opportunities for improvement.
Implied risk ownership. | Stronger requirement for named risk owners and accountability.

How to Measure Effectiveness (KPIs)

  • Risk Mitigation Rate: Percentage of treatment tasks completed on time in Jira.
  • Review Frequency: Number of days since the last full management review of the register.
  • Incident Correlation: Percentage of security incidents that were previously identified as risks.

Clause 6.1 FAQ

Can we use a spreadsheet for our risk register? Yes. A spreadsheet in SharePoint is an excellent way to maintain a version-controlled record. I prefer this over a portal I cannot access.
How many risks should we identify? There is no set number. I look for quality and relevance rather than a high quantity of generic risks.
What is a security opportunity? It is a situation where improving security also helps the business. For example, using single sign-on makes logins faster and more secure.
Does the Board have to approve every risk? They must approve the overall risk posture and any high-level risks that exceed your tolerance.
What is a residual risk? It is the level of risk that remains after you have applied your security treatments. Management must accept this level.