Clause 6 of ISO 27001 covers planning, and in particular planning the actions that address risks and opportunities. Managing risk sounds simple, but it means different things to different people, and it has a specific meaning for ISO 27001 auditors, so it is important to meet what they expect.
What is ISO 27001 Clause 6.1?
ISO 27001 Clause 6.1.1 General
Start by looking back at what you produced for clauses 4 and 5, especially 4.1 (context of the organisation), 4.2 (interested parties), 4.3 (scope) and all of clause 5 (leadership). The issues, interested parties and scope you identified there are the inputs for working out which risks and opportunities you need to address. The goal is to:
- Make sure your information security management system can achieve what it’s supposed to.
- Prevent or lessen any bad things that could happen.
- Keep making things better over time.
Your organisation needs documented plans for how it will identify, assess and treat these risks and opportunities, how it will integrate those actions into its ISMS processes, and how it will monitor them and evaluate whether they are working.
In practice this means writing down how you identify, assess and treat risks, and then showing that the process actually runs by managing each risk through it. For every risk you should be able to show which treatment option was chosen: the risk was modified by applying controls (for example from Annex A) and the residual risk accepted by its owner, the activity giving rise to it was stopped, or the risk was shared with another party such as a supplier or insurer.
ISO/IEC 27005 goes into more detail on information security risk management, and generic risk standards such as ISO 31000 are also worth reading, since ISO 27001’s risk planning requirements were derived from that family of standards.
When planning for the information security management system, the organisation shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to:
a) ensure the information security management system can achieve its intended outcome(s);
b) prevent, or reduce, undesired effects; and
c) achieve continual improvement.
The organisation shall plan:
d) actions to address these risks and opportunities; and
e) how to
1) integrate and implement these actions into its information security management system processes; and
2) evaluate the effectiveness of these actions.
ISO 27001:2022 Clause 6.1.1 General
ISO 27001 Clause 6.1.2 Information Security Risk Assessment
The standard requires the organisation to define and apply an information security risk assessment process. That process must include the risk acceptance criteria and the criteria for performing assessments, and it must produce consistent, valid and comparable results when it is repeated.
This means clearly documenting your method, i.e. creating a risk assessment methodology; we have written more about how to do that elsewhere.
Organisations must use this process to identify risks to the confidentiality, integrity and availability (the CIA triad) of all information within the scope of the ISMS.
Most certification auditors will expect the methodology to cover more than likelihood and impact scales. They will also want to see how you resolve conflicts, for example when a treatment that reduces an availability risk increases a confidentiality risk, and how you rank risks against each other.
Each risk must be assigned to a named risk owner within the organisation. The owner assesses the consequences if the risk materialises and the realistic likelihood that it does, and from those determines the risk level.
Once assessed, each risk is compared with the risk criteria, prioritised for treatment and then managed according to the documented methodology.
The organisation shall define and apply an information security risk assessment process that:
a) establishes and maintains information security risk criteria that include:
1) the risk acceptance criteria; and
2) criteria for performing information security risk assessments;
b) ensures that repeated information security risk assessments produce consistent, valid and comparable results;
c) identifies the information security risks:
1) apply the information security risk assessment process to identify risks associated with the loss of confidentiality, integrity and availability for information within the scope of the information security management system; and
2) identify the risk owners;
d) analyses the information security risks:
1) assess the potential consequences that would result if the risks identified in 6.1.2 c) 1) were to materialise;
2) assess the realistic likelihood of the occurrence of the risks identified in 6.1.2 c) 1); and
3) determine the levels of risk;
e) evaluates the information security risks:
1) compare the results of risk analysis with the risk criteria established in 6.1.2 a); and
2) prioritise the analysed risks for risk treatment.
The organisation shall retain documented information about the information security risk assessment process.
ISO 27001:2022 Clause 6.1.2 Information Security Risk Assessment
ISO 27001 Clause 6.1.3 Information Security Risk Treatment
You need to choose appropriate treatment options based on the assessment results: modify the risk by applying controls (for example from Annex A), avoid it by stopping the activity that gives rise to it, share it with another party, or retain it. The standard notes that Annex A is a list of possible controls and is not exhaustive; you may need controls it does not list.
Smaller organisations often use only the Annex A controls, but controls may come from any source. If you are aligning with several frameworks, you can draw controls from, for example, NIST publications or the SOC 2 Trust Services Criteria.
If an independent auditor is certifying you against ISO 27001, it pays to map everything to Annex A, because that is the control set they know best.
If a customer requires a specific standard, such as the NHS Data Security and Protection Toolkit (DSPT) for health information in the UK, it makes sense to link your risk treatment to that standard too, so the customer can see that your controls meet their requirements as well.
Risk owners manage the treatment plans for their risks (or delegate the work) and ultimately decide whether the residual risk is acceptable. It does not always make sense to avoid, share or keep spending money on treating every risk.
You must produce a Statement of Applicability: a document listing the controls the organisation has determined are necessary, the justification for including each one, whether each is implemented, and the justification for excluding any Annex A control.
This is a sizeable task (much of which ISMS.online automates) that demonstrates the organisation has carefully considered every control area ISO 27001 lists.
The organisation shall define and apply an information security risk treatment process to:
a) select appropriate information security risk treatment options, taking account of the risk assessment results;
b) determine all controls that are necessary to implement the information security risk treatment option(s) chosen;
c) compare the controls determined in 6.1.3 b) above with those in Annex A and verify that no necessary controls have been omitted;
d) produce a Statement of Applicability that contains:
— the necessary controls;
— justification for their inclusion;
— whether the necessary controls are implemented or not; and
— the justification for excluding any of the Annex A controls.
e) formulate an information security risk treatment plan; and
f) obtain risk owners’ approval of the information security risk treatment plan and acceptance of the residual information security risks.
The organisation shall retain documented information about the information security risk treatment process.
ISO 27001:2022 Clause 6.1.3 Information Security Risk Treatment
Understanding the Statement of Applicability for ISO 27001
The Statement of Applicability (SoA) lists the controls you need, as described above, and explains why each was included or why others were left out. It is useful both for managing the ISMS internally and for sharing with interested parties: together with your risk treatment plan, your ISMS scope and your certificate (if you have one), it lets them see how their interests and concerns are addressed by your information security management system.
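As an added illustration of the 6.1.2 assessment steps and the 6.1.3 treatment and Statement of Applicability steps quoted above (this is example code written for this page, not the standard's text or any product's implementation), the following Python models a small risk register end to end. The likelihood and impact scales, the acceptance threshold of 6, the confidentiality-first tie-break, the risks, owners and the four-control Annex A subset are all assumptions made for the example; the standard prescribes none of them.

```python
"""Toy ISO 27001 6.1.2 / 6.1.3 walkthrough: risk register, evaluation against
acceptance criteria, treatment plan and Statement of Applicability (SoA).
Added example, not the standard's text: scales, threshold, risks and the
Annex A subset are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional

# Assumed ordinal scales. The standard prescribes none; 6.1.2 a) and b) require
# only that what you use is written down and applied the same way every time.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4}
IMPACT = {"minor": 1, "moderate": 2, "major": 3, "severe": 4}
ACCEPTANCE_THRESHOLD = 6  # assumed acceptance criterion on level = likelihood x impact
# Assumed tie-break for 6.1.2 e) 2): which property wins when two risks share a level.
CIA_PRIORITY = {"confidentiality": 0, "integrity": 1, "availability": 2}
# Small constructed subset of ISO 27001:2022 Annex A control titles.
ANNEX_A = {"A.8.5": "Secure authentication", "A.8.11": "Data masking",
           "A.8.13": "Information backup", "A.8.24": "Use of cryptography"}

def risk_level(likelihood: str, impact: str) -> int:
    """Values off the documented scales are rejected, so repeated assessments
    stay comparable instead of silently drifting."""
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError(f"not on the documented scales: {likelihood!r}/{impact!r}")
    return LIKELIHOOD[likelihood] * IMPACT[impact]

@dataclass
class Risk:
    rid: str
    asset: str
    prop: str        # confidentiality | integrity | availability
    owner: str       # named risk owner, 6.1.2 c) 2)
    likelihood: str
    impact: str
    treatment: str = "modify"         # modify | accept | avoid | share
    controls: tuple = ()              # control ids the treatment relies on
    residual: Optional[tuple] = None  # (likelihood, impact) after treatment

    def level(self) -> int:
        return risk_level(self.likelihood, self.impact)

    def residual_level(self) -> int:
        return self.level() if self.residual is None else risk_level(*self.residual)

def prioritise(risks: list) -> list:
    """6.1.2 e): highest level first, ties broken by the documented CIA order."""
    return sorted(risks, key=lambda r: (-r.level(), CIA_PRIORITY[r.prop], r.rid))

def treatment_plan(risks: list) -> list:
    """6.1.3 e), f): one row per risk whose level exceeds the acceptance criterion.
    A row can only be signed off when the owner can accept the residual level."""
    return [{"risk": r.rid, "owner": r.owner, "level": r.level(),
             "treatment": r.treatment, "controls": list(r.controls),
             "residual": r.residual_level(),
             "residual_acceptable": r.residual_level() <= ACCEPTANCE_THRESHOLD}
            for r in prioritise(risks) if r.level() > ACCEPTANCE_THRESHOLD]

def statement_of_applicability(risks: list, implemented: set, exclusions: dict,
                               other_catalogue: Optional[dict] = None) -> dict:
    """6.1.3 b)-d): a control is necessary if some treatment relies on it; each is
    justified by the risks it treats and marked implemented or not. Every Annex A
    control must then be either necessary or excluded with a written justification.
    Controls from other catalogues (NIST, SOC 2, ...) are fine if declared."""
    known = {**ANNEX_A, **(other_catalogue or {})}
    necessary = {}
    for r in risks:
        for cid in r.controls:
            if cid not in known:
                raise ValueError(f"{cid} is relied on but is in no control catalogue")
            entry = necessary.setdefault(cid, {"title": known[cid], "justification": [],
                                               "implemented": cid in implemented})
            entry["justification"].append(r.rid)
    clash = set(necessary) & set(exclusions)
    if clash:
        raise ValueError(f"excluded yet relied on by a treatment: {sorted(clash)}")
    missing = set(ANNEX_A) - set(necessary) - set(exclusions)
    if missing:
        raise ValueError(f"Annex A controls neither selected nor excluded: {sorted(missing)}")
    return {"necessary": necessary, "excluded": dict(exclusions)}

# Constructed register: two high risks on one asset that compete over which
# property to protect first, plus one low risk its owner can simply accept.
RISKS = [
    Risk("R1", "customer database", "confidentiality", "Head of Engineering",
         "possible", "severe", "modify", ("A.8.24", "A.8.5"), ("unlikely", "moderate")),
    Risk("R2", "customer database", "availability", "Head of Operations",
         "possible", "severe", "modify", ("A.8.13",), ("possible", "major")),
    Risk("R3", "internal wiki", "integrity", "IT Manager", "unlikely", "minor", "accept"),
]
IMPLEMENTED = {"A.8.24", "A.8.13"}
EXCLUSIONS = {"A.8.11": "no production data is copied into non-production systems in scope"}

if __name__ == "__main__":
    for row in treatment_plan(RISKS):
        print(row)  # R2's residual of 9 is above the threshold, so its owner cannot sign off
    soa = statement_of_applicability(RISKS, IMPLEMENTED, EXCLUSIONS)
    print(soa["necessary"])  # A.8.5 is necessary but not yet implemented
    print(soa["excluded"])
```

Two things are worth noticing. The tie-break rule is one answer to the auditor's conflict question under 6.1.2: with two level-12 risks on the same database, the documented CIA order decides which is treated first rather than leaving it to whoever fills in the register. And the SoA builder refuses to produce a document while an Annex A control is neither selected nor justified as excluded, which is the 6.1.3 c) omission check turned into code; in the sample data R2's residual level stays above the threshold, so its owner cannot yet accept it and the plan row says so.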
How to Achieve Clause 6.1
Planning how you will identify, assess and treat risks to meet these requirements usually takes a significant share of the time spent setting up an ISMS. You need a clear, repeatable way to assess risks and a record for each one of how it was assessed and how it is being treated.
Those records should also show that risks are reviewed regularly and hold evidence of the treatment actions taken. That evidence includes which Annex A controls you have implemented as part of the plan, and it feeds directly into creating and maintaining your Statement of Applicability.