ISO 27001 Clause 6.1.1 Planning General

ISO 27001 Clause 6.1 Actions to address risks and opportunities

ISO 27001 Clause 6.1.1 is about planning a system to keep information safe. It is part of the larger ISO 27001 standard. This clause requires you to identify, and plan for, the risks and opportunities that could affect your company’s data.

What is ISO 27001 Clause 6.1.1 Planning General?

The latest version of the ISO 27001 standard is ISO/IEC 27001:2022 (published in October 2022).

In the ISO/IEC 27001:2022 standard the clause is titled “Planning”.

What is the ISO 27001 Clause 6.1.1 control objective?

The formal definition and control objective in the standard is: “When planning for the information security management system, the organisation shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to:
a) ensure the information security management system can achieve its intended outcome(s);
b) prevent, or reduce, undesired effects; and
c) achieve continual improvement.
The organisation shall plan:
d) actions to address these risks and opportunities; and
e) how to
1) integrate and implement these actions into its information security management system processes; and
2) evaluate the effectiveness of these actions.”

What is the purpose of ISO 27001 Clause 6.1.1?

The purpose of ISO 27001 Clause 6.1.1 is “To evidence that when you planned your information security management system that you took into account the issues in ISO 27001 Clause 4.1 Understanding the organisation and its context and the requirements that you identified in ISO 27001 Clause 4.2 Understanding the needs and expectations of interested parties.”

Is ISO 27001 Clause 6.1.1 Mandatory?

ISO 27001 Clause 6.1.1 (Planning General in the 2022 standard) is a mandatory clause in the main body of the standard.

What is the Goal?

The main goals of this clause are to:

  • Make sure your security system works as it should.
  • Prevent or lessen bad things that could happen.
  • Help you keep getting better at security.

Key Parts of the Rule

To follow this rule, you should have clear plans and policies.

Planning Your Security System

You need to show clearly how you planned your information security management system (ISMS).

First, you must prove that you considered two key things from the ISO 27001 standard:

  • Understanding your organisation: You took into account the issues from Clause 4.1, which is about understanding your organisation and its environment.
  • Understanding people’s needs: You thought about the needs and expectations you found in Clause 4.2, which relate to the people or groups interested in your security.

Finding Risks and Opportunities

Next, you will work out the risks (bad things that could happen) and opportunities (good things you can take advantage of) that relate to these points:

  • Your security system can achieve the results you want.
  • You can stop or lessen unwanted problems.
  • You can keep making improvements over time.

Taking Action

Finally, you are going to plan, write down, and show proof of three main actions:

  • The steps you will take to handle these risks and opportunities.
  • How you will add and carry out these steps within your existing security system processes.
  • How you will check if those steps actually worked.

Frequently Asked Questions

How do you check a risk?

A risk is assessed by looking at how likely it is to happen and how bad the effect would be if it did. A chart that plots likelihood against impact, often called a risk matrix, can help with this.

What are the ways to handle a risk?

You can handle a risk in a few ways:

  • Avoid the risk.
  • Let someone else deal with the risk.
  • Make the risk less likely to happen.
  • Make the effects of the risk less severe.

How do you check if your plan is working?

You should regularly check your plan. This helps you know if you are managing risks well. You can look at the results of your checks and find new risks that may have come up.

What are the good things about a good risk plan?

A good risk plan helps you in many ways. It improves your security, lowers the chance of data problems, and can save you money. It also helps you follow rules and do your work better.

You can learn more about risk planning and ISO 27001 by watching this video: ISO 27001 Planning General Explained.