ISO 27001:2022 Clause 6: Planning

The Definitive Governance Requirement.

Clause 6 mandates that you build the engine of your ISMS. While Clause 4 defines the terrain and Clause 5 defines the captain, Clause 6 defines the mission. It requires you to systematically identify risks and define the objectives that will drive your security strategy forward.

The Mandate

You cannot defend against threats you have not acknowledged. Clause 6 is the pivot point where “Context” transforms into “Action.” It is not a suggestion; it is the mathematical core of the standard.

It consists of three non-negotiable statutes:

  1. Clause 6.1 (Actions to address risks and opportunities): You must define a methodology, assess your risks (6.1.2), and formulate a treatment plan (6.1.3). The treatment plan, in turn, generates your Statement of Applicability (SoA).
  2. Clause 6.2 (Information Security Objectives): You must set measurable goals. “Being secure” is not a goal; it is a sentiment. “Reduce phishing clicks by 10%” is an objective.
  3. Clause 6.3 (Planning of Changes): When the ISMS changes, it must be planned. You cannot “wing it.”

The Verdict: If you are implementing controls from Annex A without first linking them to a specific risk in Clause 6, you are not compliant. You are just guessing.

The Implementation Strategy

This is where the amateur is separated from the professional. You must build a cohesive narrative.

  1. The Risk Methodology (The Logic): Before you assess a single asset, define your rules. What is “High Risk”? What is “Acceptable”? If your math is inconsistent, your entire system is void.
  2. The Risk Assessment (The Diagnosis): Identify the threats. Analyze the impact. Evaluate the likelihood. This generates your “Risk Register.”
  3. The Risk Treatment (The Cure): Decide to Treat, Tolerate, Terminate, or Transfer. This generates your “Risk Treatment Plan.”
  4. The Objectives (The Target): Set SMART goals (Specific, Measurable, Achievable, Relevant, Time-bound) that align with the risks you just identified.

The Auditor’s Trap

[The Auditor’s View] The most common Major Non-Conformance here is “The Static Wishlist.” I often see Security Objectives that were written three years ago and never updated, or Risk Assessments that don’t match the reality of the business. If your Objective is “Implement MFA” but you did that in 2021, you have no current objectives. You are stagnant.

Required Evidence

Clause 6 generates the most critical documents in the audit file.

  • Risk Assessment Methodology: The rulebook.
  • Risk Register: The database of threats.
  • Risk Treatment Plan (RTP): The project plan for remediation.
  • Statement of Applicability (SoA): The definitive list of controls.
  • Information Security Objectives Plan: A document tracking the status of your goals.

Strategic Acceleration

Building a Risk Methodology that satisfies ISO 27001 without paralyzing the business is a delicate balance. If you make it too complex, you will never finish it.

The Hightable™ Risk & Planning Framework provides the pre-calibrated methodologies and objective trackers. It ensures your planning phase is robust, defensible, and audit-ready.

The Next Move: Deploy the Planning Framework