
ISO 27001 Clause 6: Planning and Its Role in Information Security Management Systems


Clause 6 of ISO 27001 focuses on defining how you will direct your efforts toward information security within your organisation. It sets the stage for effective planning in your Information Security Management System (ISMS) by helping you prioritise your activities and establish information security objectives.




It’s important to remember that you can’t tackle everything at once. Therefore, you must decide:


  • Where will your attention be focused?

  • Which risks pose the greatest threat?

  • What are the key objectives for the upcoming year?

  • How will you manage necessary changes within the ISMS?




Introduction to Clause 6 of ISO 27001


Clause 6 of the ISO 27001 standard is a cornerstone of the Information Security Management System (ISMS). Its primary purpose is to ensure that organizations establish a robust framework for managing information security risks and opportunities.


By implementing the requirements of Clause 6, organizations can systematically identify, assess, and treat information security risks, thereby reducing the likelihood of security breaches and protecting their valuable assets.


The benefits of Clause 6 are manifold:


  • Improved Risk Management - By identifying and addressing risks, organizations can significantly reduce the likelihood of security breaches and minimize their impact. This proactive approach to risk management ensures that potential threats are mitigated before they can cause harm.


  • Enhanced Information Security - Clause 6 helps organizations establish a comprehensive framework for managing information security risks. This ensures the confidentiality, integrity, and availability of their information assets, which is crucial for maintaining trust and compliance.


  • Continual Improvement - The risk management process outlined in Clause 6 encourages organizations to continually review and improve their ISMS. This ongoing process of evaluation and enhancement helps organizations stay ahead of emerging threats and adapt to changing security landscapes.


By focusing on these key areas, Clause 6 plays a vital role in strengthening an organization’s overall information security posture.


Overview of Clause 6 Requirements


Clause 6 contains three key sections, each addressing specific aspects of risk management and planning:


  • 6.1 Actions to Address Risks & Opportunities

    • 6.1.1 General

    • 6.1.2 Information Security Risk Assessment

    • 6.1.3 Information Security Risk Treatment

  • 6.2 Information Security Objectives & Planning to Achieve Them

  • 6.3 Planning of Changes


6.1 Actions to Address Risks and Opportunities in Your ISMS


This section sets the foundation for managing both risks and opportunities within your ISMS.


It acts as a parent clause, linking to more specific guidance in sub-clauses 6.1.1 through 6.1.3.


6.1.1 General: The Framework for Risk Management


The general requirement of this clause is to establish a risk management process. It calls for an articulated framework to identify, evaluate, and address risks.


A robust risk management framework will include a Risk Methodology and procedures for maintaining an information security risk register. This log tracks risks, their assessment, and their treatment plans.



Requirement Summary

  • Consider both internal and external factors (Clause 4.1) and interested party requirements (Clause 4.2) during your planning process.

  • Identify risks and opportunities that could affect your ISMS’s performance. This includes:

    • Ensuring your ISMS achieves the intended results.

    • Preventing or reducing unwanted outcomes.

    • Supporting continual improvement.

    • Employing a systematic process to identify risks: understanding the context and recognising the assets, threats, and vulnerabilities involved.

  • Plan actions to address these risks and opportunities, integrate them into your ISMS processes, and evaluate their effectiveness.


What Auditors Are Looking For

  • A documented risk management process that includes identifying, assessing, and treating risks.

  • Evidence that risks and opportunities were considered during the planning stages of the ISMS.

  • Records of the actions taken and an evaluation of their effectiveness.


Key Implementation Steps

  1. Identify and document risks and opportunities.

  2. Develop and document risk treatment plans.

  3. Integrate risk treatment actions into ISMS processes.

  4. Implement the treatment plans.

  5. Monitor and review the effectiveness of the actions taken.


6.1.2 Information Security Risk Assessment: Defining the Risk Scoring Process


In this sub-clause, ISO 27001 requires you to establish how risks will be assessed and prioritised.


Not all risks can be handled at once, so a clear process must be in place for evaluating and ranking them according to severity and likelihood.


Requirement Summary

  • Develop and implement a risk assessment process that:

    • Establishes criteria for risk acceptance.

    • Ensures consistent and comparable risk assessments.

    • Identifies risks to the confidentiality, integrity, and availability of information.

    • Prioritises risks for treatment based on analysis.



What Auditors Are Looking For

  • A documented risk assessment methodology.

  • Records of risks identified and analysed.

  • Documentation of risk evaluation and prioritisation.


Key Implementation Steps

  1. Define your risk assessment criteria, including acceptance thresholds.

  2. Conduct assessments to identify potential risks.

  3. Analyse these risks in terms of impact and likelihood.

  4. Evaluate and prioritise risks for treatment.

  5. Document the results and process of the risk assessment.


6.1.3 Information Security Risk Treatment: Deciding How to Handle Risks


Once you’ve assessed your risks, you must develop treatment plans. These plans could involve mitigating, transferring, avoiding, or accepting each risk. The treatment option chosen should be appropriate to the risk and aligned with the organisation’s risk appetite.



ISO 27001 divides its guidance into clauses and controls. The controls are listed in Annex A, which contains 93 controls. Your organisation must address each control or justify why it’s not applicable.


A key document in this process is the Statement of Applicability (SoA). This document:

  • Lists all controls from Annex A.

  • Justifies the inclusion or exclusion of each control.

  • Indicates whether each control is implemented.


Statement of Applicability

The Statement of Applicability (SoA) is a critical document that outlines the controls implemented by an organization to manage information security risks. It serves as a comprehensive reference for the controls selected from Annex A of the ISO 27001 standard and provides justification for their inclusion or exclusion.



The SoA should include:


  • List of Controls: A detailed list of all controls implemented to address identified risks.

  • Justification for Inclusion or Exclusion: A rationale for why each control was included or excluded, based on the organization’s risk assessment and treatment plan.

  • Statement of Applicability: A declaration of the applicability of each control, ensuring that all relevant risks are adequately addressed.



The SoA should be reviewed and updated regularly to ensure it remains relevant and effective. It should also be communicated to all relevant stakeholders to maintain transparency and accountability in the organization’s information security practices.


Requirement Summary

  • Apply a risk treatment process to select appropriate controls.

  • Implement these controls to manage identified risks.

  • Document decisions on risk treatment and retain records.

  • Compare the selected controls with those in Annex A, documenting your justification for inclusion or exclusion in the SoA.


What Auditors Are Looking For

  • Documented risk treatment plans and decisions.

  • Evidence of implemented controls to mitigate risks.

  • Records showing the acceptance of residual information security risks by management.

  • A detailed and justified Statement of Applicability.


Key Implementation Steps

  1. Select an appropriate treatment option (avoid, transfer, mitigate, or accept) for each assessed risk.

  2. Compare the chosen controls with Annex A.

  3. Develop detailed risk treatment plans with specific controls.

  4. Document all decisions on risk treatment.

  5. Maintain and update the Statement of Applicability.

  6. Implement the selected controls and monitor their effectiveness.
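The scoring, prioritisation and treatment-record checks described under 6.1.2 and 6.1.3, as an added example that is not part of the original article or any ISO text. The 1-5 rating scale, the product score, the acceptance threshold of 6 and the register entries are all assumed, illustrative choices; your own risk methodology defines the real criteria.

```python
from dataclasses import dataclass

# Constructed scoring criteria (assumed, not prescribed by the standard): likelihood and impact
# are rated 1 (low) to 5 (high), the score is their product, and score <= threshold is acceptable.
ACCEPTANCE_THRESHOLD = 6

@dataclass
class Risk:
    ref: str
    likelihood: int
    impact: int
    treatment: str = ""            # avoid, transfer, mitigate or accept, once decided
    residual_likelihood: int = 0   # expected ratings after the treatment is applied
    residual_impact: int = 0
    accepted_by: str = ""          # management sign-off for the residual risk

def score(likelihood: int, impact: int) -> int:
    """Consistent, comparable score: the same ratings always give the same result."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("ratings must be on the 1-5 scale")
    return likelihood * impact

def prioritise(register: list[Risk]) -> list[Risk]:
    """Rank risks for treatment, highest score first (6.1.2 evaluation step)."""
    return sorted(register, key=lambda r: score(r.likelihood, r.impact), reverse=True)

def treatment_findings(register: list[Risk]) -> list[str]:
    """Gaps an auditor would raise against the treatment records (6.1.3)."""
    findings = []
    for r in register:
        inherent = score(r.likelihood, r.impact)
        if inherent > ACCEPTANCE_THRESHOLD and not r.treatment:
            findings.append(f"{r.ref}: score {inherent} exceeds threshold but no treatment decision")
        elif r.treatment in ("mitigate", "transfer"):
            residual = score(r.residual_likelihood, r.residual_impact)
            if residual > ACCEPTANCE_THRESHOLD and not r.accepted_by:
                findings.append(f"{r.ref}: residual score {residual} above threshold, not accepted")
        elif r.treatment == "accept" and inherent > ACCEPTANCE_THRESHOLD and not r.accepted_by:
            findings.append(f"{r.ref}: accepted above threshold without management sign-off")
    return findings

# Constructed sample register (illustrative values only).
REGISTER = [
    Risk("R1", 4, 5, "mitigate", 2, 5),              # residual 10: still needs sign-off
    Risk("R2", 3, 4, "mitigate", 3, 1),              # residual 3: within acceptance criterion
    Risk("R3", 2, 3),                                # score 6: acceptable, no treatment required
    Risk("R4", 5, 5),                                # score 25: treatment decision missing
    Risk("R5", 3, 3, "accept", accepted_by="CISO"),  # accepted above threshold with sign-off
]
```

Running `treatment_findings(REGISTER)` reports R1 and R4, which is the kind of evidence gap the auditor checklist above is looking for.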


6.2 Information Security Objectives & Planning to Achieve Them


The ISMS must clearly define its information security objectives. These objectives should be measurable and aligned with your information security policy.


Additionally, they should outline what you plan to achieve over a set period and what resources will be required to meet these goals.


Think of it as an annual project plan for your organisation’s information security efforts.



Requirement Summary

  • Establish measurable objectives aligned with the information security policy.

  • Ensure these objectives are communicated, monitored, and updated as necessary.

  • Plan how to achieve these objectives, detailing what actions will be taken, resources required, responsibilities, deadlines, and evaluation methods.


What Auditors Are Looking For

  • Documented information security objectives.

  • Evidence that these objectives are aligned with the ISMS policy.

  • Records of actions taken to meet the objectives and their effectiveness.


Key Implementation Steps

  1. Define clear objectives that align with your organisation’s security goals.

  2. Ensure objectives are measurable and achievable.

  3. Communicate the objectives to all relevant stakeholders.

  4. Develop a plan to achieve these objectives, outlining actions, resources, and deadlines.

  5. Monitor progress and update objectives as needed.


Setting information security objectives is a critical component of the ISMS. These objectives should be specific, measurable, achievable, relevant, and time-bound (SMART) to ensure they are effective and aligned with the organization’s overall business goals.


When setting information security objectives, organizations should consider the following factors:


  • Risk Appetite: Understand the level of risk the organization is willing to accept in pursuit of its objectives.

  • Risk Tolerance: Determine the degree of variability in risk that the organization can withstand.

  • Business Objectives: Align information security objectives with the broader business goals to ensure they support the organization’s mission and vision.

  • Information Security Policy: Ensure that the objectives are consistent with the organization’s information security policy and regulatory requirements.


Information security objectives should be documented and communicated to all relevant stakeholders. Regular reviews and updates are essential to ensure that the objectives remain relevant and effective in the face of evolving threats and business needs.


6.3 Planning of Changes in the Information Security Management System


Clause 6.3 focuses on how changes within your ISMS should be managed. It mandates that changes are planned and carried out in a controlled and systematic manner.


Change management is a critical component of the ISMS, ensuring that changes to policies, procedures, and controls are managed systematically and effectively. This process involves identifying, assessing, and implementing changes to maintain the integrity and effectiveness of the ISMS.



Requirement Summary

  • Determine when changes to the ISMS are needed.

  • Plan these changes in a structured way.

  • Ensure the integrity of the ISMS is maintained both during and after changes are implemented.


What Auditors Are Looking For

  • Documentation detailing planned changes and their rationale.

  • Evidence that potential consequences of changes have been considered.

  • Records showing that changes were implemented in a controlled manner.


Key Implementation Steps

  1. Identify and document the need for changes in the ISMS.

  2. Assess the potential impacts and consequences of proposed changes.

  3. Develop a change management plan with appropriate controls.

  4. Obtain approval from relevant stakeholders before implementing changes.

  5. Implement the changes in a controlled manner.

  6. Monitor the effectiveness of the changes and review the results.


When implementing changes to the ISMS, organizations should consider the following:


  • Impact Assessment: Evaluate the potential impact of changes on the ISMS to ensure they do not introduce new risks or vulnerabilities.

  • Risk Management: Assess the risks associated with the changes and develop strategies to mitigate them.

  • Training and Awareness: Ensure that all relevant stakeholders are informed and trained on the changes to maintain compliance and effectiveness.

  • Testing and Validation: Conduct thorough testing and validation of changes to ensure they function as intended and do not compromise the ISMS.


Changes to the ISMS should be documented and communicated to all relevant stakeholders. Regular reviews and updates are necessary to ensure that the changes remain effective and aligned with the organization’s information security objectives.




About the author

Alan Parker is an IT consultant and project manager who specialises in IT governance, process implementation, and project delivery. With over 30 years of experience in the industry, Alan believes that simplifying complex challenges and avoiding pitfalls are key to successful IT management. He has led various IT teams and projects across multiple organisations, continually honing his expertise in ITIL and PRINCE2 methodologies. Alan holds a degree in Information Systems and has been recognised for his ability to deliver reliable and effective IT solutions. He lives in Berkshire, UK, with his family.
