Actions to Address Risks & Opportunities for ISO 27001 Requirement 6.1

What does ISO 27001 Clause 6.1 cover?

Section 6 of the ISO 27001 requirements covers Planning and, just like any important business decision, the devil is in the detail. Mapping out plans for how you will handle risk under ISO 27001 is essential for a successful information security management system. The requirements in 6.1 specifically cover the planning of actions to address risks and opportunities.

Clause 6.1.1 – General

At this point, you should be looking back to your earlier work in sections 4 and 5 – in particular, 4.1, 4.2, 4.3 and section 5 of ISO 27001. This will help you determine the risks and opportunities that need to be addressed in order to:

  • ensure the information security management system can achieve the intended outcomes
  • ‘prevent, or reduce the undesired effects’
  • ‘achieve continual improvement’.


The organisation must have plans in place that cover the actions it will take to identify, assess and treat these risks and opportunities and how it will integrate and implement those actions into its information security management system processes. This should include how they will evaluate the effectiveness of these actions. 

Clause 6.1.2 – Information security risk assessment

The ISO 27001 standard requires an organisation to establish and maintain information security risk assessment processes that include the risk acceptance and assessment criteria. It also stipulates that any assessments should be consistent, valid and produce ‘comparable results.’

Organisations must apply the assessment processes to identify risks associated with the confidentiality, integrity, and availability (CIA) of the information assets that fall within the defined scope of the ISMS.

Risks should be assigned to risk owners within the organisation, who will determine the level of risk by assessing the potential consequences should the risk materialise, together with the ‘realistic likelihood of the occurrence of the risk’.

To evaluate the risk, one must compare the results of the risk analysis with the risk criteria already established as part of 6.1.2.

Finally, the risk must be prioritised for risk treatment, and documented information about the information security risk assessment process must be retained.

Clause 6.1.3 – Information security risk treatment

The standard requires that you ‘define and apply an information security risk treatment process’.

You are expected to select appropriate risk treatment options based on the risk assessment results. You will also determine the controls necessary for the implementation of those treatments.

Typically the Annex A controls are used, although it is acceptable to design or identify the controls from any source. In that way, if you are managing multiple security standards, you could apply controls from other standards such as NIST or SOC 2.

Compare those controls with Annex A to ensure you haven’t missed any controls that might be necessary. The standard notes that Annex A also includes the control objectives but that the controls listed are ‘not exhaustive’ and additional controls may be needed.

The assigned risk owners must approve the treatment plan and accept any residual information security risks.

It is necessary to produce a Statement of Applicability that contains the controls the organisation has deemed necessary together with the justification for inclusions, whether they are implemented or not, and the justification for exclusions of controls from Annex A.

Understanding the Statement of Applicability

The Statement of Applicability contains the necessary controls as mentioned above and the justification for their inclusion or exclusion. But the purpose of the Statement is to create a document that you can give to your interested parties, to give them a better understanding of your information security management system.

How to manage the requirements of Clause 6.1

Typically, planning how you will identify, evaluate and treat risks, to meet the requirements above, is one of the more time-consuming elements of implementing your ISMS. It requires an organisation to define a methodology for the consistent evaluation of risk and maintain clear records of each risk, its assessment and treatment plan. Furthermore, the records should demonstrate regular reviews over time, and evidence of the treatment that has taken place. This will include which of the Annex A controls you have put in place as part of that treatment and will feed into the creation (and maintenance) of the Statement of Applicability.

It is little wonder that old-fashioned spreadsheet approaches can be complex and difficult to maintain.

It is one of the reasons why organisations now look to software solutions to manage this process. In we include a risk management policy, methodology, and a pre-configured information security risk management tool. More than that, we include a bank of common risks that can be drawn down, together with the suggested Annex A controls, saving you weeks of work. Joining this up in one integrated solution to help you achieve, maintain and improve your entire ISMS makes perfect sense. After all, why waste time trying to build it yourself when there is already a purpose-built solution?
