Actions to Address Risks & Opportunities for ISO 27001 Requirement 6.1
What does ISO 27001 Section 6.1 cover?
Section 6 of the ISO 27001 requirements covers Planning and, just like any important business decision, the devil is in the detail. Mapping out plans for how you will handle risk under ISO 27001 is essential for a successful information security management system. The requirements in 6.1 specifically cover the planning of actions to address risks and opportunities.
Section 6.1.1 – General
At this point, you should be looking back to your earlier work in sections 4 and 5 – in particular, 4.1, 4.2, 4.3 and section 5 of ISO 27001. This will help you determine the risks and opportunities that need to be addressed in order to:
- ensure the information security management system can achieve the intended outcomes
- ‘prevent, or reduce the undesired effects’
- ‘achieve continual improvement’.
The organisation must have plans in place that cover the actions it will take to identify, assess and treat these risks and opportunities, and how it will integrate and implement those actions into its information security management system processes. This should include how it will evaluate the effectiveness of these actions.
Section 6.1.2 – Information security risk assessment
The ISO 27001 standard requires an organisation to establish and maintain information security risk assessment processes that include the risk acceptance and assessment criteria. It also stipulates that any assessments should be consistent, valid and produce ‘comparable results.’
Organisations must apply the assessment processes to identify risks associated with the confidentiality, integrity, and availability (CIA) of the information assets that fall within the defined scope of the ISMS.
Risks should be assigned to risk owners within the organisation, who will assess the potential consequences should the risk materialise, together with the ‘realistic likelihood of the occurrence of the risk’, and from these determine the level of risk.
To evaluate the risk, one must compare the results of the risk analysis with the risk criteria already established as part of 6.1.2.
Finally, the risks must be prioritised for risk treatment, and documented information about the information security risk assessment process must be retained.
Section 6.1.3 – Information security risk treatment
The standard requires that you ‘define and apply an information security risk treatment process’.
You are expected to select appropriate risk treatment options based on the risk assessment results. You will also determine the controls necessary for the implementation of those treatments.
Typically the Annex A controls are used, although it is acceptable to design or identify the controls from any source. This means that, when managing multiple security standards, you could apply controls from other frameworks such as NIST or SOC 2.
Compare those controls with Annex A to ensure you haven’t missed any controls that might be necessary. The standard notes that Annex A also includes the control objectives but that the controls listed are ‘not exhaustive’ and additional controls may be needed.
The assigned risk owners must approve the treatment plan and accept any residual information security risks.
It is necessary to produce a Statement of Applicability that contains the controls the organisation has deemed necessary, together with the justification for their inclusion, whether they are implemented or not, and the justification for excluding any controls from Annex A.
Understanding the Statement of Applicability
The Statement of Applicability contains the necessary controls as mentioned above and the justification for their inclusion or exclusion. But the purpose of the Statement is to create a document that you can give to your interested parties, to give them a better understanding of your information security management system.
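As an added illustration (not part of this page, and not ISMS.online's own tool), the following Python sketch walks through the 6.1.2 and 6.1.3 steps described above: a single scoring rule so that every risk is assessed the same way and results are comparable, evaluation against a risk acceptance criterion, prioritisation for treatment, checks on the owner's treatment decision and residual-risk acceptance, and derivation of a Statement of Applicability from the controls the register actually relies on. The 1-5 scales, the acceptance threshold of 6, the three sample risks and the five-control Annex A catalogue are all assumptions constructed for this example; a real SoA covers every Annex A control and states specific reasons for each exclusion.

```python
"""Risk register walkthrough for ISO 27001 clauses 6.1.2 and 6.1.3 (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Assumed methodology (not from the page): consequence and likelihood are each
# scored 1-5, level = consequence x likelihood, and a level of 6 or below is
# acceptable. Using one rule for every risk is what makes results comparable.
SCALE = range(1, 6)
ACCEPTANCE_THRESHOLD = 6
TREATMENT_OPTIONS = {"modify", "retain", "avoid", "share"}

# Constructed sample catalogue: a handful of ISO 27001:2013 Annex A controls,
# titles abbreviated. A real Statement of Applicability lists every control.
ANNEX_A: Dict[str, str] = {
    "A.9.2.3": "Management of privileged access rights",
    "A.10.1.1": "Policy on the use of cryptographic controls",
    "A.11.1.1": "Physical security perimeter",
    "A.12.3.1": "Information backup",
    "A.13.1.1": "Network controls",
}


def risk_level(consequence: int, likelihood: int) -> int:
    """Consistent scoring rule; rejects values off the agreed scale."""
    if consequence not in SCALE or likelihood not in SCALE:
        raise ValueError("consequence and likelihood must be on the 1-5 scale")
    return consequence * likelihood


def evaluate(level: int) -> str:
    """Compares an analysed level with the acceptance criterion (6.1.2 e)."""
    return "acceptable" if level <= ACCEPTANCE_THRESHOLD else "requires treatment"


@dataclass
class Risk:
    risk_id: str
    asset: str
    cia: str                  # which of C, I or A the risk affects
    description: str
    owner: str                # assigned risk owner
    consequence: int
    likelihood: int
    treatment: str = "retain"
    controls: List[str] = field(default_factory=list)  # Annex A ids chosen
    residual: Optional[int] = None  # owner's estimate of the level after treatment
    owner_approved: bool = False    # plan approved and residual risk accepted

    def level(self) -> int:
        return risk_level(self.consequence, self.likelihood)


def prioritise(risks: List[Risk]) -> List[str]:
    """Orders risks for treatment, highest level first (ties broken by id)."""
    return [r.risk_id for r in sorted(risks, key=lambda r: (-r.level(), r.risk_id))]


def treatment_findings(risk: Risk) -> List[str]:
    """Checks one owner's treatment decision against the 6.1.3 expectations."""
    findings = []
    if risk.treatment not in TREATMENT_OPTIONS:
        findings.append(f"{risk.risk_id}: unknown treatment option '{risk.treatment}'")
    unknown = [c for c in risk.controls if c not in ANNEX_A]
    if unknown:
        findings.append(f"{risk.risk_id}: controls not in catalogue: {unknown}")
    if evaluate(risk.level()) != "acceptable" and risk.treatment == "modify" and not risk.controls:
        findings.append(f"{risk.risk_id}: 'modify' chosen but no controls selected")
    if risk.treatment != "avoid" and risk.residual is None:
        findings.append(f"{risk.risk_id}: residual risk level not recorded")
    if not risk.owner_approved:
        findings.append(f"{risk.risk_id}: treatment plan and residual risk not yet approved by {risk.owner}")
    return findings


def statement_of_applicability(risks: List[Risk], implemented: Set[str]) -> Dict[str, dict]:
    """Derives the SoA: each catalogue control, applicable or not, with a justification."""
    used_by: Dict[str, List[str]] = {cid: [] for cid in ANNEX_A}
    for r in risks:
        for cid in r.controls:
            if cid in used_by:
                used_by[cid].append(r.risk_id)
    soa = {}
    for cid, title in ANNEX_A.items():
        if used_by[cid]:
            soa[cid] = {"title": title, "applicable": True, "implemented": cid in implemented,
                        "justification": "treats " + ", ".join(sorted(used_by[cid]))}
        else:
            # Placeholder wording: a real exclusion gives the specific reason.
            soa[cid] = {"title": title, "applicable": False, "implemented": False,
                        "justification": "no assessed risk requires this control"}
    return soa


# Constructed sample register (not real findings from any organisation).
SAMPLE_RISKS = [
    Risk("R1", "customer database", "C", "privileged DB accounts shared between admins",
         "Head of IT", consequence=5, likelihood=3, treatment="modify",
         controls=["A.9.2.3"], residual=5, owner_approved=True),
    Risk("R2", "customer database", "A", "nightly backups never test-restored",
         "Head of IT", consequence=4, likelihood=2, treatment="modify",
         controls=["A.12.3.1"], residual=4, owner_approved=False),
    Risk("R3", "office wiki", "I", "any staff member can edit pages unreviewed",
         "Ops Manager", consequence=2, likelihood=3, treatment="retain",
         residual=6, owner_approved=True),
]
IMPLEMENTED = {"A.9.2.3"}  # constructed: controls already in place

if __name__ == "__main__":
    for rid in prioritise(SAMPLE_RISKS):
        r = next(x for x in SAMPLE_RISKS if x.risk_id == rid)
        print(rid, r.level(), evaluate(r.level()), treatment_findings(r))
    for cid, row in statement_of_applicability(SAMPLE_RISKS, IMPLEMENTED).items():
        print(cid, row)
```

Run as a script it lists the register in treatment priority order with any open findings, then the derived SoA rows. The one finding it raises for the sample data, R2's plan still awaiting the owner's approval, is exactly the kind of record an auditor will ask to see alongside the register.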
How to manage the requirements of Section 6.1
Typically, planning how you will identify, evaluate and treat risks, to meet the requirements above, is one of the more time-consuming elements of implementing your ISMS. It requires an organisation to define a methodology for the consistent evaluation of risk and to maintain clear records of each risk, its assessment and its treatment plan. Furthermore, the records should demonstrate regular reviews over time, and evidence of the treatment that has taken place. This will include which of the Annex A controls you have put in place as part of that treatment and will feed into the creation (and maintenance) of the Statement of Applicability.
It is little wonder that old-fashioned spreadsheet approaches can be complex and difficult to maintain.
It is one of the reasons why organisations now look to software solutions to manage this process. In ISMS.online we include a risk management policy, methodology, and a pre-configured information security risk management tool. More than that, we include a bank of common risks that can be drawn down, together with the suggested Annex A controls, saving you weeks of work. Joining this up in one integrated solution to help you achieve, maintain and improve your entire ISMS makes perfect sense. After all, why waste time trying to build it yourself when there is already a purpose-built solution?
The ISO 27001 requirements are listed below:
- 4.1 Understanding the organisation and its context
- 4.2 Understanding the needs and expectations of interested parties
- 4.3 Determining the scope of the information security management system
- 4.4 Information security management system
- 5.1 Leadership and commitment
- 5.2 Information Security Policy
- 5.3 Organizational roles, responsibilities and authorities
- 6.1 Actions to address risks and opportunities
- 6.2 Information security objectives and planning to achieve them
- 7.1 Resources
- 7.2 Competence
- 7.3 Awareness
- 7.4 Communication
- 7.5 Documented information
- 8.1 Operational planning and control
- 8.2 Information security risk assessment
- 8.3 Information security risk treatment
- 9.1 Monitoring, measurement, analysis and evaluation
- 9.2 Internal audit
- 9.3 Management review
- 10.1 Nonconformity and corrective action
- 10.2 Continual improvement
The ISO 27001 Annex A Controls are listed below:
- A.5 Information security policies
- A.6 Organisation of information security
- A.7 Human resource security
- A.8 Asset management
- A.9 Access control
- A.10 Cryptography
- A.11 Physical and environmental security
- A.12 Operations security
- A.13 Communications security
- A.14 System acquisition, development and maintenance
- A.15 Supplier relationships
- A.16 Information security incident management
- A.17 Information security aspects of business continuity management
- A.18 Compliance