What does Clause 6 require?
Clause 6 is the core planning clause for your Privacy Information Management System (PIMS). It defines how you identify risks and opportunities, assess and treat privacy risks, set measurable objectives and manage changes. This clause connects the contextual understanding from Clause 4 to the operational activities in Clause 8.
6.1 Actions to address risks and opportunities
6.1.1 General
When planning for the PIMS, the organisation shall consider the issues from Clause 4.1 and the requirements from Clause 4.2, and determine the risks and opportunities that need to be addressed to:
- Ensure the PIMS can achieve its intended outcomes
- Prevent, or reduce, undesired effects
- Achieve continual improvement
The organisation must plan actions to address these risks and opportunities, how to integrate and implement the actions into PIMS processes, and how to evaluate the effectiveness of these actions.
6.1.2 Privacy risk assessment
The organisation shall define and apply a privacy risk assessment process that:
- Establishes risk criteria — Including risk acceptance criteria and criteria for performing privacy risk assessments
- Ensures consistency — Repeated assessments produce consistent, valid and comparable results
- Identifies risks — Applies the process to identify risks associated with the protection of privacy and information security within the scope of the PIMS, and identifies the risk owners
- Analyses risks — Assesses the potential consequences and realistic likelihood of the identified risks, and determines the levels of risk
- Evaluates risks — Compares results against the established criteria and prioritises risks for treatment
The risk assessment process must be documented and its results retained as documented information.
6.1.3 Privacy risk treatment
The organisation shall define and apply a privacy risk treatment process to:
- Select appropriate risk treatment options, taking account of the risk assessment results
- Determine all controls necessary to implement the chosen risk treatment options
- Identify and document the information security programme implemented by the organisation, including appropriate security controls addressing (at minimum): information security risk management, policies, organisation of information security, human resources security, asset management, access control, operations security, network security management, development security, supplier management, incident management, business continuity, information security reviews, cryptography, and physical and environmental security
- Compare the determined controls from the risk treatment and information security programme with those in Annex A to verify that no necessary controls have been omitted
- Produce a Statement of Applicability (SoA) that contains the necessary controls, justification for their inclusion, whether they are implemented, and justification for excluding any Annex A controls
- Formulate a privacy risk treatment plan
- Obtain risk owners’ approval of the risk treatment plan and acceptance of residual privacy risks
- Consider the guidance in Annex B for the implementation of controls determined during risk treatment and in the information security programme
This sub-clause is where the management system requirements connect to the Annex A controls. Your SoA becomes the central document linking risk assessment results to the specific controls you implement.
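As an added illustration of the 6.1.2 and 6.1.3 steps described above (this is example code written for this page, not ISMS.online's tooling and not text from the standard), the following Python sketch keeps a small privacy risk register under fixed criteria so that repeated assessments are comparable, evaluates each risk against an acceptance threshold, prioritises the unacceptable ones for treatment, and then performs the 6.1.3 comparison: every control chosen in treatment must exist in the control catalogue, and every catalogue control must carry an SoA decision with a justification. The 5x5 likelihood and consequence scales, the acceptance threshold of 8, the CTL-* control identifiers and the PR-* risks are all constructed for the example; the standard prescribes none of them.

```python
"""Privacy risk register example for ISO 27701 Clause 6.1.2 / 6.1.3.
Added example, not code from ISMS.online or from the standard. All scales,
thresholds, control identifiers and risks below are constructed for illustration."""
from __future__ import annotations
from dataclasses import dataclass, field

# Risk criteria (6.1.2): fixed ordinal scales and an acceptance threshold, so that
# two assessors scoring the same risk reach the same level (the "consistency" requirement).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
ACCEPTANCE_THRESHOLD = 8  # constructed: a level at or below 8 is accepted without treatment


@dataclass
class PrivacyRisk:
    ident: str
    description: str
    owner: str            # the risk owner who must approve the treatment plan
    likelihood: str       # key into LIKELIHOOD
    consequence: str      # key into CONSEQUENCE
    treatment: str = "accept"            # accept | modify | avoid | share
    controls: list[str] = field(default_factory=list)  # controls chosen in treatment

    @property
    def level(self) -> int:
        """Analysis step: level = likelihood x consequence on the fixed scales."""
        return LIKELIHOOD[self.likelihood] * CONSEQUENCE[self.consequence]

    @property
    def acceptable(self) -> bool:
        """Evaluation step: compare the level against the acceptance criterion."""
        return self.level <= ACCEPTANCE_THRESHOLD


def prioritise(register: list[PrivacyRisk]) -> list[PrivacyRisk]:
    """Unacceptable risks, highest level first; ties broken by identifier for stable output."""
    return sorted((r for r in register if not r.acceptable), key=lambda r: (-r.level, r.ident))


def treatment_gaps(register: list[PrivacyRisk]) -> list[str]:
    """Unacceptable risks that are marked for modification but have no controls chosen."""
    return [r.ident for r in register if not r.acceptable and r.treatment == "modify" and not r.controls]


def check_control_set(register: list[PrivacyRisk], catalogue: list[str], soa: dict) -> list[str]:
    """The 6.1.3 comparison: chosen controls must exist in the catalogue and must not be
    marked not applicable, and every catalogue control needs a justified SoA decision."""
    problems: list[str] = []
    chosen = {c for r in register if not r.acceptable for c in r.controls}
    for c in sorted(chosen - set(catalogue)):
        problems.append(f"{c}: chosen in treatment but not in catalogue")
    for c in sorted(chosen):
        if soa.get(c, {}).get("applicable") is False:
            problems.append(f"{c}: chosen in treatment but marked not applicable in SoA")
    for c in catalogue:  # catalogue order keeps the report deterministic
        entry = soa.get(c)
        if entry is None:
            problems.append(f"{c}: no SoA decision recorded")
        elif not entry.get("justification"):
            problems.append(f"{c}: SoA decision lacks justification")
    return problems


# Constructed sample data (not from any real register).
SAMPLE_REGISTER = [
    PrivacyRisk("PR-01", "Marketing exports customer PII to shared spreadsheets", "Head of Marketing",
                "likely", "major", "modify", ["CTL-ACCESS", "CTL-LOGGING"]),
    PrivacyRisk("PR-02", "Offsite HR backups stored unencrypted", "IT Operations Lead",
                "possible", "severe", "modify", ["CTL-CRYPTO"]),
    PrivacyRisk("PR-03", "Staff phishing leads to a single mailbox compromise", "CISO",
                "unlikely", "moderate"),
    PrivacyRisk("PR-04", "Analytics vendor receives unpseudonymised event data", "Product Owner",
                "likely", "moderate", "modify"),  # unacceptable but no controls chosen yet
]
SAMPLE_CATALOGUE = ["CTL-ACCESS", "CTL-CRYPTO", "CTL-LOGGING", "CTL-PROCESSOR-CONTRACT"]
SAMPLE_SOA = {
    "CTL-ACCESS": {"applicable": True, "justification": "Treats PR-01", "implemented": True},
    "CTL-CRYPTO": {"applicable": True, "justification": "Treats PR-02", "implemented": False},
    "CTL-LOGGING": {"applicable": True, "justification": "", "implemented": True},
    # CTL-PROCESSOR-CONTRACT has no entry: an exclusion without a recorded decision
}

if __name__ == "__main__":
    for r in prioritise(SAMPLE_REGISTER):
        print(f"{r.ident} level={r.level} owner={r.owner} treatment={r.treatment}")
    print("treatment gaps:", treatment_gaps(SAMPLE_REGISTER))
    for p in check_control_set(SAMPLE_REGISTER, SAMPLE_CATALOGUE, SAMPLE_SOA):
        print("SoA problem:", p)
```

Running the script lists PR-01, PR-02 and PR-04 for treatment (levels 16, 15 and 12), flags PR-04 as an unacceptable risk with no controls chosen, and reports two SoA problems: CTL-LOGGING is included without a justification and CTL-PROCESSOR-CONTRACT has no recorded decision at all. The second finding is the point of the Annex A comparison: an exclusion is only valid once it is written down with its reason (for example, that the organisation acts solely as a controller), not merely left out.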
6.2 Privacy objectives and planning to achieve them
The organisation shall establish privacy objectives at relevant functions and levels. Privacy objectives shall:
- Be consistent with the privacy policy
- Be measurable (if practicable)
- Take into account applicable requirements
- Be monitored
- Be communicated
- Be updated as appropriate
- Be available as documented information
When planning how to achieve objectives, the organisation must determine what will be done, what resources are required, who will be responsible, when it will be completed and how results will be evaluated.
6.3 Planning of changes
When the organisation determines the need for changes to the PIMS, the changes shall be carried out in a planned manner. This is a new explicit requirement in the 2025 edition, emphasising that ad hoc changes to the management system should be avoided. Changes should be assessed for their impact on PIMS effectiveness and managed through a structured process.
How does this relate to GDPR?
Clause 6 supports several GDPR requirements:
- Article 35 — Data Protection Impact Assessments (DPIAs) align with the privacy risk assessment process in 6.1.2
- Article 32 — Security of processing, requiring appropriate technical and organisational measures based on risk assessment
- Article 24 — Responsibility of the controller to implement appropriate measures considering risks of varying likelihood and severity
- Article 25 — Data protection by design and by default, supported by upfront risk planning
What changed from ISO 27701:2019?
- Privacy risk terminology — The 2025 edition explicitly uses “privacy risk assessment” and “privacy risk treatment” rather than relying on the information security risk processes from ISO 27001
- Standalone SoA — The Statement of Applicability now references ISO 27701 Annex A controls directly, rather than supplementing an ISO 27001 SoA
- Clause 6.3 added — Planning of changes is a new explicit requirement not present in the 2019 edition
- Annex A control comparison — The risk treatment process now explicitly requires comparison of determined controls against Annex A to verify no necessary controls have been omitted
See the Annex F correspondence table for the full mapping and our what’s new guide for a broader overview of changes.
What evidence do auditors expect?
- Risk assessment methodology — A documented process for identifying, analysing and evaluating privacy risks
- Risk assessment results — Records of completed assessments with identified risks, likelihood, impact and risk levels
- Risk treatment plan — A plan showing how each unacceptable risk will be treated, with assigned owners and timescales
- Statement of Applicability — A complete SoA covering all Annex A controls with inclusion/exclusion justifications
- Privacy objectives — Documented, measurable objectives with plans for achieving them
- Risk owner approvals — Evidence that risk owners have approved the treatment plan and accepted residual risks
- Change records — Evidence that changes to the PIMS are planned and managed systematically
Related clauses
| Clause | Relationship |
|---|---|
| Clause 4: Context | Context analysis and interested party requirements feed into risk identification |
| Clause 5: Leadership | The privacy policy provides the framework for setting objectives (6.2) |
| Clause 8: Operation | Operational risk assessment (8.2) and treatment (8.3) implement the plans defined here |
| Clause 9: Performance Evaluation | Monitoring and review activities evaluate the effectiveness of risk treatment |
| Annex A Controls | The SoA in 6.1.3 determines which Annex A controls apply |
Why choose ISMS.online for Clause 6 compliance?
ISMS.online provides integrated tools for privacy risk planning:
- Privacy risk register — Identify, assess and prioritise privacy risks with configurable criteria, likelihood and impact scales
- Risk treatment workflows — Assign treatment actions to owners with deadlines, track progress and record approvals
- Statement of Applicability builder — Generate and maintain your SoA with all Annex A controls, inclusion/exclusion justifications and implementation status
- Objectives tracker — Set, monitor and report on privacy objectives with progress dashboards
- Change management — Plan and track changes to the PIMS with impact assessment and approval workflows
FAQs
What is the difference between a DPIA and the Clause 6 risk assessment?
A Data Protection Impact Assessment (DPIA) under GDPR Article 35 is triggered by specific high-risk processing activities and focuses on the impact to individuals. The Clause 6.1.2 privacy risk assessment is a broader, systematic process covering all privacy risks within the PIMS scope. DPIAs can feed into your Clause 6 risk assessment, and many organisations integrate the two processes. However, the Clause 6 assessment must cover all processing within the PIMS scope, not only the high-risk activities that trigger a DPIA.
Can Annex A controls be excluded from the Statement of Applicability?
Yes. The SoA must cover all Annex A controls, but you can exclude controls that are not applicable to your organisation. Each exclusion must be justified. For example, if you only act as a PII controller, you can exclude the Table A.2 processor controls with that justification. However, you cannot exclude a control simply because it is difficult or expensive to implement.
How often should the privacy risk assessment be reviewed?
Clause 6 requires the risk assessment process to be defined, while Clause 8.2 requires it to be performed at planned intervals or when significant changes occur. Most organisations conduct a full review annually, with additional assessments triggered by changes such as new processing activities, regulatory updates, security incidents or organisational restructuring.