The bedrock of ISO 27001 lies in managing risks and opportunities. The introduction to the standard clearly emphasises the importance of the information security management system (ISMS) in preserving the confidentiality, integrity, and availability of information. To instil confidence in interested parties, a robust system for managing risks and opportunities is imperative.

Clause 6.1 - Actions to Address Risks and Opportunities

Taking the time to understand and implement clause 6.1 is crucial. It involves thoughtful consideration and collaboration with your team to devise a system tailored to your business. A great starting point is studying ISO 31000, a guideline for risk management. This standard provides principles, frameworks, and processes necessary for effective risk management.

The risk management process outlined in ISO 31000 includes defining scope, context, and risk criteria; ensuring staff involvement; conducting risk assessment (identification, analysis, evaluation); determining risk treatments; and continuous monitoring and review. A pre-existing risk management system, such as one built for ISO 9001, can be integrated into your ISMS for efficiency.

Utilising these fundamentals, create a risk process tailored to information security. Develop risk criteria based on likelihood and consequence so that risks can be prioritised. ISO 27001 Annex A provides a list of controls—93 in the 2022 version—simplifying the determination of risk treatments. By linking identified risks to controls and creating an Information Security Risk Register, you establish a foundational document that summarises the evidence for several ISO 27001 clauses at once.
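As an added illustration of the register described above (this is example code, not the article's, DQS's or the standard's own tooling), the following Python sketch scores each risk as likelihood multiplied by consequence on a 5x5 matrix, records the Annex A controls chosen as treatment, tracks the expected residual score, and flags risks whose residual rating still exceeds the organisation's stated appetite. The 1-5 scales, the rating thresholds, the appetite bands, the sample risks and the particular control references are all assumptions chosen for the example; an organisation defines its own under clause 6.1.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed 1-5 scales (assumption): an organisation defines its own under clause 6.1.
LIKELIHOOD = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
CONSEQUENCE = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}
RATING_ORDER = ["low", "medium", "high", "critical"]


def score(likelihood: int, consequence: int) -> int:
    """Risk score = likelihood x consequence on the 5x5 matrix (range 1-25)."""
    if likelihood not in LIKELIHOOD or consequence not in CONSEQUENCE:
        raise ValueError("likelihood and consequence must be integers from 1 to 5")
    return likelihood * consequence


def rating(risk_score: int) -> str:
    """Map a score to a rating band; the thresholds are this example's assumption."""
    if risk_score >= 15:
        return "critical"
    if risk_score >= 10:
        return "high"
    if risk_score >= 5:
        return "medium"
    return "low"


@dataclass
class Risk:
    risk_id: str
    description: str
    asset: str
    owner: str
    likelihood: int
    consequence: int
    treatment: str = "mitigate"                         # mitigate / accept / transfer / avoid
    controls: List[str] = field(default_factory=list)   # Annex A references chosen as treatment
    residual_likelihood: Optional[int] = None           # expected values once controls are in place
    residual_consequence: Optional[int] = None

    @property
    def inherent(self) -> int:
        return score(self.likelihood, self.consequence)

    @property
    def residual(self) -> int:
        # Residual defaults to inherent when no reduction has been estimated (e.g. accepted risks).
        lik = self.likelihood if self.residual_likelihood is None else self.residual_likelihood
        con = self.consequence if self.residual_consequence is None else self.residual_consequence
        return score(lik, con)


def prioritise(register: List[Risk]) -> List[Risk]:
    """Highest inherent score first; ties broken by risk id so the order is stable."""
    return sorted(register, key=lambda r: (-r.inherent, r.risk_id))


def above_appetite(register: List[Risk], appetite: str = "medium") -> List[str]:
    """Ids of risks whose residual rating is still worse than the stated appetite.
    These need further treatment or a documented, approved acceptance."""
    limit = RATING_ORDER.index(appetite)
    return [r.risk_id for r in register
            if RATING_ORDER.index(rating(r.residual)) > limit]


def register_lines(register: List[Risk]) -> List[str]:
    """One text line per risk, ordered by priority, for the Information Security Risk Register."""
    return [f"{r.risk_id} [{rating(r.inherent)} {r.inherent} -> {rating(r.residual)} {r.residual}] "
            f"{r.description} | owner: {r.owner} | {r.treatment}: {', '.join(r.controls) or 'none'}"
            for r in prioritise(register)]


# Constructed sample register (assumption: control numbering follows ISO 27001:2022 Annex A).
REGISTER = [
    Risk("R-01", "Laptop stolen with customer data on disk", "staff laptops", "IT manager", 3, 4,
         controls=["A.8.1 User endpoint devices", "A.8.24 Use of cryptography"],
         residual_likelihood=3, residual_consequence=1),
    Risk("R-02", "Ransomware encrypts the file server", "file server", "IT manager", 4, 5,
         controls=["A.8.13 Information backup", "A.8.8 Management of technical vulnerabilities"],
         residual_likelihood=2, residual_consequence=3),
    Risk("R-03", "Shared administrator account with no audit trail", "ERP system", "CFO", 3, 3,
         treatment="accept"),
    Risk("R-04", "Staff fall for credential phishing", "email", "HR manager", 5, 3,
         treatment="accept"),
]

if __name__ == "__main__":
    print("\n".join(register_lines(REGISTER)))
    print("still above appetite:", above_appetite(REGISTER, "medium"))
```

Two design points worth noting: a risk with no estimated residual reduction keeps its inherent score, so an "accept" decision on a critical risk (R-04 in the sample) is surfaced by `above_appetite` rather than silently disappearing from the review, and the prioritised order is deterministic so the register reads the same at every management review.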

Clause 6.2 - Information Security Objectives and Planning to Achieve Them

Crafting information security objectives is a nuanced task. While most companies have objectives in sales, marketing, and operations, defining objectives for information security requires a different level of consideration. Common objectives like achieving zero information security incidents warrant careful evaluation due to potential pitfalls, such as under-reporting incidents.

ISO 27001 advises deriving objectives from the risk assessment and the treatments selected from Annex A. Using the SMART framework—Specific, Measurable, Attainable, Realistic, and Timely—ensures well-defined and achievable objectives. It is essential to strike the right balance in the number of objectives; in our experience the best outcomes come when businesses have 3 to 5 objectives, focused on areas like employee involvement, ISO 27001 certification, and GDPR compliance.

Clear communication of objectives to employees is crucial. Conducting staff meetings to discuss each objective, outlining plans and timeframes, clarifying roles, identifying responsibilities, and providing printouts for reference enhances understanding. Regular monitoring and evaluation ensure you stay on track, and adjustments can be made as necessary.

Clause 6.3 - Change Management

The updated version of ISO 27001 includes a new clause specifically requiring that changes affecting the ISMS be managed. This is typically achieved by implementing a formal change management system, where changes are documented, then discussed and planned before they are implemented.

Good change management processes should consider the effort required, which parts of the business will be affected, and the stakeholders in those parts. Importantly, any potential unintended consequences should also be considered.

When changes are made, they should be documented to assist with tracking the changes and identifying the causes of any issues that occur.

Takeaways for Clause 6:

  1. Integrate opportunities into your improvement process.
  2. Develop an easy-to-use risk criteria which can be used to list and prioritise risks.
  3. Carefully consider and define objectives.
  4. Monitor, evaluate results and reassess risks and opportunities for ongoing improvement.
  5. Prioritise communication to ensure everyone has a clear understanding.

Author
Brad Fabiny

DQS Product Manager - Cyber Security and auditor for the ISO 9001, ISO 27001 standards and information security management systems (ISMS) with extensive experience in software development.
