Actions to Address Risks and Opportunities for ISO 27001 Information Security

ISO 27001 Clause 6.1

This sub-clause requires the organisation to determine the risks and opportunities the ISMS needs to address and to plan actions to address them.

ISO 27001 Clause 6.1 - Actions to Address Risks and Opportunities

Clause 6.1 introduces the risk-based thinking that runs through the whole standard. It splits into three sub-clauses: 6.1.1 General, which sets the overall framework, and 6.1.2 and 6.1.3, which deal specifically with information security risks. This article covers 6.1.1. The detailed risk assessment and risk treatment requirements are covered in their own articles.

What ISO 27001 Clause 6.1.1 Requires

When planning for the information security management system, the organisation must consider the issues from Clause 4.1 and the requirements from Clause 4.2, and determine the risks and opportunities that need to be addressed to make sure the ISMS can achieve its intended outcomes, prevent or reduce undesired effects, and achieve continual improvement.

The organisation must then plan the actions to address those risks and opportunities, plan how to integrate and implement those actions into the ISMS processes, and plan how to evaluate the effectiveness of those actions. The standard does not prescribe a specific method for any of this. It does require the process to be in place and to link the inputs from Clause 4 through to the outputs in Clause 6.1.2 and Clause 6.1.3.

Two Types of Risk in ISO 27001

The standard recognises two distinct types of risk. Strategic risks and opportunities at the management system level - things that affect whether the ISMS as a whole achieves its intended outcomes. These are usually captured in the same opportunities and risks register used for other ISO standards, with information security factors flagged where they apply.

Information security risks - the specific risks to confidentiality, integrity and availability of information assets - are covered separately under Clause 6.1.2 and Clause 6.1.3. They live in a dedicated information security risks register, scored differently and treated through the controls in Annex A.

Both types of risk are considered together for planning purposes, but the assessment processes are kept separate so that the strategic view is not crowded out by the operational detail of information security risk.

The most common gap I see at this clause is the strategic risks register being treated as separate from the information security risks register. They are different documents but they need to talk to each other. A strategic risk like dependence on a single cloud provider should be visible in both registers, scored from the strategic angle in one and from the information security angle in the other.

Do not let this clause turn into a paperwork exercise. The point of risk-based thinking is to make better decisions. If the risk register is something you write once and never look at, it is not doing its job. The good registers I have seen are short, real and reviewed at every management meeting.

Practical Compliance Guidance

The strategic risk register and the information security risk register run in parallel. Both feed into the management review and are updated when the operating environment, the threat landscape or the organisation itself changes significantly.

The documents below support the strategic and information security risk planning required by Clause 6.1.

alphaZ document | How to use it
ISO 27001 Toolkit | Complete documentation set for ISO 27001:2022 including both strategic and information security risk registers.
F-IMS23 Opportunities and Risks Register | Strategic risks and opportunities register at the management system level, including SWOT analysis and tracking of treatment actions.
ER15 Information Security Risks Register | Dedicated register for information security risks scored against confidentiality, integrity and availability, used to drive the Statement of Applicability.
ER1 Issues and Actions Register | Tracks the actions arising from the risks and opportunities identified, with owners, due dates and effectiveness reviews.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

Does ISO 27001 require two separate risk registers?

The standard does not require two separate registers, but in practice they are kept separate because they are scored differently and serve different purposes. The strategic register captures management system level risks. The information security register scores risks against confidentiality, integrity and availability of specific assets.

Does Clause 6.1.1 require documented information?

Clause 6.1.1 itself does not specify documentation requirements, but Clause 6.1.2 does require the risk assessment process to retain documented information. In practice the risk methodology is documented in the management system manual or as a separate procedure.

What are opportunities in ISO 27001?

Opportunities are positive factors that could improve the ISMS or the wider business. They are typically tracked in the same register as strategic risks but with positive scoring. Information security opportunities might include adopting a stronger authentication method or moving to a more secure platform.

UK Legislation

The legislation relevant to information security risk planning is covered in detail under Clause 4.2 and the legal register. The most directly applicable items are below.
