Planning for ISO 27001 Information Security

ISO 27001 Clause 6

This clause requires the organisation to plan the ISMS - addressing risks and opportunities, setting information security objectives, and managing planned changes.

ISO 27001 Clause 6 - Planning

Clause 6 is where the management system meets the real world of information security risk. The planning clauses set out how the organisation identifies, assesses and treats its information security risks, how it sets objectives, and how it manages changes to the ISMS itself. This is the part of the standard that produces the Statement of Applicability and the risk treatment plan.

Sub-clauses of ISO 27001 Clause 6

Clause 6.1 - Actions to Address Risks and Opportunities sets the overall framework for risk-based planning, including the consideration of the issues from Clause 4.1 and the requirements from Clause 4.2.

Clause 6.1.2 - Information Security Risk Assessment requires the organisation to define and apply a risk assessment process that identifies, analyses and evaluates information security risks against established criteria.

Clause 6.1.3 - Information Security Risk Treatment requires the organisation to define and apply a risk treatment process, compare its controls with Annex A, produce a Statement of Applicability and create a risk treatment plan.

Clause 6.2 - Information Security Objectives and Planning to Achieve Them requires the organisation to establish documented information security objectives at relevant functions and levels.

Clause 6.3 - Planning of Changes requires that changes to the ISMS are made in a planned manner.
