What does ISO 27001 Clause 6.1 cover?
Clause 6 of the ISO 27001 requirements is about planning, and specifically the planning of actions to address risks and opportunities. Risk management is fairly straightforward; however, it means different things to different people, and it means something specific to ISO 27001 auditors, so it is important to meet their requirements.
Clearly documenting, and then demonstrating, how you handle risk under ISO 27001 is essential both for independent ISO 27001 certification and for running a successful information security management system (ISMS).
Clause 6.1.1 - General aspects in planning around risk for ISO 27001
At this point, you should be looking back to your earlier work in sections 4 and 5 - in particular, 4.1, 4.2, 4.3 and section 5 of ISO 27001. This will help you determine the risks and opportunities that need to be addressed from your earlier issues, interested parties and scope in order to:
- ensure the information security management system can achieve the intended outcomes
- 'prevent, or reduce the undesired effects'
- 'achieve continual improvement'.
The organisation must have plans in place that cover the actions it will take to identify, assess and treat these risks and opportunities, and how it will integrate and implement those actions into its information security management system processes. This should include how it will evaluate the effectiveness of these actions and monitor them over time.
Quite simply, this means documenting the process for risk identification, assessment and treatment, then showing that it is working in practice through the management of each risk, ideally showing that each risk is being tolerated (e.g. after Annex A controls have been applied), terminated or perhaps transferred to other parties.
ISO 27001 breaks this risk management requirement down in more depth as well. In addition, there are other risk-oriented standards to learn from, such as ISO 31000, from which the principles of ISO 27001 risk planning stem.
Clause 6.1.2 - Information security risk assessment for ISO 27001
The ISO 27001 standard requires an organisation to establish and maintain information security risk assessment processes that include the risk acceptance and assessment criteria. It also stipulates that any assessments should be consistent, valid and produce 'comparable results.'
That means clearly describing the approach being taken, which in turn means producing a risk methodology - we've written more about developing that here.
Organisations must apply the assessment processes to identify risks associated with the confidentiality, integrity, and availability (CIA) of the information assets within the defined scope of the ISMS.
Some (in practice, most) detail-conscious ISO-certified auditors will expect that methodology to go beyond simple likelihood and impact descriptions, and also to explain what happens when, say, one risk (e.g. availability-based) conflicts with another (e.g. confidentiality-based).
Risks need to be assigned to risk owners within the organisation, who will determine the level of risk and assess the potential consequences should the risk materialise, together with the 'realistic likelihood of the occurrence of the risk'.
Once evaluated, the risk must be prioritised for risk treatment and then managed in accordance with the documented methodology.
Clause 6.1.3 - Information security risk treatment for ISO 27001
You are expected to select appropriate risk treatment options based on the risk assessment results, e.g. treat with Annex A controls, terminate, transfer or perhaps treat in another way. The ISO 27001 standard notes that Annex A also includes the control objectives, but that the controls listed are 'not exhaustive' and additional controls may be needed.
Typically the Annex A controls are used alone in smaller organisations, although it is acceptable to design or identify controls from any source. In that way, managing multiple security standards could mean you apply controls from other standards, for example NIST or SOC 2 following the Trust Services Criteria principles.
If you are being audited by an independent auditor for ISO 27001, it makes a lot of sense to focus on the Annex A controls, as the auditor will know those well.
If you need to meet specific standards for a customer, e.g. the DSPT for health in the UK NHS, it makes sense to map the risk treatment to those as well, giving the customer confidence that your information assurance is robust and meets their interests too.
Assigned risk owners manage their risk treatment plans (or delegate to people to do it for them) and will ultimately make the decision to accept any residual information security risks - after all, it does not make sense to always terminate, transfer or continue to invest in the management of a risk.
It is necessary to produce a Statement of Applicability that contains the controls the organisation has deemed necessary together with the justification for inclusions, whether they are implemented or not, and the justification for exclusions of controls from Annex A.
This is a pretty significant job (massively simplified and automated by ISMS.online) that demonstrates that the organisation has looked carefully at all the areas around those controls that ISO 27001 deems to be important.
Understanding the Statement of Applicability for ISO 27001
The Statement of Applicability (SOA) contains the necessary controls as mentioned above and the justification for their inclusion or exclusion. It is great for internal management and for sharing with relevant interested parties. This along with the security policy, scope and certificate (if achieved) will give them a better understanding of where their interests and concerns might be in your information security management system.
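The assessment, prioritisation, treatment and Statement of Applicability steps described in clauses 6.1.2 and 6.1.3 above can be made concrete in a small risk register. The following is an added example in Python, not code from this page or from ISMS.online: it fixes a 1..5 likelihood and impact scale, a risk acceptance threshold, a documented tie-break for the conflict case the text mentions (a confidentiality-based and an availability-based risk with equal scores), validation of the records an auditor would look for (owner, controls, sign-off on residual risk), and generation of SoA entries with a justification for each inclusion or exclusion. The scoring bands, the CIA precedence rule, the control identifiers (`CTL-...`, which are placeholders rather than real Annex A reference numbers), the implementation statuses and the six sample risks are all constructed assumptions for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Methodology constants fixed up front so that every assessment produces
# comparable results (assumed values for this example).
ACCEPTANCE_THRESHOLD = 6            # residual score at or below this may be accepted
LEVEL_BANDS = [(20, "Critical"), (12, "High"), (6, "Medium"), (0, "Low")]
# Documented tie-break for equal scores: confidentiality before integrity before availability.
CIA_PRECEDENCE = {"C": 0, "I": 1, "A": 2}

# Constructed control catalogue with placeholder ids (not real Annex A numbers;
# map them to the numbering in your edition of the standard).
CONTROL_CATALOGUE: Dict[str, str] = {
    "CTL-backup": "Information backup",
    "CTL-crypto": "Use of cryptography",
    "CTL-malware": "Protection against malware",
    "CTL-continuity": "ICT readiness for business continuity",
    "CTL-physical": "Physical entry controls",
}
# Constructed implementation status per control; anything missing is "not implemented".
CONTROL_STATUS = {"CTL-backup": "implemented", "CTL-crypto": "implemented",
                  "CTL-malware": "implemented", "CTL-continuity": "planned"}


@dataclass
class Risk:
    rid: str
    asset: str
    dimension: str                 # "C", "I" or "A" (the CIA property at risk)
    owner: str                     # named risk owner
    likelihood: int                # 1..5
    impact: int                    # 1..5
    treatment: str                 # "treat", "tolerate", "terminate" or "transfer"
    controls: List[str] = field(default_factory=list)   # catalogue ids applied
    residual_likelihood: Optional[int] = None           # after treatment
    residual_impact: Optional[int] = None
    accepted_by: Optional[str] = None                   # owner sign-off on residual risk


def score(likelihood: int, impact: int) -> int:
    return likelihood * impact


def level(s: int) -> str:
    """Map a score onto the methodology's named bands."""
    for floor, name in LEVEL_BANDS:
        if s >= floor:
            return name
    return "Low"


def residual_score(r: Risk) -> int:
    lk = r.residual_likelihood if r.residual_likelihood is not None else r.likelihood
    im = r.residual_impact if r.residual_impact is not None else r.impact
    return score(lk, im)


def prioritise(risks: List[Risk]) -> List[Risk]:
    """Highest score first; equal scores resolved by CIA precedence, then id."""
    return sorted(risks, key=lambda r: (-score(r.likelihood, r.impact),
                                        CIA_PRECEDENCE[r.dimension], r.rid))


def validate(risks: List[Risk]) -> List[str]:
    """Return the record-keeping gaps an auditor would raise for each risk."""
    issues = []
    for r in risks:
        if not r.owner:
            issues.append(f"{r.rid}: no risk owner assigned")
        if not (1 <= r.likelihood <= 5 and 1 <= r.impact <= 5):
            issues.append(f"{r.rid}: likelihood/impact outside the 1..5 scale")
        if r.treatment == "treat" and not r.controls:
            issues.append(f"{r.rid}: treatment is 'treat' but no controls are listed")
        unknown = [c for c in r.controls if c not in CONTROL_CATALOGUE]
        if unknown:
            issues.append(f"{r.rid}: unknown control ids {unknown}")
        if r.treatment in ("treat", "tolerate") and residual_score(r) > ACCEPTANCE_THRESHOLD \
                and not r.accepted_by:
            issues.append(f"{r.rid}: residual score {residual_score(r)} exceeds the "
                          f"acceptance threshold and no owner has accepted it")
    return issues


def statement_of_applicability(risks: List[Risk]) -> List[dict]:
    """One SoA row per catalogue control, with the justification for inclusion or exclusion."""
    rows = []
    for cid, name in CONTROL_CATALOGUE.items():
        users = [r.rid for r in risks if cid in r.controls]
        rows.append({"control": cid, "name": name, "applicable": bool(users),
                     "status": CONTROL_STATUS.get(cid, "not implemented"),
                     "justification": (f"treats risks {', '.join(users)}" if users
                                       else "no in-scope risk requires this control")})
    return rows


# Constructed sample register (not real data).
RISKS = [
    Risk("R1", "customer database", "C", "Head of IT", 4, 5, "treat", ["CTL-crypto"], 2, 3),
    Risk("R2", "customer database", "A", "Head of IT", 4, 5, "treat",
         ["CTL-backup", "CTL-continuity"], 2, 4, accepted_by="Head of IT"),
    Risk("R3", "laptops", "I", "Ops Lead", 3, 3, "treat", ["CTL-malware"], 1, 3),
    Risk("R4", "legacy FTP server", "C", "Ops Lead", 5, 2, "terminate"),
    Risk("R5", "office printer", "A", "Ops Lead", 2, 1, "tolerate"),
    Risk("R6", "payment processing", "I", "", 3, 4, "treat", [], 3, 4),   # deliberately incomplete
]

if __name__ == "__main__":
    for r in prioritise(RISKS):
        s = score(r.likelihood, r.impact)
        print(f"{r.rid} {r.dimension} score={s:2d} {level(s):8s} residual={residual_score(r)} {r.treatment}")
    print("issues:", *validate(RISKS), sep="\n  ")
    for row in statement_of_applicability(RISKS):
        print(row)
```

R1 and R2 both score 20, so the documented precedence rule, not the order of entry, decides that the confidentiality risk is listed first; R6 shows the three gaps the validation step is designed to surface before an audit (no owner, no controls behind a 'treat' decision, and an unaccepted residual score above the threshold).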
How to achieve Clause 6.1 for actions to address risks and opportunities in ISO 27001
Typically, planning how you will identify, evaluate and treat risks to meet the requirements above is one of the more time-consuming elements of implementing your ISMS. It requires an organisation to define a methodology for the consistent evaluation of risk and to maintain clear records of each risk, its assessment and its treatment plan.
Furthermore, the records should demonstrate regular reviews over time, and evidence of the treatment that has taken place. This will include which of the Annex A controls you have put in place as part of that treatment and will feed into the creation (and maintenance) of the Statement of Applicability.
It is little wonder that old-fashioned spreadsheet approaches become complex and difficult to maintain once you go beyond the very basic approaches to risk management (as ISO 27001 requires). It is one of the reasons why organisations now look to software solutions to manage this process.