What does Clause 6.1 involve?
Documenting your risk management approach clearly, and then demonstrating that you handle risk in line with ISO 27001, is essential both for achieving independent ISO 27001 certification and for running a successful information security management system (ISMS).
Clause 6.1.1 – General aspects in planning around risk for ISO 27001
At this point, you should be looking back to your earlier work in clauses 4 and 5 of ISO 27001 – in particular 4.1, 4.2 and 4.3, and clause 5. This will help you determine the risks and opportunities that need to be addressed, based on the issues, interested parties and scope you identified earlier, in order to:
- ensure the information security management system can achieve the intended outcomes
- ‘prevent, or reduce the undesired effects’
- ‘achieve continual improvement’.
The organisation must have plans in place that cover the actions it will take to identify, assess and treat these risks and opportunities and how it will integrate and implement those actions into its information security management system processes. This should include how they will evaluate the effectiveness of these actions and monitor them over time.
Quite simply, this means documenting the process for risk identification, assessment and treatment, then showing that it is working in practice through the management of each risk: ideally demonstrating that it is being tolerated (e.g. after Annex A controls have been applied), terminated, or perhaps transferred to other parties.
ISO 27001 breaks this requirement down in more depth in the sub-clauses below. There are also other risk-oriented standards to learn from, notably ISO 31000, from which the principles behind ISO 27001 risk planning have stemmed.
Clause 6.1.2 – Information security risk assessment for ISO 27001
The ISO 27001 standard requires an organisation to define and apply an information security risk assessment process that establishes and maintains both the risk acceptance criteria and the criteria for performing assessments. It also stipulates that repeated assessments should be consistent, valid and produce ‘comparable results’.
That means clearly describing the approach being taken, i.e. producing a documented risk methodology.
Organisations must apply the assessment processes to identify risks associated with the confidentiality, integrity, and availability (CIA) of the information assets within the defined scope of the ISMS.
Most certification auditors will expect that methodology to go beyond simple likelihood and impact descriptions, and also to explain how a conflict between one risk (e.g. availability based) and another (e.g. confidentiality based) is resolved when they compete for treatment.
Risks need to be assigned to risk owners within the organisation, who will determine the level of risk, assess the potential consequences should the risk materialise, and judge the ‘realistic likelihood of the occurrence of the risk’.
Once evaluated, the risks must be prioritised for risk treatment and then managed in accordance with the documented methodology.
Clause 6.1.3 – Information security risk treatment for ISO 27001
You are expected to select appropriate risk treatment options based on the risk assessment results e.g. treat with Annex A controls, terminate, transfer or perhaps treat in another way. The ISO 27001 standard notes that Annex A also includes the control objectives but that the controls listed are ‘not exhaustive’ and additional controls may be needed.
Typically, smaller organisations rely on the Annex A controls alone, although it is acceptable to design controls yourself or identify them from any source. If you manage multiple security standards, that could mean applying controls from, for example, NIST publications or the SOC 2 Trust Services Criteria.
If you are being audited by an independent auditor for ISO 27001, it makes a lot of sense to focus on the Annex A controls, as they will know those well.
If you need to meet a specific standard for a customer, e.g. the Data Security and Protection Toolkit (DSPT) for health organisations in the UK NHS, it makes sense to map the risk treatment to that standard as well, giving the customer confidence that your information assurance is robust and meets their interests too.
Assigned risk owners manage their risk treatment plans (or delegate the work to others) and ultimately decide whether to accept any residual information security risk; after all, it does not always make sense to terminate or transfer a risk, or to keep investing in managing it.
It is necessary to produce a Statement of Applicability that contains the controls the organisation has deemed necessary, the justification for their inclusion, whether or not they are implemented, and the justification for excluding any Annex A controls.
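The requirements in 6.1.2 and 6.1.3 above (criteria fixed once so assessments are comparable, a documented tie-break between conflicting risks, risk owners who sign off residual risk, and a Statement of Applicability that justifies every inclusion and exclusion) can be expressed as a small risk register. The following is an added worked example written for this page; it is not code from ISMS.online or from the standard. The 1–5 scale, acceptance threshold of 6 and the CIA tie-break order are illustrative assumptions, and the risks, owners and exclusion text are constructed sample data. The control references are abbreviated from Annex A of the 2022 edition and should be checked against the edition you certify to.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple

# Criteria defined once and reused for every assessment, so results are consistent
# and comparable (Clause 6.1.2). Scale, threshold and tie-break are assumptions.
SCALE = range(1, 6)               # 1 = rare / negligible ... 5 = almost certain / severe
ACCEPTANCE_THRESHOLD = 6          # likelihood x impact at or below this may be tolerated
CIA_PRIORITY = {"confidentiality": 0, "integrity": 1, "availability": 2}  # assumed tie-break

class Treatment(Enum):
    TOLERATE = "tolerate"
    TREAT = "treat"               # apply controls from Annex A or another source
    TERMINATE = "terminate"
    TRANSFER = "transfer"

@dataclass
class Risk:
    ref: str
    asset: str
    cia: str                      # property at risk: confidentiality / integrity / availability
    owner: str                    # risk owner: determines the level and accepts residual risk
    likelihood: int
    impact: int
    treatment: Treatment
    controls: List[str] = field(default_factory=list)   # control refs used to treat it
    residual_likelihood: Optional[int] = None           # default to inherent values
    residual_impact: Optional[int] = None
    residual_accepted_by: Optional[str] = None          # owner's sign-off on residual risk

    def __post_init__(self):
        if self.cia not in CIA_PRIORITY:
            raise ValueError(f"{self.ref}: unknown property {self.cia!r}")
        self.residual_likelihood = self.residual_likelihood or self.likelihood
        self.residual_impact = self.residual_impact or self.impact
        for v in (self.likelihood, self.impact, self.residual_likelihood, self.residual_impact):
            if v not in SCALE:
                raise ValueError(f"{self.ref}: score {v} is not on the defined scale")

def inherent(r: Risk) -> int:
    return r.likelihood * r.impact

def residual(r: Risk) -> int:
    return r.residual_likelihood * r.residual_impact

def prioritise(risks: List[Risk]) -> List[Risk]:
    """Treatment order: highest inherent score, then the documented CIA tie-break, then ref."""
    return sorted(risks, key=lambda r: (-inherent(r), CIA_PRIORITY[r.cia], r.ref))

def assessment_findings(risks: List[Risk]) -> List[str]:
    """Consistency checks an auditor would make against the risk records."""
    findings = []
    for r in risks:
        if r.treatment is Treatment.TOLERATE and inherent(r) > ACCEPTANCE_THRESHOLD:
            findings.append(f"{r.ref}: tolerated but inherent {inherent(r)} exceeds threshold")
        if r.treatment is Treatment.TREAT and not r.controls:
            findings.append(f"{r.ref}: treatment is 'treat' but no controls recorded")
        if residual(r) > ACCEPTANCE_THRESHOLD and r.residual_accepted_by != r.owner:
            findings.append(f"{r.ref}: residual {residual(r)} exceeds threshold, not accepted by owner")
    return findings

def statement_of_applicability(risks: List[Risk], catalogue: Dict[str, Tuple[str, bool]],
                               exclusions: Dict[str, str]) -> Dict[str, dict]:
    """One SoA row per catalogue control: included with the risks that justify it,
    or excluded with the recorded justification (None if nobody wrote one)."""
    treats: Dict[str, List[str]] = {}
    for r in risks:
        for c in r.controls:
            treats.setdefault(c, []).append(r.ref)
    rows = {}
    for ref, (title, implemented) in catalogue.items():
        included = ref in treats
        rows[ref] = {"title": title, "applicable": included, "implemented": implemented,
                     "justification": "treats " + ", ".join(sorted(treats[ref]))
                     if included else exclusions.get(ref)}
    return rows

def soa_findings(soa: Dict[str, dict]) -> List[str]:
    return [f"{ref}: excluded without justification"
            for ref, row in soa.items() if not row["applicable"] and not row["justification"]]

# Constructed sample data. Control titles abbreviated from Annex A (2022 edition).
CATALOGUE = {
    "A.5.1": ("Policies for information security", True),
    "A.5.19": ("Information security in supplier relationships", False),
    "A.8.5": ("Secure authentication", True),
    "A.8.13": ("Information backup", True),
    "A.8.24": ("Use of cryptography", True),
}
EXCLUSIONS = {"A.5.19": "no suppliers handle in-scope information (constructed)"}
RISKS = [
    Risk("R1", "customer database", "confidentiality", "Head of IT", 3, 5, Treatment.TREAT,
         ["A.8.5", "A.8.24"], residual_likelihood=1, residual_impact=5, residual_accepted_by="Head of IT"),
    Risk("R2", "file server", "availability", "Ops Manager", 3, 5, Treatment.TREAT,
         ["A.8.13"], residual_likelihood=2, residual_impact=4),   # residual never signed off
    Risk("R3", "marketing laptop", "integrity", "Marketing Lead", 2, 2, Treatment.TOLERATE),
]
```

Running `prioritise(RISKS)` puts R1 ahead of R2 even though both score 15, because the documented tie-break favours confidentiality over availability; that written rule is what answers the auditor's "what happens when two risks conflict" question. `assessment_findings(RISKS)` flags R2, whose residual risk of 8 is above the acceptance threshold but has no owner sign-off, and `soa_findings` flags A.5.1, which is neither linked to a risk nor recorded as a justified exclusion: exactly the gaps a Statement of Applicability review is meant to catch.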
This is a significant job (one that ISMS.online greatly simplifies and automates), and it demonstrates that the organisation has looked carefully at every area covered by the controls that ISO 27001 deems important.
Understanding the Statement of Applicability for ISO 27001
The Statement of Applicability (SOA) contains the necessary controls mentioned above together with the justification for their inclusion or exclusion. It is useful for internal management and for sharing with relevant interested parties. Together with the security policy, scope and certificate (if achieved), it gives them a better understanding of where their interests and concerns sit within your information security management system.
How to achieve Clause 6.1
Typically, planning how you will identify, evaluate and treat risks to meet the requirements above is one of the more time-consuming elements of implementing your ISMS. It requires an organisation to define a methodology for the consistent evaluation of risk and to maintain clear records of each risk, its assessment and its treatment plan.
Furthermore, the records should demonstrate regular reviews over time, and evidence of the treatment that has taken place. This will include which of the Annex A controls you have put in place as part of that treatment and will feed into the creation (and maintenance) of the Statement of Applicability.
It is little wonder that old-fashioned spreadsheet approaches become complex and difficult to maintain once you go beyond the most basic approach to risk management, as ISO 27001 requires you to. That is one of the reasons organisations now look to software solutions to manage this process.
Make it simpler with ISMS.online
The ISMS.online platform includes a risk management policy, methodology, and a pre-configured information security risk management tool. We also include a bank of common information security risks that can be drawn down, together with the suggested Annex A controls, saving you weeks of work.
Joining this up in one integrated solution to help you achieve, maintain and improve your entire ISMS makes perfect sense. After all, why waste time trying to build it yourself when there is already a purpose-built solution?
Compliance doesn’t have to be complicated.
We've done the hard work for you, giving you an 81% Headstart from the moment you log on.
All you have to do is fill in the blanks.