Clause 6: Planning

The risk assessment process, risk treatment, the Statement of Applicability, and setting information security objectives.

Overview

Clause 6 is often considered the heart of ISO 27001. It requires you to take a risk-based approach to information security — identifying what could go wrong, assessing how likely and impactful those risks are, and then deciding how to treat them. This clause also requires you to produce the Statement of Applicability (SoA) and set measurable security objectives.

6.1.1 General — Addressing Risks and Opportunities

When planning the ISMS, you must consider the issues from Clause 4.1 and the requirements from Clause 4.2, and determine the risks and opportunities that need to be addressed. The aim is to ensure the ISMS can achieve its intended outcomes, prevent or reduce undesired effects, and achieve continual improvement.

6.1.2 Information Security Risk Assessment

You must define and apply an information security risk assessment process that produces consistent, valid and comparable results each time it is repeated, and that:

  1. Establishes risk criteria — define your risk acceptance criteria (the level of risk the organisation will tolerate without treatment) and the criteria for performing risk assessments, such as the likelihood and consequence scales and how they combine into a risk level.
  2. Identifies risks — apply the risk assessment process to identify risks associated with the loss of confidentiality, integrity, and availability of information within the ISMS scope, and assign a risk owner to each risk.
  3. Analyses risks — assess the realistic likelihood of each risk occurring and the potential consequences if it does, and derive a risk level from them.
  4. Evaluates risks — compare the results against your risk criteria and prioritise risks for treatment.

6.1.3 Information Security Risk Treatment

For each risk that exceeds your acceptance criteria, you must select appropriate treatment options:

  • Mitigate — apply controls to reduce the likelihood or consequence.
  • Transfer — share the risk with a third party (e.g. cyber insurance or a contractual obligation on a supplier). Note that sharing the financial impact does not remove your accountability for the risk.
  • Avoid — change plans to eliminate the risk entirely, for example by not processing the data or not running the service.
  • Accept — retain the risk by an informed, documented decision of the risk owner, and keep it under review.

You must then determine all controls necessary to implement the chosen risk treatment options and compare them against Annex A to ensure no necessary controls are overlooked. Annex A is a reference list, not an exhaustive one: controls from other sources may be added where the risk treatment requires them. The result is the Statement of Applicability (SoA), which lists the necessary controls, the justification for including each one, whether it is implemented, and the justification for excluding any of the 93 Annex A controls. Finally, you must formulate a risk treatment plan and obtain the risk owners' approval of the plan and their acceptance of the residual risks.

6.2 Information Security Objectives

You must establish information security objectives at relevant functions and levels. Objectives should be consistent with the information security policy, measurable (where practicable), take into account applicable requirements and risk assessment results, and be monitored, communicated, kept as documented information and updated as appropriate. For each objective, plan what will be done, what resources are required, who is responsible, when it will be completed and how the results will be evaluated.

Examples of objectives include: reduce the number of security incidents by 20% year-on-year, achieve 95% staff completion of security awareness training, or maintain system uptime above 99.5%. Prefer measures that cannot be improved simply by reporting less; an incident-count target, for example, should be paired with a detection or reporting measure so that it rewards finding incidents rather than hiding them.

How Standardise Helps

  • Risk Register — create, assess, and track risks with a 5x5 likelihood-consequence matrix. Each risk has an owner, treatment plan, and status. The visual heat map gives instant visibility into your risk landscape.
  • Statement of Applicability — all 93 Annex A controls are pre-loaded and categorised. For each control, record its applicability, implementation status, and justification. Export the SoA as CSV for auditor review.
  • Risk Treatment Plan template — a document template for formally documenting your risk treatment decisions and tracking implementation progress.
  • Information Security Objectives template — define and track measurable objectives within the Compliance module.