ISO 27001 clause 6.1 Actions to address risks and opportunities

The basics

ISO 27001 sub-clause 6.1 is called “Actions to address risks and opportunities” — it requires companies to manage risks and opportunities relevant to the context of the organization and the needs and expectations of interested parties, as a way to ensure that the ISMS can achieve its objectives, prevent or mitigate undesired consequences, and continually improve; managing risks is performed through risk assessment and treatment.

Clause 6.1 is further divided into three sub-clauses:

  • 6.1.1 called “General” — it provides generic requirements for identifying risks and opportunities.
  • 6.1.2 called “Information security risk assessment” — it requires organizations to define and apply an information security risk assessment process. This process must include criteria for accepting information security risks, as well as criteria to perform risk assessment, so repeated assessments produce consistent, valid, and comparable results. The risk assessment process must include risk identification, analysis, and evaluation.
  • 6.1.3 called “Information security risk treatment” — it requires organizations to define and apply an information security risk treatment process to select proper risk treatment options and controls. The selected controls must consider the controls described in Annex A, but they can also include other controls. The main results of the risk treatment process are the Statement of Applicability and the Risk Treatment Plan, which must be approved by the risk owners.

Documentation

ISO 27001 clause 6.1 Actions to address risks and opportunities requires writing the following documents:

The following documents are not mandatory; companies can decide whether to write them:

  • Guidelines on performing risk assessment

Implementation

To comply with clause 6.1 Actions to address risks and opportunities, the optimal way is to complete the risk assessment and treatment by following these steps:

  1. Write the Risk assessment and treatment methodology. (You define how to perform the whole process.)
  2. Perform the risk assessment. (You find out which risks exist, how serious they are, and then determine the unacceptable risks.)
  3. Perform the risk treatment. (For unacceptable risks, you define how to handle those risks.)
  4. Write the Statement of Applicability (SoA). (You list all the controls that are going to be used to decrease those unacceptable risks.)
  5. Write the Risk Treatment Plan. (Define when and by whom the controls will be implemented.)

Audit evidence

During the audit, an auditor might ask for the following evidence regarding ISO 27001 clause 6.1 Actions to address risks and opportunities:

  1. The risk assessment methodology.
  2. The report about the performed risk assessment and treatment, together with the list of all the risks.
  3. Whether each risk has its impact, likelihood, level of risk, and risk owner listed, and whether it is considered acceptable.
  4. Whether each unacceptable risk has been treated with at least one option; if the chosen option is decreasing the risk, then the risk needs to have appropriate controls selected.
  5. Whether the selected controls are marked as applicable in the Statement of Applicability.
  6. Whether you have planned the implementation of your controls through the Risk Treatment Plan.
  7. Whether the risk owners have accepted the Risk Treatment Plan and the residual risks.