ISO 27001 clause 6 is called “Planning” — this clause defines the requirements for risk assessment, risk treatment, the Statement of Applicability, the Risk Treatment Plan, and setting the information security objectives.
This clause is important because it defines the core concepts of information security management: managing risks and achieving security objectives.
Clause 6 has three sub-clauses:
- Clause 6.1 — Actions to address risks and opportunities — it requires companies to identify and manage the risks and opportunities relevant to the context of the organization and to the needs and expectations of interested parties, so that the ISMS can achieve its intended outcomes, prevent or reduce undesired effects, and achieve continual improvement. Risks are managed through information security risk assessment and risk treatment.
- Clause 6.2 — Information security objectives and planning to achieve them — it requires establishing measurable information security objectives and defining the plan on how to achieve them.
- Clause 6.3 — Planning of changes — it requires any change in the ISMS to be done in a planned manner.