Clause 6: Planning
- Adding risk-based thinking and management to planning
- Establishing quality objectives and how they will be achieved
- Planning actions when changes to the ISMS are made
- Updating the ISMS based on measuring ongoing effectiveness and any newly discovered risks or opportunities
Clause 6 is broken down into two subclauses: 6.1 Actions to Address Risks and Opportunities, and 6.2 Information Security Objectives and Planning to Achieve Them.
Clause 6.1: Actions to Address Risks and Opportunities
Risk management is a crucial part of the ISO 27001:2022 standard, and it is important to be thorough and intentional when identifying risks and opportunities. When working to address these two components, it is imperative to document with clarity and to demonstrate how you handle risk under ISO 27001. These two things are essential for the auditor to see when you seek certification to ISO 27001:2022, and for running a successful information security management system.
Clause 6.2: Information Security Objectives and Planning to Achieve Them
In essence, subclause 6.2 allows your organization to measure its ISMS and understand whether it is working as intended. At this point, your organization should clearly understand the organization and its context (4.1), have determined the requirements of interested parties (4.2), have established the scope of the ISMS (4.3), and have started to address risks and opportunities (6.1).
When implementing 6.2, carefully develop objectives that are meaningful – not just measurable. If your organization is already measuring and monitoring its objectives, consider what you are already doing, where you would like to improve, and what will add value to your interested parties. This helps you achieve more than numbers: objectives that add value to your organization.
Please note that certain text from the ISO 27001 standard is only used for instructional purposes. Standard Stores recognizes and respects the International Organization for Standardization (ISO) copyright and intellectual property guidelines.