ISO/IEC 27001:2022
Clause 6: Planning

Key Requirements:

  • Adding risk-based thinking and management to planning
  • Establishing quality objectives and how they will be achieved
  • Planning actions when changes to the ISMS are made
  • Updating the ISMS based on measuring ongoing effectiveness and any newly discovered risks or opportunities

Clause 6 is broken down into two subclauses: 6.1 Actions to Address Risks and Opportunities and 6.2 Information Security Objectives and Planning to Achieve Them

Clause 6.1: Actions to Address Risks and Opportunities

Risk management is a crucial part of the ISO 27001:2022 standard and it is important to be thorough and intentional when identifying risks and opportunities. When working to address these two components it’s imperative to document with clarity and demonstrate how you handle risk under ISO 27001. These two things are essential for the auditor to see when seeking certification to ISO 27001:2022 and running a successful information security management system. 

6.2 Information Security Objectives and Planning to Achieve Them

In essence, subclause 6.2 allows your organization to measure its ISMS and understand if it is working as intended. At this point, your organization should clearly understand the organization and its context (4.1), determine the requirements of interested parties (4.2) , establish the scope of the ISMS (4.3) and have started to address risks and opportunities (6.1). 

When implementing 6.2, carefully develop objectives that are meaningful – not just measurable. If your organization is already measuring and monitoring your objectives, consider what you are already doing, where you would like to improve and what will add value to your interested parties. This will help you achieve not only numbers but add value to your organization.

Please note that certain text from the ISO 27001 standard is only used for instructional purposes. Standard Stores recognizes and respects the International Organization for Standardization (ISO) copyright and intellectual property guidelines.


Our All-in-One Certification Package is a proven, efficient system. It gives you all you need to prepare for certification – in one simple to use package.

Customer Review:

"I have just passed my Audit with zero non-conformances for the second year in a row using your ISO products to write my entire QMS. Thank you for producing documents of this quality"

Bettye Patrick

Buy the Standard

27001 Store Logo  ISO 27001:2022