ISO 27001 Clause 6.1: Turning Risks into Opportunities

When it comes to ISO 27001, Clause 6.1 is where the action begins. This is the point in the standard where you stop talking about security in the abstract and start planning how to actually tackle risks and seize opportunities.
It’s part of the Planning section (Clause 6), and it breaks down into three parts:
- 6.1.1 General – linking your risk planning back to the context of your organisation and the needs of your stakeholders.
- 6.1.2 Information Security Risk Assessment – defining how you’ll identify, assess, and prioritise risks.
- 6.1.3 Information Security Risk Treatment – deciding what you’ll do about them.
Understanding these clauses — and how they link with Clause 8 (Operation) — is key to building a practical, responsive information security management system.
Planning vs. Doing
Think of Clause 6 as your blueprint stage. Here, you’re designing the process:
- What’s your risk appetite?
- How will you rate risks consistently?
- What criteria will trigger a new assessment?
When you get to Clause 8, you take those plans and put them into action — conducting the actual risk assessments (8.2) and implementing your treatments (8.3).
But it’s not a one-way journey. You’ll often bounce back and forth between planning and doing. Maybe you discover a new vulnerability while implementing controls — you’ll need to loop back to Clause 6, update your plan, and then push forward again.
From Big Picture to Fine Detail
Early on, many organisations keep their risk registers fairly high level:
“There’s a risk of a data breach.”
That’s fine for a start. But as your system matures, you dig deeper:
“In System X, unpatched software could allow unauthorised access.”
Clause 6.1.2 pushes you to create a repeatable risk assessment process — one that produces consistent, comparable results every time. This often involves tools like a risk matrix (likelihood vs. impact), qualitative or quantitative ratings, and clear ownership of each risk.
The Role of Risk Appetite and Criteria
Your top management will decide how much risk is acceptable — your risk appetite — and how to measure it. ISO 27001 doesn’t prescribe exact numbers, but it expects you to define your own consistent criteria.
Typical triggers for a risk assessment might include:
- A significant change in operations or technology
- Discovery of a major vulnerability
- Regular planned intervals (e.g., every 6 or 12 months)
The point is to avoid “winging it” — the process should be documented, structured, and repeatable.
Risk Treatment and Annex A
Once you’ve assessed the risks, Clause 6.1.3 is about choosing how to treat them. This is where Annex A comes in — the list of 93 possible controls you can apply. You won’t need them all, but your Statement of Applicability must record, for every control, whether it is included or excluded and the justification for that decision.
For example:
- Included: “We’ve applied encryption controls to meet legal and contractual requirements.”
- Excluded: “We don’t develop software in-house, so secure coding controls are not applicable.”
Real-World Benefits: Even for Insurance
Here’s a bonus: a well-implemented ISO 27001 system can even influence your cyber insurance premiums. Insurers want assurance that you’ve identified and addressed your risks. Certification — backed by independent audits — can demonstrate that you’re a lower risk, which in some cases has led to reduced or stabilised premiums despite rising market rates.
Don’t Forget the Evidence
ISO 27001 is clear. You must retain documented information for both your risk assessments and treatments. That usually means:
- A documented risk assessment process
- A risk register with owners, ratings, and CIA (Confidentiality, Integrity, Availability) impacts
- Risk treatment plans linked to controls in Annex A
Auditors will expect to see this evidence, whether it’s in spreadsheets, GRC systems, or formal documents.
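To make the two earlier points concrete (a repeatable 6.1.2 assessment that gives comparable results, and the register with owners, ratings, CIA impacts and Annex A links that the evidence list above asks for), here is an added worked example. It is not code from the original post or from any ISO tooling; the risks, owner names and the appetite threshold are constructed, the 1 to 5 scales and rating bands are assumptions you would replace with your own documented criteria, and the Annex A identifiers follow the ISO 27001:2022 numbering (for example A.8.8, Management of technical vulnerabilities).

```python
# Added example: a small, repeatable risk-assessment and register model of the
# kind Clause 6.1.2 (assessment) and 6.1.3 (treatment) require. Every risk,
# score, owner and threshold below is constructed for illustration.
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional

SCALE = range(1, 6)  # 1 (rare / negligible) .. 5 (almost certain / severe)


class Treatment(str, Enum):
    RETAIN = "retain"   # within appetite: accept and monitor
    MODIFY = "modify"   # apply Annex A controls to cut likelihood or impact
    SHARE = "share"     # transfer part of the risk, e.g. cyber insurance
    AVOID = "avoid"     # stop the activity that creates the risk


@dataclass
class Risk:
    risk_id: str
    description: str
    owner: str
    likelihood: int                      # on SCALE
    impact: Dict[str, int]               # {"C": n, "I": n, "A": n}, each on SCALE
    controls: List[str] = field(default_factory=list)   # Annex A identifiers
    treatment: Optional[Treatment] = None               # owner's chosen option, if any


def validate(risk: Risk) -> None:
    """Reject ratings outside the documented scale so results stay comparable."""
    if risk.likelihood not in SCALE:
        raise ValueError(f"{risk.risk_id}: likelihood {risk.likelihood} not on scale 1-5")
    if set(risk.impact) != {"C", "I", "A"}:
        raise ValueError(f"{risk.risk_id}: impact must rate C, I and A")
    for k, v in risk.impact.items():
        if v not in SCALE:
            raise ValueError(f"{risk.risk_id}: impact {k}={v} not on scale 1-5")
    if not risk.owner:
        raise ValueError(f"{risk.risk_id}: every risk needs an owner")


def score(risk: Risk) -> int:
    """Likelihood x worst-case CIA impact on a 5x5 matrix (range 1..25)."""
    validate(risk)
    return risk.likelihood * max(risk.impact.values())


def rating(s: int) -> str:
    """Fixed bands (assumed) so two assessors rating the same risk get the same label."""
    if s >= 15:
        return "High"
    if s >= 8:
        return "Medium"
    return "Low"


RISK_APPETITE = 7   # constructed threshold: any score above this must be treated


def decide_treatment(risk: Risk, appetite: int = RISK_APPETITE) -> Treatment:
    """Retain risks within appetite; above it, require a treatment backed by controls."""
    if score(risk) <= appetite:
        return risk.treatment or Treatment.RETAIN
    if risk.treatment in (Treatment.AVOID, Treatment.SHARE):
        return risk.treatment
    if not risk.controls:
        raise ValueError(f"{risk.risk_id}: above appetite but no Annex A controls linked")
    return Treatment.MODIFY


def build_register(risks: List[Risk], appetite: int = RISK_APPETITE) -> List[dict]:
    """Produce the documented register: one row per risk, highest score first."""
    rows = []
    for r in risks:
        s = score(r)
        rows.append({
            "id": r.risk_id, "owner": r.owner, "score": s, "rating": rating(s),
            "treatment": decide_treatment(r, appetite).value,
            "controls": list(r.controls),
        })
    return sorted(rows, key=lambda row: row["score"], reverse=True)


# Constructed sample register (the second entry echoes the post's "System X" example)
SAMPLE_RISKS = [
    Risk("R-001", "Unpatched software in System X could allow unauthorised access",
         "Head of IT", likelihood=4, impact={"C": 5, "I": 4, "A": 3},
         controls=["A.8.8"]),
    Risk("R-002", "Customer data sent to a partner without encryption",
         "Data Protection Officer", likelihood=2, impact={"C": 4, "I": 2, "A": 1},
         controls=["A.8.24"]),
    Risk("R-003", "Office printer outage delays internal reports",
         "Facilities Manager", likelihood=3, impact={"C": 1, "I": 1, "A": 2}),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_RISKS):
        print(row)
```

Running it lists R-001 (score 20, High, modify via A.8.8) first, then R-002 (score 8, Medium, modify via A.8.24) and R-003 (score 6, Low, retain). The `validate` step is what makes the process repeatable: an assessor cannot enter a rating off the documented scale or leave a risk without an owner, and a risk above appetite cannot sit in the register without a linked treatment, which is exactly the gap auditors look for.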
Why Clause 6.1 Matters
Clause 6.1 is more than a checklist item. It’s the engine that drives the rest of your information security management system. The risks you identify here will shape your controls, your operational actions, and even your incident response.
Get this stage right, and the rest of your ISO 27001 journey will be smoother, more focused, and more effective.
Next Steps to Apply Clause 6.1 in Your Organisation
- Review your context and stakeholders – Make sure you understand what’s at stake before defining risks.
- Define clear risk criteria – Establish your appetite, tolerance, and triggers.
- Document your process – So you can repeat it consistently and compare results over time.
- Link to Annex A – Select and justify the controls that make sense for your environment.