When it comes to ISO 27001, Clause 6.1 is where the action begins. This is the point in the standard where you stop talking about security in the abstract and start planning how to actually tackle risks and seize opportunities.
It’s part of the Planning section (Clause 6), and it breaks down into three parts:
6.1.1 General: the overall requirement to determine the risks and opportunities the ISMS must address.
6.1.2 Information security risk assessment: defining and applying a consistent process for identifying, analysing and evaluating risks.
6.1.3 Information security risk treatment: choosing treatment options, determining the necessary controls, producing the Statement of Applicability and the risk treatment plan.
Understanding these clauses — and how they link with Clause 8 (Operation) — is key to building a practical, responsive information security management system.
Think of Clause 6 as your blueprint stage. Here you design the process: the risk criteria (including what level of risk you will accept) and the assessment method (6.1.2), and then how risks will be treated, which controls are necessary, and the Statement of Applicability and risk treatment plan that record those decisions (6.1.3).
When you get to Clause 8, you take those plans and put them into action — conducting the actual risk assessments (8.2) and implementing your treatments (8.3).
But it’s not a one-way journey. You’ll often bounce back and forth between planning and doing. Maybe you discover a new vulnerability while implementing controls — you’ll need to loop back to Clause 6, update your plan, and then push forward again.
Early on, many organisations keep their risk registers fairly high level:
“There’s a risk of a data breach.”
That’s fine for a start. But as your system matures, you dig deeper:
“In System X, unpatched software could allow unauthorised access.”
Clause 6.1.2 pushes you to create a repeatable risk assessment process, one that produces consistent, valid and comparable results every time it is run. In practice that means a defined way to identify risks (and assign each one a risk owner), to analyse them by rating likelihood and consequence, often on a risk matrix with qualitative or quantitative scales, and to evaluate the resulting risk level against your criteria so that risks can be prioritised for treatment.
Your organisation decides how much risk is acceptable, its risk appetite, and top management signs off on the risk acceptance criteria and the criteria for performing assessments. ISO 27001 doesn’t prescribe exact numbers or scales, but it expects you to define your own criteria and apply them consistently.
The point is to avoid “winging it” — the process should be documented, structured, and repeatable.
Once you’ve assessed the risks, Clause 6.1.3 is about choosing how to treat them: modify the risk by applying controls, retain it, avoid the activity that creates it, or share it (for example through insurance). Where you apply controls, Annex A comes in: a reference list of 93 controls (in the 2022 edition) that you compare against the controls you have determined, to check you haven’t overlooked a necessary one. You won’t need them all, but you must produce a Statement of Applicability: a single document listing every Annex A control, whether it is applicable, the justification for including or excluding it, and whether it is implemented. Alongside it sits a risk treatment plan, which the risk owners must approve, together with their acceptance of the residual risks.
For example:
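The following is an added, illustrative example and not part of the original article or of the standard’s text. It models a small risk register in Python, applies a fixed scoring rule and risk acceptance criterion (6.1.2), decides retain-or-modify for each entry and checks the residual risk (6.1.3), then derives Statement of Applicability rows from the controls actually selected. The five-point scales, the appetite threshold of 4, the register entries and the justification wording are all assumptions; the Annex A identifiers and titles are a small subset of ISO/IEC 27001:2022 Annex A.

```python
"""Minimal ISO 27001 Clause 6.1 risk register: assess (6.1.2), decide treatment (6.1.3),
and derive Statement of Applicability rows from the controls actually selected.
Added example; scales, threshold and register contents are assumptions, not the standard's."""
from dataclasses import dataclass, field
from typing import Optional

# Assumed five-point scales and acceptance criterion; ISO 27001 leaves these to you.
LIKELIHOOD = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
IMPACT = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}
RISK_APPETITE = 4  # scores <= 4 may be retained without treatment (assumed criterion)
BANDS = [(4, "Low"), (9, "Medium"), (14, "High"), (25, "Critical")]

# Illustrative subset of Annex A (ISO/IEC 27001:2022) control identifiers and titles.
ANNEX_A = {
    "A.5.15": "Access control",
    "A.6.3": "Information security awareness, education and training",
    "A.7.7": "Clear desk and clear screen",
    "A.8.5": "Secure authentication",
    "A.8.8": "Management of technical vulnerabilities",
}


@dataclass
class Risk:
    risk_id: str
    scenario: str            # asset + threat + vulnerability, not just "a breach"
    owner: str               # 6.1.2 requires an identified risk owner
    likelihood: int
    impact: int
    controls: list = field(default_factory=list)  # Annex A ids chosen under 6.1.3
    residual_likelihood: Optional[int] = None     # expected rating after treatment
    residual_impact: Optional[int] = None


def score(likelihood, impact) -> int:
    """Single scoring rule so results are comparable between assessments."""
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError(f"ratings must be 1-5, got {likelihood!r}, {impact!r}")
    return likelihood * impact


def band(s: int) -> str:
    """Map a score onto the qualitative bands of the (assumed) risk matrix."""
    return next(label for upper, label in BANDS if s <= upper)


def evaluate(risk: Risk) -> dict:
    """6.1.2 evaluation plus 6.1.3 treatment decision for one register entry."""
    inherent = score(risk.likelihood, risk.impact)
    if inherent <= RISK_APPETITE:
        return {"id": risk.risk_id, "inherent": inherent, "band": band(inherent),
                "treatment": "retain", "residual": inherent, "within_appetite": True}
    if not risk.controls:
        raise ValueError(f"{risk.risk_id}: score {inherent} exceeds appetite but no controls selected")
    for c in risk.controls:
        if c not in ANNEX_A:
            raise ValueError(f"{risk.risk_id}: unknown control {c}")
    residual = score(risk.residual_likelihood, risk.residual_impact)  # fails if not rated
    return {"id": risk.risk_id, "inherent": inherent, "band": band(inherent),
            "treatment": "modify", "controls": list(risk.controls),
            "residual": residual, "within_appetite": residual <= RISK_APPETITE}


def statement_of_applicability(risks) -> dict:
    """One SoA row per Annex A control: applicable if some risk treatment selects it."""
    used = {}
    for r in risks:
        for c in r.controls:
            used.setdefault(c, []).append(r.risk_id)
    return {cid: {"title": title, "applicable": cid in used,
                  "justification": (f"selected to treat {', '.join(used[cid])}" if cid in used
                                    else "no risk in the register requires this control; review at next assessment")}
            for cid, title in ANNEX_A.items()}


REGISTER = [  # constructed sample entries
    Risk("R-001", "Unpatched software on System X allows unauthorised access", "Head of IT",
         likelihood=4, impact=4, controls=["A.8.8", "A.5.15"], residual_likelihood=1, residual_impact=4),
    Risk("R-002", "Visitor reads notes left on a meeting-room whiteboard", "Facilities manager",
         likelihood=2, impact=2),
    Risk("R-003", "Phishing email leads to staff credential theft", "CISO",
         likelihood=5, impact=3, controls=["A.8.5", "A.6.3"], residual_likelihood=2, residual_impact=3),
]


def treatment_plan(risks=REGISTER) -> list:
    return [evaluate(r) for r in risks]


if __name__ == "__main__":
    for row in treatment_plan():
        flag = "" if row["within_appetite"] else "  <- residual above appetite: owner must accept or treat further"
        print(f"{row['id']}: inherent {row['inherent']} ({row['band']}), {row['treatment']}, residual {row['residual']}{flag}")
    for cid, row in statement_of_applicability(REGISTER).items():
        print(f"{cid} {row['title']}: {'applicable' if row['applicable'] else 'excluded'}; {row['justification']}")
```

Two design points matter more than the arithmetic. First, the acceptance criterion is applied twice: to the inherent score to decide whether treatment is needed at all, and to the residual score to decide whether the risk owner can simply approve the plan or must explicitly accept a risk that remains above appetite (R-003 in the sample). Second, the SoA is generated from the register rather than written separately, so every included control traces back to the risk it treats, which is exactly the link an auditor will ask you to show.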
Here’s a bonus: a well-implemented ISO 27001 system can even influence your cyber insurance premiums. Insurers want assurance that you’ve identified and addressed your risks. Certification — backed by independent audits — can demonstrate that you’re a lower risk, which in some cases has led to reduced or stabilised premiums despite rising market rates.
ISO 27001 is clear. You must retain documented information about your risk assessment process (6.1.2) and your risk treatment process (6.1.3), and Clause 8 adds the results of each assessment and treatment you actually carry out. That usually means: the risk criteria and assessment method you defined; the risk register itself, with each risk’s owner, ratings and evaluated level; the risk treatment plan with the risk owners’ approval and acceptance of residual risks; and the Statement of Applicability.
Auditors will expect to see this evidence, whether it’s in spreadsheets, GRC systems, or formal documents.
Clause 6.1 is more than a checklist item. It’s the engine that drives the rest of your information security management system. The risks you identify here will shape your controls, your operational actions, and even your incident response.
Get this stage right, and the rest of your ISO 27001 journey will be smoother, more focused, and more effective.