Clause – 6

Planning

Overview:

Clause 6 of ISO/IEC 27001:2022 outlines the requirements for planning within an Information Security Management System (ISMS). 

Implementation Guidance :

Actions to address risks and opportunities

  1. Identify the risks and opportunities considering internal and external issues, and requirements of interested parties. This essentially means the inputs of  the understanding the organisation and context should be considered for the risk assessment.
  2. Plan actions to address these risks and opportunities.
  3. Integrate and implement these actions into ISMS processes.
  4. Evaluate the effectiveness of these actions.

Information security risk assessment

  1. Develop and establish an information security risk assessment process.
  2. Identify information security risks.
  3. Analyze these information security risks by assessing potential consequences and likelihood of occurrence.
  4. Evaluate information security risks against established risk criteria.
  5. Document and maintain information about the risk assessment process

Information security risk treatment

  1. An information security risk treatment process shall be defined and established
  2. Appropriate risk treatment options shall be identified and selceted for mitigating the risks
  3. Identify the necessary controls to implement the risk treatment options.
  4. Compare the controls with those in Annex A and ensure that no necessary controls have been omitted.
  5. Produce a Statement of Applicability with the list of necessary controls and justification for inclusions and exclusions.
  6. Develop an information security risk treatment plan.
  7. Obtain risk owners’ approval of the plan and acceptance of residual risks.

 Information security objectives and planning to achieve them

  1. Define and establish information security objectives for relevant function in the organisation
  2. Ensure that the objectives are aligned with the information security policy of the organisation 
  3.  Communicate the objective with the respective stakeholders
  4.  Ensure that the objectives are updated as required
  5.  Maintain the documentation of the information security objectives
  6. Develop a project plan to achieve the objectives. The plan should include: 

The person responsible, the resources required, what needs to be achieved and the timeline for completion

Planning of changes

  1. Any changes to the ISMS should be done in a planner manner
  2. Develop a project plan for implementing the changes
  3. Thet plan should have the details like the list of activities, ownership of the task, timelines and tracking. 

Examples and use cases:

  1. A hospital sets and objectives to train their employees on safeguarding the patient information. They have assigned the responsibility to the information security office and a deadline has been set to achieve the objective.
  2. A  financial institution has identified that phishing attacks has significantly increased targeting their platform and have decided to mitigate the risk by implementing MFA.
  3.  An ITeS organzation has decided to upgrade the current ISO/IEC 27001:2013 version of the standard to the 2022 version. They have developed a project plan with the tasks and milestones identified along with timelines.

Compliance Checklist:

  1. Information Security Risk Assessment Procedure
  2. Information Security Risk Assessment Methodology
  3. Information Security Risk Register
  4. Information Security Risk Treatment Plan
  5. Statement of Applicability
  6. Information Security Objectives & Plan
  7. Change Management Policy and Procedure
  8. Change Request Forms and Approval Records
  9. Management Review Minutes (discussing risks, opportunities, and objectives)
Scroll to Top