ISO 27001 Clause 6.1 Actions to address risks and opportunities


As with all management system standards, ISO/IEC 27001:2013 addresses the design of actions to manage a wide variety of risks and opportunities. Risk assessment and risk treatment planning are part of this process.

In ISO/IEC 27001, the risk categories are divided into:

– Potential risks and opportunities relating to the intended outcome(s) of the ISMS;
– Information security risks associated with the loss of confidentiality, integrity, and availability of information within the scope of the ISMS.

The first category should be handled according to the general requirements of ISO/IEC 27001:2013. Risks in this category include those relating to the ISMS itself, its scope, the commitment of top management to information security, and the resources required to operate an ISMS. Opportunities in this category include those involving the outcome(s) of an ISMS, its commercial value, its efficiency, and controls related to information security.

The second category of risk relates to the ability of the ISMS to protect information against loss of confidentiality, integrity and availability. Managing these risks should take into account the information security risk assessment as well as the information security risk treatment. Organizations may prefer to use a different technique for each category.

As part of the process of addressing risks, the following requirements are commonly described:

– It encourages compatibility with other management system standards, in particular where an organization has integrated systems for quality, the environment, and information security;
– It requires the organization to create detailed and comprehensive procedures for assessing and managing information security risks;
– It asserts that information security risk management provides the basis for an ISMS. According to ISO/IEC 27001:2013, it is necessary to ‘determine risks and opportunities’ and to ‘address those risks and opportunities’. The word “determine” resembles the word “assess” used in ISO/IEC 27001:2013 (which means to identify, analyze, and evaluate). Similarly, the term “address” is often considered equivalent to the term “treat” as it appears in ISO/IEC 27001:2013.

Organizations that plan for an ISMS take into account issues related to understanding the organization and its context, as well as requirements related to understanding the needs and expectations of stakeholders.

Guidelines for implementation

To determine if a risk or opportunity is relevant to the intended outcome(s) of the ISMS, the organization needs to determine how its internal and external requirements are supported.

Following that, the organization will plan its ISMS to:

– Ensure that the ISMS achieves its intended outcome(s), such as making sure that risk owners are aware of information security risks and take appropriate steps to manage them;
– Prevent or reduce the undesired effects of risks to the ISMS outcome(s);
– Continually improve, for example by identifying and correcting weaknesses within the management processes or by taking advantage of new opportunities to increase information security. Related risks include unclear processes and responsibilities, poor employee understanding, and poor management engagement. Risks may also stem from poor risk management or a lack of awareness of risks, as well as from poor management of documents and processes in the ISMS.

The activities of an organization, once pursued, in turn affect the organization’s context (ISO/IEC 27001:2013) and the expectations of its stakeholders (ISO/IEC 27001:2013), which may alter the organization’s risks.

There are many opportunities, such as the following:

The business can concentrate on one or more products or services, establish marketing strategies in certain countries, or partner with other organizations to expand its reach. There are also opportunities for continual improvement of ISMS processes and documentation, as well as evaluation of the intended outcomes. A relatively new ISMS, for example, often presents its own opportunities for simplifying processes, reducing administrative overhead, eliminating procedures that are not cost-effective, improving documentation, and introducing new technologies.

Planning includes determining:

– Actions to address risks and opportunities;
– How to integrate and implement these actions into the ISMS processes;
– How to evaluate the effectiveness of these actions.

An organization should:

1. Identify the risks and opportunities that will affect the achievement of the objectives, based on the issues identified in understanding the organization and its context, as well as the requirements identified in understanding the needs and expectations of stakeholders;
2. Develop a plan for implementing the determined actions and measuring their effectiveness.

Integrating existing documents and processes with information security should be considered when planning actions. Actions taken to meet information security objectives include the assessment and treatment of information security risks. As part of the general requirement to continually improve the ISMS outlined in ISO/IEC 27001:2013, clause 10.2 refers to achieving continual improvement as described in 6.1.1 and other relevant provisions of ISO/IEC 27001:2013. Different actions may be needed at a strategic, tactical, or operational level, for different sites, or for different systems.

Two of the most common approaches are:

– Planning, implementing, operating, and maintaining the ISMS independently of the treatment of information security risks;
– Considering all risks at once.

If an organization wants to integrate an ISMS into its existing business planning methodology, it may find that its existing management system can meet its needs. If this is the case, the method should be verified to ensure that it covers all the requirements. To demonstrate the effectiveness of an organization’s management system, there must be a written record of the activity and its outcome.
