ISO 27001 Information Security - Clause 6.1 Actions to address risks and opportunities

Actions to address risks and opportunities

So, let's consider how your organization might set about planning actions to address risk and opportunities. Following on from the analysis referred to in article #1 and article #2 in this series, you need to develop strategies to:

• Maintain and build on your Strengths
• Try to correct Weaknesses that might be barriers to meeting requirements and achieving objectives
• Grasp or maximise Opportunities
• Mitigating or managing Threats or Risks

In essence, you should have some form of Action Plan to address the risks and opportunities identified. That may take any form that suits your organization, and many will choose to integrate such actions into a wider Action or Improvement programme.

There will be a need to prioritise resources for action to address the greatest risks and biggest opportunities. Those risks and opportunities that are assessed as being insignificant or of relatively low value may need to wait until resources become available, or you may decide that they do not merit being addressed at all. The activity of determining what risks and opportunities must be prioritised for action is referred to as Risk Assessment.

Risk Assessment

Risk assessment is an essential component of an information security management system. If we can list potential issues and assess the likelihood and consequence of them happening, we can derive a level of risk. We can then use that assessed value to guide us in planning and prioritising our control actions. The general principles are:

• What can cause harm?
• What harm can it cause?
• What is the likelihood of it occurring?
• How severe would the consequences be?
• The result can be described as a risk level

A risk matrix is a great tool to help ascertain a perceived risk level. The assessor selects values of Likelihood and Consequence from the available options on the horizontal and vertical axis. Where these meet on the matrix is the resultant Risk level. The matrix is sometimes described as a "semi-quantitative" method of risk assessment. That means that it is not a fully calculated model (as may be used in say, preparation of an insurance quotation) but a framework to provide an order of values that assist in the risk assessment and ultimately, the decision-making process.

Risk Treatment

Having identified risks and assessed them, the next step is to treat or manage them. Depending on the results of risk assessments, options need to be determined to treat or manage them, and the necessary controls need to be implemented. This is where the famous ISO 27001 Annex A kicks in. Annex A lists controls to be considered and addressed as applicable. In the 2013 edition of the standard, there are 114 controls in 14 domains. They form a major part of any ISMS based on that standard, and Annex A is actually longer than the section containing the regular clauses.

Note: At the time of writing this article, there is an update of ISO 27001 (planned for release in October 2022) which includes a number of changes to the Annex controls. We will be covering those controls in this series.

ISO 31000 Risk management – Guidelines

Another standard that is worth mentioning here is ISO 31000:2018. That provides principles and generic guidelines on managing risks. Therefore, it is very relevant to ISO 27001's clause 6.1 Actions to address risk and opportunities. It can be used by any organization regardless of its size, activity or business sector. While ISO 31000 itself cannot be used for certification purposes, it is often used alongside other certification standards - inlcuding ISO 27001.

SOA (Statement of applicability)

One of the requirements of clause 6.1 Actions to address risk and opportunities is to document an 'SOA (Statement of applicability)' that includes consideration of all the controls listed in Annex A of the standard. It should explain why the control is either considered to be applicable to your ISMS or justify why it is not.

The SOA does not have to be restricted to just the controls in Annex A but may also include reference to other compliance obligations. For example, a company that processes payment card transactions may also refer to compliance with PCIDSS (Payment Card Industry Data Security Standard) requirements.

The SOA may be a standalone document or included in a broader ISMS Overview or framework.

Using software to help address risk

As you can see from the above, this clause requires quite a lot of thought and planning. A risk assessment methodology needs to be adopted, then relevant risks identified, assessed, and categorised. Then actions need to be planned to treat those risks. This is certainly one clause can be addressed much more effectively and efficiently by using software. That can provide a structure and automation to help you really get on top of the requirements.

ISO 27001 InfoSec Toolkit contains a more in-depth explanation of the requirements referred to above. It also includes template documents based on the requirements of clause 6.1 Actions to address risk and opportunities. Those include model SOAs and risk assessment procedures. It is available as part of Qudos 3 IMS software.

In addition to the toolkit,  Qudos 3 IMS software includes dedicated and fully-integrated Risk and Action modules. These provide a great framework for your risk management process, help you get off to a flying start, and then maintain the system much more easily.