ISO 27001 Information Security - Clause 6.1 Actions to address risks and opportunities
1 June 2022 - ISO 27001 Information Security in plain English - Blog post #8.
ISO 27001 - Clause 6.1 Actions to address risks and opportunities really follows on from where clauses 4.1 and 4.2 left off. Having understood the context of the organization (clause 4.1) and determined the requirements of interested parties (clause 4.2), an organization needs to plan how to address the risks and opportunities that face it.
ISO 27001 Information Security in plain English
Information Security is becoming critical to every business, and there is a fast-growing trend towards developing management systems based on the ISO 27001 standard. However, the subject and its terminology can certainly be a little daunting. So, we set out to cut through that in 'ISO 27001 Information Security in plain English' - a series of blog articles that explains all the clauses and controls in the standard.
Actions to address risks and opportunities
So, let's consider how your organization might set about planning actions to address risks and opportunities. Following on from the analysis of Strengths, Weaknesses, Opportunities and Threats referred to in articles #1 and #2 in this series, you need to develop strategies to:
- Maintain and build on your Strengths
- Correct Weaknesses that might be barriers to meeting requirements and achieving objectives
- Grasp or maximise Opportunities
- Mitigate or manage Threats or Risks
In essence, you should have some form of Action Plan to address the risks and opportunities identified. That may take any form that suits your organization, and many will choose to integrate such actions into a wider Action or Improvement programme.
There will be a need to prioritise resources for action to address the greatest risks and biggest opportunities. Those risks and opportunities that are assessed as being insignificant or of relatively low value may need to wait until resources become available, or you may decide that they do not merit being addressed at all. The activity of identifying risks, analysing their likelihood and consequences, and evaluating which of them must be prioritised for action is referred to as Risk Assessment (clause 6.1.2).
Risk assessment is an essential component of an information security management system. If we can list potential issues and assess the likelihood and consequence of them happening, we can derive a level of risk. We can then use that assessed value to guide us in planning and prioritising our control actions. The general principles are:
- What can cause harm?
- What harm can it cause?
- What is the likelihood of it occurring?
- How severe would the consequences be?
- The result can be described as a risk level
A risk matrix is a great tool to help ascertain a perceived risk level. The assessor selects values of Likelihood and Consequence from the available options on the horizontal and vertical axes. The cell where these meet on the matrix gives the resultant Risk level. The matrix is sometimes described as a "semi-quantitative" method of risk assessment. That means that it is not a fully calculated model (as might be used in, say, the preparation of an insurance quotation) but a framework that provides an ordering of values to assist in the risk assessment and, ultimately, the decision-making process. Whatever scales you choose, clause 6.1.2 requires that repeated assessments produce consistent, valid and comparable results, so the scales and the meaning of each band should be written down before any risk is scored, and the same matrix should be used when re-assessing residual risk after treatment.
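As an added illustration of the semi-quantitative approach (example code written for this article, not code from the post or from the Qudos 3 IMS software): a 5 x 5 matrix whose scales, bands, risk appetite and register entries are all assumed values, used to score a small register, pick out the risks that exceed appetite in priority order, and re-score the residual risk after a planned treatment with the same matrix.

```python
"""Semi-quantitative risk matrix: score a register, prioritise treatment, check residual risk.

Scales, bands, appetite and the register below are example choices (assumptions);
an organisation defines its own and records them in its risk assessment procedure.
"""
from dataclasses import dataclass
from typing import List, Optional

# 1..5 ordinal scales; the labels are assumptions, not prescribed by ISO 27001.
LIKELIHOOD = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost certain"}
CONSEQUENCE = {1: "Negligible", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Severe"}

# Lowest matrix score that falls into each band (assumed banding).
BANDS = ((15, "Critical"), (8, "High"), (4, "Medium"), (1, "Low"))
ORDER = ["Low", "Medium", "High", "Critical"]
RISK_APPETITE = "Medium"  # highest level accepted without further treatment (assumption)


def risk_level(likelihood: int, consequence: int) -> str:
    """Return the band for the cell where likelihood and consequence meet."""
    if likelihood not in LIKELIHOOD or consequence not in CONSEQUENCE:
        raise ValueError("likelihood and consequence must be on the 1..5 scales")
    score = likelihood * consequence
    for floor, name in BANDS:
        if score >= floor:
            return name
    raise AssertionError("unreachable: every score >= 1 matches a band")


@dataclass(frozen=True)
class Risk:
    ref: str
    description: str
    likelihood: int
    consequence: int

    @property
    def score(self) -> int:
        return self.likelihood * self.consequence

    @property
    def level(self) -> str:
        return risk_level(self.likelihood, self.consequence)

    def exceeds_appetite(self, appetite: str = RISK_APPETITE) -> bool:
        return ORDER.index(self.level) > ORDER.index(appetite)


def prioritise(register: List[Risk], appetite: str = RISK_APPETITE) -> List[Risk]:
    """Risks that need treatment, worst first.

    Ties on score are broken by consequence, so a rare but severe risk is not
    buried beneath a frequent nuisance that happens to have the same score.
    """
    needing = [r for r in register if r.exceeds_appetite(appetite)]
    return sorted(needing, key=lambda r: (r.score, r.consequence), reverse=True)


def treat(risk: Risk, new_likelihood: Optional[int] = None,
          new_consequence: Optional[int] = None) -> Risk:
    """Residual risk after a planned control, scored with the same matrix.

    A control that only reduces likelihood (e.g. MFA) leaves consequence unchanged;
    one that only limits impact (e.g. tested backups) leaves likelihood unchanged.
    """
    return Risk(
        risk.ref, risk.description,
        risk.likelihood if new_likelihood is None else new_likelihood,
        risk.consequence if new_consequence is None else new_consequence,
    )


# Constructed sample register (illustrative entries, not taken from the post).
REGISTER = [
    Risk("R1", "Phishing leads to credential theft on staff mailboxes", 4, 3),
    Risk("R2", "Ransomware encrypts the file server; backups untested", 3, 5),
    Risk("R3", "Unencrypted laptop lost in transit", 2, 4),
    Risk("R4", "Visitor reads a screen in reception", 3, 1),
]

if __name__ == "__main__":
    for r in prioritise(REGISTER):
        print(f"{r.ref} {r.level:8} score={r.score:2} "
              f"({LIKELIHOOD[r.likelihood]} / {CONSEQUENCE[r.consequence]}) {r.description}")
    # Treatment plan for R2: tested backups limit impact, then MFA on the admin path cuts likelihood.
    residual = treat(REGISTER[1], new_consequence=3)
    print("R2 after tested backups:", residual.level, "- still needs treatment:", residual.exceeds_appetite())
    residual = treat(residual, new_likelihood=2)
    print("R2 after backups + MFA:", residual.level, "- still needs treatment:", residual.exceeds_appetite())
```

The point to notice is that the residual-risk check uses the same matrix and appetite as the initial assessment: a risk that has been "treated" but still lands above appetite goes straight back onto the treatment plan rather than being quietly accepted.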
Having identified and assessed risks, the next step is to treat them (clause 6.1.3). Depending on the results of the assessment, treatment options need to be selected, the controls necessary to implement those options determined, and the controls implemented. This is where the famous ISO 27001 Annex A comes in. Annex A lists controls to be considered and addressed as applicable, and the standard requires you to compare the controls you have determined against Annex A so that no necessary control has been overlooked. In the 2013 edition of the standard, there are 114 controls in 14 domains. They form a major part of any ISMS based on that standard, and Annex A is actually longer than the section containing the regular clauses.
Note: At the time of writing this article, an update to ISO 27001 (planned for release in October 2022) is in preparation and includes a number of changes to the Annex A controls. We will be covering those controls in this series.
ISO 31000 Risk management – Guidelines
Another standard worth mentioning here is ISO 31000:2018, Risk management – Guidelines. It provides principles and generic guidelines on managing risk of any kind, so it is very relevant to ISO 27001's clause 6.1 Actions to address risks and opportunities. It can be used by any organization regardless of its size, activity or business sector. ISO 31000 itself is not a certification standard, but it is often used alongside standards that are, including ISO 27001.
SOA (Statement of applicability)
One of the requirements of clause 6.1 Actions to address risks and opportunities (specifically 6.1.3 d) is to produce a 'Statement of Applicability' (SOA). It lists the controls you have determined to be necessary, with the justification for including each one and whether it is currently implemented, and it must also justify the exclusion of any Annex A control you have decided does not apply. In other words, every Annex A control is either adopted, with a reason, or explicitly ruled out, with a reason.
The SOA does not have to be restricted to just the controls in Annex A but may also include reference to other compliance obligations. For example, a company that processes payment card transactions may also refer to compliance with PCI DSS (Payment Card Industry Data Security Standard) requirements.
The SOA may be a standalone document or included in a broader ISMS Overview or framework.
Using software to help address risk
As you can see from the above, this clause requires quite a lot of thought and planning. A risk assessment methodology needs to be adopted, then relevant risks identified, assessed and categorised. Then actions need to be planned to treat those risks. This is certainly one clause that can be addressed much more effectively and efficiently by using software. That can provide the structure and automation to help you really get on top of the requirements.
ISO 27001 InfoSec Toolkit contains a more in-depth explanation of the requirements referred to above. It also includes template documents based on the requirements of clause 6.1 Actions to address risk and opportunities. Those include model SOAs and risk assessment procedures. It is available as part of Qudos 3 IMS software.
In addition to the toolkit, Qudos 3 IMS software includes dedicated and fully-integrated Risk and Action modules. These provide a great framework for your risk management process, help you get off to a flying start, and then maintain the system much more easily.
About the series 'ISO 27001 Information Security in plain English'
This blog post is part of a series where we will work through all the clauses and controls in ISO 27001. A great starting point for developing your ISMS.
This blog series began with an introductory webinar. A copy of the slide deck is available for you here:
Qudos_ISO_27001 Information_Security_in_plain_English (PDF)
There's nothing like word of mouth to share creative content. So, if you found this blog useful, please share it with a colleague or business associate.
Ready to start your journey to ISO 27001?
The first step to commencing a management system based on ISO 27001 is to conduct a Gap Analysis. We can provide a qualified, experienced certification auditor to perform a professional Gap Analysis service for you.
Contact us today to discuss your needs!