ISO 27001 Clause 6.1.1

Clause 6.1.1 of the ISO 27001 standard provides general guidance on planning risk management. When planning for risk management, the context of the organization and the related organizational issues must be understood. For example, issues might include lack of management support, lack of expertise in risk assessment, lack of resources, or lack of a security-focused culture. These will all drive the overall risk assessment plan. The risk management goals are: Can this ISMS achieve the intended outcomes? Can it prevent and reduce undesired effects? Can it achieve continual improvement? The organization must have plans in place to identify, assess, and treat risks. Quite simply, this means documenting the processes for risk identification, assessment, and treatment, but also showing that they are working in practice.

