Resources
Everything you need to know
Company
Security and customers first
Close

Request a demo

Find out today the difference that Hicomply’s unique solution can make to your business.

Close

Thank you for your request

Success

In the meantime, connect with Hicomply for insights on authentication and fraud prevention

Close

ROI Calculator

See how much you could save with Hicomply

Hicomply feature Yearly saving
Automated scoping Easily scope your ISMS with the Hicomply platform
Asset register autogeneration A shorter learning curve for organisations and a simplified process
Risk assessment Autogenerate your risk register and risk treatment plan
Extended policy templates 90% of the essential are already written out of the box
Controls framework All controls are pre-loaded and already linked to the risks they mitigate
Task management Automate all actions, administration and setup time of your ISMS
Real time monitoring Understand status and progress across your ISMS with the Hicomply dashboard
Compliance & Training Your whole team, on the same page
Audit readiness Hicomply makes sure you have everything in place for your audit
Auditor access Give auditors a dedicated login to access and audit your ISM
Back to Resource Hub

ISO 27001 Clause 6.1: Actions To Address Risk And Opportunity

6.1.1 General

­This clause requires the organisation to plan a course of action to tackle the risk and opportunities discussed in clause 4.1 the context of the organisation and clause 4.2 needs and expectations of interested parties in a way that the ISMS:

  • can achieve its intended outcomes.
  • reduces the chance of undesirable events; and
  • continually improves

The organisation must plan an action to identify and treat these risks and opportunities and integrate these actions in the ISMS and evaluate the results over time.

6.1.2 Information security risk assessment

Risk assessment is done by determining threats and vulnerabilities in the organisation and assigning a level of impact of each risk. The organisation must come up with a process to assess information security risk and apply that process in a way that establishes criteria for the assessment. These criteria broadly include the overall risk acceptance criteria the specific information security risk assessment. Risk assessment is the most complex as well as most important part of the standard, as it provides a foundation for the information security policy of the organisation. The risk assessment process must be conducted at planned intervals to produce consistent, valid and comparable results.

When such process is approved by the management, the process shall be applied to identify threats and associated vulnerabilities that can lead to loss of confidentiality, integrity or availability of the information that needs to be secured in the context of ISMS. The organisation must identify risk owners related to these risks. Risk owners are the individual or authorities appointed by the management to manage a particular risk. These persons are interested in managing that risk and have authority to do something about that.

Analysis of the identified risks is the next step in the assessment. This analysis attempts to determine the potential consequences of the identified risks if they materialize, for example, risk can impact the financial position or the reputation of the company. This assessment can be quantitative and/or qualitative depending upon the type of risks. The organisation must assess the realistic possibility of occurrence of these risks (probability). For example, a data leak can occur regularly, but a natural calamity has a low probability of happening.

These risks must be scaled to different levels according to their probability and must be ranked according to the level of the risk determined by the organisation as per the organisational impact.

After the identification and assessment of the different risks, the results must be compared with the criteria defined earlier by the organisation. The organisation has then prioritized these risks for risk treatment depending upon the level assigned to the risk and urgency for treatment. There may be several high rated risks which the organisation must prioritise and decide the order in which these risks should be treated.

The organisation must keep all the information regarding the information security risk assessment process, all the steps company has taken during the process, in a documented form.

6.1.3 Information security risk treatment

Risk assessment is done to determine threats and vulnerabilities in information security and to find the best possible treatment for the identified risks to guide the organisation to allocate optimum resources for the treatment. For each risk assessment report, a strategy must be constructed to enable each risk individually to deal with the risks at affordable cost.

These treatment processes need to be implemented ideally by implementing at least controls provided in the Annexure A of the ISO standard. The organisation must decide which controls are needed to properly implement these treatment options and can design their own set of controls or can adopt from any other source as required by the treatment.

The third step is to compare the controls implemented for the treatment and the controls provided in the Annexure A of the standard. Annex A comes with a comprehensive list of controls but in general, all the controls are not needed to be implemented but only those required by the treatment. This step determines if any necessary control is overlooked or omitted in the process. The controls in Annex A are not exhaustive, any control or control objective required by the treatment can be added.

The next step requires a statement of applicability. The statement of applicability must contain all the controls whether they are implemented or not with a justification for inclusion or exclusion from the process. The controls for the statement of applicability relies mainly on Annex A but if there is a custom control implemented in the process it should be included in the statement of applicability.

With the information gathered from the above steps, the organisation must formulate the most suitable information security risk treatment plan. Successful formulation of the plan can increase the chances of success of the risk treatment. The newly formulated plan must be approved by the risk owner and an acceptance of residual information security risks.

More Resource Hub

ISO27001
SOC 2 Policies and Procedures
ISO27001
What Is The NHS Data Security and Protection…
ISO27001
Whitepaper | How To Choose The Best Information…