ISO/IEC 27001 Clause 6 – Risk Management & Planning

Last Updated on September 23, 2025 by Melissa Lazaro

Introduction: ISO/IEC 27001 Clause 6 – Risk Management & Planning

If there’s one area where ISO/IEC 27001 really separates the prepared from the unprepared, it’s Clause 6 – Risk Management & Planning. This is where organizations often stumble, because “risk” sounds technical, abstract, and complicated. Some overcomplicate it with endless scoring models; others oversimplify it by copying a generic risk register they found online. Both approaches miss the point.

Here’s what I’ve noticed in practice: companies that get Clause 6 right don’t just satisfy auditors—they actually improve resilience and decision-making. Why? Because they’re aligning their information security risks and objectives with the real-world context of their business. Instead of reacting to problems, they plan ahead.

Clause 6 matters because it sets the direction for everything that follows in your ISMS. If you don’t define risks properly, your treatment plan and objectives won’t hold up. But if you do, you end up with a system that’s practical, focused, and much easier to improve over time.

By the end of this article, you’ll understand:

  • Why risk-based planning is at the core of ISO/IEC 27001.

  • How to conduct a risk assessment and treatment that auditors will trust.

  • What effective ISMS objectives look like in practice.

  • The pitfalls that cause most organizations to trip up—and how you can avoid them.

Now that we’ve set the stage, let’s dig into Clause 6.1 and why risk-based thinking is the backbone of ISO/IEC 27001.

ISO/IEC 27001 Clause 6.1 – Why Risk-Based Planning Matters

Clause 6.1 is where ISO/IEC 27001 really shows its teeth. The standard isn’t about throwing controls at problems randomly—it’s about using risk-based planning to decide where to focus effort, money, and resources.

In simple terms: if you don’t know your risks, you don’t know what to protect or how. That’s why Clause 6.1 tells you to look at both risks (things that could harm your ISMS) and opportunities (ways to strengthen it). Most organizations naturally focus on threats—like data breaches, system outages, or supplier failures. But they often forget opportunities, like using strong security to win new clients or boost trust with existing ones.

I’ve seen companies treat risk assessment as a one-off “audit requirement.” They run a workshop, produce a spreadsheet, and file it away until the next certification cycle. The problem? Their ISMS stays static while their environment changes. New technologies, new regulations, and new threats emerge, but the risk register doesn’t move. Auditors catch this quickly.

Here’s a real example: one client, a logistics company, identified “cyberattacks” as a top risk—pretty standard. But when we dug deeper, their real exposure came from supply chain disruptions. A ransomware hit on a supplier could cripple their operations. By capturing that in Clause 6.1 and planning for it, they built redundancy into their supplier network and saved themselves from major downtime later on.

The takeaway is simple: Clause 6.1 isn’t paperwork—it’s the backbone of your ISMS. Done right, it turns your security plan from reactive firefighting into proactive risk management.

ISO/IEC 27001 Clause 6.1.2 – Information Security Risk Assessment Process

Clause 6.1.2 takes the big idea of “risk-based planning” and makes it concrete: you need a defined, repeatable process for assessing information security risks. Auditors don’t just want to see a risk register; they want to see how you got there.

A strong risk assessment process should cover:

  • Risk criteria – how you decide whether a risk is acceptable (acceptance criteria) and the criteria for performing assessments, fixed before any scoring starts.

  • Methodology – qualitative scoring (low/medium/high), quantitative values, or a hybrid.

  • Risk identification – the risks to the confidentiality, integrity and availability of information within the ISMS scope, each with a named risk owner.

  • Consistency – everyone in the organization applies the same method, so repeated assessments produce valid, comparable results.

  • Documentation – the process itself needs to be documented, not just the results.

Where companies slip up is by treating risk assessment like a brainstorming session with no structure. I’ve seen organizations create lists of risks with no scoring, no prioritization, and no clear rules for acceptance. When an auditor asks, “How do you know this risk is acceptable?”—they can’t answer.

Here’s what works in practice:

  • Define a risk matrix with likelihood on one axis and impact on the other.

  • Score each risk according to the agreed criteria.

  • Prioritize risks that fall into the high-impact/high-likelihood zone.

For example, a financial services company I worked with scored the risk of phishing attacks as “high likelihood, high impact.” That placed it in the critical zone, which justified investment in training and email filtering. Lower risks, like occasional printer downtime, were accepted as tolerable.

The strength of Clause 6.1.2 lies in its structure. When your risk assessment process is clear, repeatable, and documented, you avoid arguments, guesswork, and audit findings.

ISO/IEC 27001 Clause 6.1.3 – Information Security Risk Treatment

Once you’ve identified and assessed risks under Clause 6.1.2, the next step is deciding how to deal with them. Clause 6.1.3 requires a defined risk treatment process: select a treatment option for each risk, determine the controls needed to implement it, compare those controls against Annex A to check that nothing necessary has been overlooked, record the result in a Statement of Applicability, and produce a risk treatment plan that clearly shows which option you’ve chosen for each risk and why.

In practice, you have four main choices:

  • Avoid – stop the activity that creates the risk. Example: a company discontinues an outdated payment system that exposes customer data.

  • Transfer (share) – shift part of the risk to another party. Example: purchasing cyber insurance, or outsourcing hosting to a cloud provider with stronger security.

  • Mitigate (modify) – apply controls to reduce likelihood or impact. Example: implementing multi-factor authentication to lower the chance of account compromise.

  • Accept (retain) – tolerate the risk if it is within your acceptance criteria. Example: accepting the minor risk of short printer outages because the business impact is negligible.

ISO/IEC 27001 itself does not name these options; the labels come from ISO/IEC 27005, which calls them avoidance, sharing, modification and retention. One caveat on transfer: insurance or a cloud provider shifts some of the consequences, not the accountability. The data, the customers and the regulatory obligations remain yours, and the provider’s controls become something you have to verify rather than assume.

A common mistake is picking controls directly from Annex A without showing how they link back to risks. Annex A is a reference list for checking that no necessary control has been omitted, not a checklist to implement wholesale, and the Statement of Applicability has to record, for each Annex A control, whether it is included or excluded and why. Auditors want to see the logic: which risk is being treated, how, and why this option is the right fit.

For example, a fintech firm I worked with identified phishing as a high-priority risk. Instead of just “adding a control,” they documented their reasoning: “Risk of credential theft will be mitigated by implementing MFA, strengthening email filters, and mandatory staff training. Residual risk after treatment is acceptable.” That clear chain of thought satisfied both management and auditors.

The treatment plan isn’t just about controls; it’s about showing accountability for how risks are handled. Each risk owner has to approve the plan for their risks and formally accept the residual risk that remains after treatment, and that approval should be recorded. Done well, the plan connects your risk assessment to real-world action.
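The scoring matrix from Clause 6.1.2 and the treatment checks from Clause 6.1.3 are easy to describe and easy to apply inconsistently. The following is an added example, not code from the article or from any standard: a small Python register check that scores each risk with fixed criteria, prioritizes the register, and flags the gaps an auditor asks about (an accepted risk above the threshold, an acceptance with no justification, a treated risk with no residual assessment, a missing risk-owner sign-off). The 1-5 scales, the threshold of 6, the band cut-offs and the sample risks are all assumptions chosen for illustration; an organization sets its own criteria before scoring anything.

```python
"""Minimal Clause 6.1.2 / 6.1.3 risk register check (added example, not from the article).

The 1-5 scales, the acceptance threshold, the band cut-offs and the sample risks
are assumptions chosen to show the mechanics; define your own criteria first.
"""
from dataclasses import dataclass
from typing import Optional

# Risk criteria, fixed up front so every assessment is scored the same way (6.1.2 a, b).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost_certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
ACCEPTANCE_THRESHOLD = 6          # assumed: a level of risk <= 6 is tolerable
TREATMENT_OPTIONS = {"avoid", "transfer", "mitigate", "accept"}


@dataclass
class Risk:
    risk_id: str
    description: str
    owner: str                          # 6.1.2 c: each risk has a named owner
    likelihood: str
    impact: str
    treatment: str                      # one of TREATMENT_OPTIONS
    residual_likelihood: Optional[str] = None
    residual_impact: Optional[str] = None
    justification: str = ""             # the documented "why" for the chosen option
    owner_approved: bool = False        # 6.1.3 f: owner approves plan and residual risk


def level(likelihood: str, impact: str) -> int:
    """Level of risk = likelihood x impact on the agreed 1-5 scales (6.1.2 d)."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def band(score: int) -> str:
    """Map a level of risk onto the matrix zones used for prioritization (6.1.2 e)."""
    if score >= 15:
        return "critical"
    if score >= 10:
        return "high"
    if score > ACCEPTANCE_THRESHOLD:
        return "medium"
    return "low"


def evaluate(risk: Risk) -> list[str]:
    """Return audit findings for one register entry; an empty list means the entry is
    consistent with the criteria: accepted risks sit inside the threshold and are justified,
    treated risks have a residual assessment inside the threshold, and the owner signed off."""
    findings: list[str] = []
    if risk.treatment not in TREATMENT_OPTIONS:
        return [f"unknown treatment option '{risk.treatment}'"]
    inherent = level(risk.likelihood, risk.impact)
    if risk.treatment == "accept":
        if inherent > ACCEPTANCE_THRESHOLD:
            findings.append("accepted risk exceeds acceptance criteria")
        if not risk.justification:
            findings.append("acceptance has no documented justification")
    else:
        if risk.residual_likelihood is None or risk.residual_impact is None:
            findings.append("treated risk has no residual risk assessment")
        else:
            residual = level(risk.residual_likelihood, risk.residual_impact)
            if residual > ACCEPTANCE_THRESHOLD:
                findings.append("residual risk still exceeds acceptance criteria")
            if residual >= inherent:
                findings.append("treatment does not reduce the level of risk")
    if not risk.owner_approved:
        findings.append("risk owner has not approved the treatment and residual risk")
    return findings


def prioritize(register: list[Risk]) -> list[tuple[str, int, str]]:
    """Order the register by inherent level of risk, highest first (6.1.2 e)."""
    scored = [(r.risk_id, level(r.likelihood, r.impact), band(level(r.likelihood, r.impact)))
              for r in register]
    return sorted(scored, key=lambda row: row[1], reverse=True)


# Constructed sample register loosely mirroring the article's examples.
SAMPLE_REGISTER = [
    Risk("R1", "Credential theft via phishing", "Head of IT Security", "likely", "major",
         "mitigate", "unlikely", "moderate",
         "MFA, stronger mail filtering and mandatory awareness training", owner_approved=True),
    Risk("R2", "Short printer outages", "Facilities Manager", "possible", "negligible",
         "accept", justification="Business impact is negligible", owner_approved=True),
    Risk("R3", "Ransomware at a key supplier halts operations", "COO", "possible", "severe",
         "mitigate", "unlikely", "moderate", "Second-source suppliers and a tested fallback",
         owner_approved=True),
    Risk("R4", "Legacy payment system exposes card data", "CFO", "possible", "severe",
         "avoid", "rare", "minor", "Decommission the system"),        # no sign-off yet
    Risk("R5", "Unpatched remote-access gateway", "IT Operations Lead", "likely", "major",
         "accept"),                                                 # accepted with no basis
]

if __name__ == "__main__":
    for risk_id, score, zone in prioritize(SAMPLE_REGISTER):
        print(f"{risk_id}: level {score:2d} ({zone})")
    for risk in SAMPLE_REGISTER:
        for finding in evaluate(risk):
            print(f"{risk.risk_id}: {finding}")
```

Running it lists R1 and R5 first (both at level 16, "critical"), then flags R4 for missing owner approval and R5 three times: it is accepted above the threshold, with no justification, and without sign-off. Those three lines are exactly the questions an auditor asks of an over-accepted register.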

ISO/IEC 27001 Clause 6.2 – Information Security Objectives and Planning

Clause 6.2 requires organizations to set information security objectives at relevant functions and levels. The standard asks that they be consistent with the information security policy, measurable (if practicable), take into account applicable requirements and the results of risk assessment and treatment, and be monitored, communicated, updated as appropriate, and kept as documented information. In practice that means objectives aligned with business goals, measurable, regularly reviewed, and visibly backed by leadership.

Too often, I see objectives written as vague promises like “improve security.” That doesn’t satisfy auditors, and it doesn’t help employees know what to aim for. Objectives need to be SMART (Specific, Measurable, Achievable, Relevant, Time-bound).

Weak vs. Strong ISMS Objectives

  • Weak: “Improve cybersecurity.” Why it fails: too vague; no way to measure success. Stronger alternative: “Reduce phishing-related incidents by 30% within 12 months through training and advanced email filtering.”

  • Weak: “Protect customer data.” Why it fails: broad statement with no timeframe or metric. Stronger alternative: “Achieve 100% encryption of customer data in transit and at rest by Q4.”

  • Weak: “Enhance employee awareness.” Why it fails: no measure of awareness or improvement. Stronger alternative: “Ensure 95% of employees complete annual security awareness training with a passing score of 80% or higher.”

Planning to Achieve Objectives

Once objectives are set, organizations need to plan:

  • What will be done – activities to reach the objective.

  • Resources required – budget, technology, staff.

  • Who is responsible – accountability assigned clearly.

  • Timeline – deadlines for completion.

  • Evaluation – how progress will be tracked and measured.

For example, one client set the objective of reducing phishing incidents. Their plan included: quarterly staff training, deploying a new email filter, assigning the IT security manager ownership, and tracking results monthly. When the auditor asked about progress, they had clear evidence tied back to their Clause 6.2 objectives.

Strong objectives turn Clause 6 from theory into action. They give employees focus, auditors confidence, and leadership measurable proof that the ISMS is working.

Summary of ISO/IEC 27001 Clause 6 – Risk Management & Planning

Clause 6 is where your ISMS becomes practical. It ensures that risks are identified, assessed, treated, and linked to measurable objectives. Done right, it keeps the ISMS focused on protecting what matters most while supporting business goals.

Key takeaways:

  • Clause 6.1 – Risk-based planning drives the ISMS.

  • Clause 6.1.2 – Risk assessments must be structured, consistent, and documented.

  • Clause 6.1.3 – Risk treatment must clearly link back to identified risks.

  • Clause 6.2 – Objectives should be SMART and supported by detailed plans.

FAQs on ISO/IEC 27001 Clause 6

How often should risk assessments be performed?
The standard (Clause 8.2) requires them at planned intervals and whenever significant changes are proposed or occur. Most organizations set an annual cycle and re-run the assessment after new systems, new regulations, acquisitions, or significant new threats.

Do ISMS objectives need to be quantitative?
The standard asks for objectives that are measurable if practicable. Measurable can mean quantitative (e.g., % reduction in incidents) or qualitative (e.g., reaching a defined maturity level), as long as you can show evidence of whether the objective was met.

Can we use our existing enterprise risk management (ERM) framework?
Yes, as long as it meets the ISO/IEC 27001 requirements: defined risk criteria, a repeatable methodology that gives comparable results, named risk owners, and documented results.

What happens if we accept too many risks?
Auditors will question whether the ISMS is effective. Every acceptance must be justified against your defined risk acceptance criteria and approved by the risk owner; an accepted risk that sits above your own threshold is a finding.

Conclusion: Building a Strong ISMS with Clause 6

Clause 6 of ISO/IEC 27001 is where strategy meets action. It’s not enough to identify risks—you need to assess them systematically, decide how to treat them, and set clear objectives that drive improvement. Done well, Clause 6 ensures your ISMS is focused, measurable, and aligned with the business.

To recap:

  • Risk-based planning (6.1) keeps your ISMS grounded in reality.

  • Risk assessments (6.1.2) must be structured, repeatable, and documented.

  • Risk treatment plans (6.1.3) show how risks are handled, not just listed.

  • Information security objectives (6.2) provide measurable targets that prove the ISMS works.

In my experience, the organizations that succeed with ISO/IEC 27001 don’t treat Clause 6 as paperwork. They use it as a roadmap—one that connects leadership intent to operational reality. That’s what turns an ISMS from a compliance burden into a competitive advantage.

Next step: Review your current risk management process and ISMS objectives. Are they documented, measurable, and clearly linked to your business context? If not, this is the time to close the gap—before your next audit puts the spotlight on it.
