6.1 Actions to address risks and opportunities to the ISMS

Richard Regalado

Trusted Information Resource
6.1 Actions to address risks and opportunities
6.1.1 General
When planning for the information security management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to:

a) ensure the information security management system can achieve its intended outcome(s);
b) prevent, or reduce, undesired effects; and
c) achieve continual improvement.

The organization shall plan:
d) actions to address these risks and opportunities; and
e) how to
1) integrate and implement the actions into its information security management system processes; and
2) evaluate the effectiveness of these actions.

I have seen many organizations include opportunities in their information security risk registers. That is not necessary, of course. The requirement in 6.1 is the determination of the risks and opportunities to the ISMS. This is different from the information security risks required in 6.1.2.c.

How do I address then the requirement of 6.1? I use a simple table below:

6.1 Actions to address risks and opportunities to the ISMS

How do you address the requirements of 6.1? Looking forward to your reactions and shares!
Top Bottom