6.1 Actions to address risks and opportunities to the ISMS

Richard Regalado

Richard Regalado

Trusted Information Resource
6.1 Actions to address risks and opportunities
Click to expand...
6.1.1 General
When planning for the information security management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to:

a) ensure the information security management system can achieve its intended outcome(s);
b) prevent, or reduce, undesired effects; and
c) achieve continual improvement.

The organization shall plan:
d) actions to address these risks and opportunities; and
e) how to
1) integrate and implement the actions into its information security management system processes; and
2) evaluate the effectiveness of these actions.
Click to expand...

I have seen many organizations include opportunities in their information security risk registers. That is not necessary, of course. The requirement in 6.1 is the determination of the risks and opportunities to the ISMS. This is different from the information security risks required in 6.1.2.c.

How do I address then the requirement of 6.1? I use a simple table below:

6.1 Actions to address risks and opportunities to the ISMS


How do you address the requirements of 6.1? Looking forward to your reactions and shares!
 
You must log in or register to reply here.

Similar threads

Richard Regalado
Two risk assessments for ISMS
Replies
0
Views
584
Richard Regalado
Richard Regalado
F
Confused about Non conformace from internal audit
2 3
Replies
22
Views
1K
qualitymanagerTT
Q
S
FDA Cybersecurity risk assessment
Replies
2
Views
505
summer
S
J
Audit finding for challenge parts
2
Replies
10
Views
288
Johnnymo62
Johnnymo62
Richard Regalado
Informational ISO/IEC 27001:2022 has been published
Replies
0
Views
899
Richard Regalado
Richard Regalado
Top Bottom