
ISO 27001 Clause 6.1: Actions to address risks and opportunities


ISO 27001 is an international standard that specifies requirements for an information security management system (ISMS). An ISMS is a set of policies and procedures that are designed to protect an organisation's information assets.

Clause 6.1 of ISO 27001 is titled "Actions to address risks and opportunities". This clause requires organisations to plan how they will identify, assess, and treat risks and opportunities to their information security.


ISO 27001 Clause 6.1 Planning: General

When planning for the information security management system, the organisation shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to:

  • Ensure the information security management system can achieve its intended outcome(s);
  • Prevent or reduce undesired effects; and
  • Achieve continual improvement.

The organisation shall plan:

  • Actions to address these risks and opportunities; and
  • How to
    • Integrate and implement these actions into its information security management system processes; and
    • Evaluate the effectiveness of these actions.

What is the 6.1 clause of ISO 27001?

Clause 6.1 of ISO 27001 is one of the most important clauses in the standard. It requires organisations to:

  • Identify the risks and opportunities to their information security.

  • Assess the likelihood and impact of these risks and opportunities.

  • Treat the risks and opportunities in a way that is proportionate to the risks involved.

  • Monitor and review the effectiveness of their risk management processes.

Read "Conducting ISO 27001 risk assessment in 7 steps" for more information.


What does ISO 27001 requirement 6.1 cover?

ISO 27001 requirement 6.1 covers the following topics:

  • The need to plan for the identification, assessment, and treatment of risks and opportunities to information security.

  • The need to consider the organisation's context and the needs and expectations of interested parties when planning for risk management.

  • The need to establish and maintain a risk management process that is appropriate to the organisation's size, complexity, and nature of its activities.

  • The need to document the risk management process and the results of risk assessments.

  • The need to review and update the risk management process on a regular basis.


How to identify, assess and treat information security risks

Although it is not necessarily common practice, scenario-based risk identification and assessment is one of the most effective and well-established ways to manage risks. It considers past occurrences, but it also takes a preventive approach by working through scenarios that have not yet happened. This makes it a more holistic approach that covers all potential scenarios.

Step 1: Identify and assess risks

Step 2: Create a treatment plan

Step 3: Review residual risks 


By following the steps outlined above, organisations can effectively identify, assess, and treat information security risks. This will help to protect their information assets and ensure the confidentiality, integrity, and availability of their information.



How do you assess the likelihood and impact of a risk?

The likelihood of a risk is the chance that it will occur; the impact of a risk is the consequence of it occurring. To assess both, you can use a risk assessment matrix, which rates likelihood and impact on fixed scales and combines the two ratings into an overall risk level.

What are the different ways to treat information security risks?

There are a number of ways to treat information security risks, such as:

  1. Avoiding the risk.
  2. Transferring the risk to another party.
  3. Reducing the likelihood of the risk.
  4. Reducing the impact of the risk.
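The following is an added example, not code from the page or from DataGuard, showing how a risk assessment matrix, the four treatment options above and the residual-risk review (Step 3) fit together in a small risk register. The 1..5 scales, the risk appetite of 8, the numeric effect of each treatment and the sample risks are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Assumed 5-point scales and likelihood x impact scoring (hypothetical; the page prescribes no scale).
SCALE = range(1, 6)
RISK_APPETITE = 8  # scores at or above this need treatment (assumption)

def score(likelihood: int, impact: int) -> int:
    """Risk assessment matrix: score = likelihood x impact on 1..5 scales."""
    if likelihood not in SCALE or impact not in SCALE:
        raise ValueError("likelihood and impact must be in 1..5")
    return likelihood * impact

def rating(value: int) -> str:
    """Band a matrix score into the three colours of a typical matrix."""
    if value >= 15:
        return "high"
    return "medium" if value >= RISK_APPETITE else "low"

@dataclass
class Risk:
    name: str
    likelihood: int
    impact: int
    treatments: list = field(default_factory=list)

    def residual(self) -> int:
        """Re-score after applying each of the four treatment options."""
        lik, imp = self.likelihood, self.impact
        for option in self.treatments:
            if option == "avoid":              # activity stopped: risk gone
                return 0
            if option == "transfer":           # e.g. insurance: impact -2
                imp = max(1, imp - 2)
            if option == "reduce_likelihood":  # preventive control: -2
                lik = max(1, lik - 2)
            if option == "reduce_impact":      # recovery control: -1
                imp = max(1, imp - 1)
        return score(lik, imp)

def needs_further_treatment(register: list) -> list:
    """Step 3: residual risks still at or above appetite go back to planning."""
    return [r.name for r in register if r.residual() >= RISK_APPETITE]

# Constructed sample risk register (not taken from the page).
REGISTER = [
    Risk("laptop theft", 4, 4, ["reduce_impact"]),   # disk encryption only
    Risk("ransomware", 3, 5, ["reduce_likelihood", "reduce_impact"]),
    Risk("legacy FTP server", 5, 3, ["avoid"]),       # decommissioned
]
```

Running `needs_further_treatment(REGISTER)` shows that only "laptop theft" still sits above appetite after treatment, so it would return to the treatment plan rather than being accepted.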

How do you monitor and review the effectiveness of risk management?

Organisations need to monitor and review their risk management processes on a regular basis to ensure that they are effective in managing the risks to their information security. This includes:

  • Monitoring the results of risk assessments to ensure that they are still accurate.
  • Reviewing the effectiveness of the controls that have been implemented to treat risks.
  • Identifying new risks that may have arisen.

What are the benefits of implementing an effective risk management process?

There are many benefits to implementing an effective risk management process, such as:

  • Improved information security.
  • Reduced risk of data breaches and other incidents.
  • Increased compliance with regulations.
  • Improved efficiency and effectiveness of operations.
  • Reduced costs.
