Clause 6.1.1 is often misunderstood and frequently overlooked. It requires organizations to assess risks and opportunities specifically related to the Information Security Management System (ISMS)—focusing not on information security itself, but on the ISMS’s effectiveness. This is distinct from the information security risk assessment activities outlined in 6.1.2 and 6.1.3, which require different methods and considerations.
In practice, it’s rare for organizations to assess ISMS-specific risks and opportunities (per 6.1.1), and certification auditors seldom address this requirement.
To clarify, it’s proposed that the information security risk assessment activities (6.1.2 and 6.1.3) be moved to clause 8. This aligns with the structure of other management system standards (e.g., ISO 22301 for Business Continuity Planning). Additionally, a note similar to ISO 22301’s should be included:
“Risks in this sub clause relate to information security, while risks and opportunities related to the effectiveness of the management system are addressed in 6.1.1.”
Need expert guidance? Book a free 30-minute consultation with a ISO27k expert.
ISO/IEC 27001:2022 – Mastering Risk Assessment and the Statement of Applicability
The Risk Assessment Process and the tool that supports it
What is the significance of ISO 27001 certification for your business?
Pragmatic ISO 27001 Risk Assessments
ISO/IEC 27001:2022 – Mastering Risk Assessment and the Statement of Applicability
ISO 27001 implementation ISO 27002 ISO 27701 ISO 27017 ISO27k
How to Address AI Security Risks With ISO 27001
How to Conduct an ISO 27001 Internal Audit
4 Benefits of ISO 27001 Certification
How to Check If a Company Is ISO 27001 Certified
How to Implement ISO 27001: A 9-Step Guide
ISO 27001 Standard, Risk Assessment and Gap Assessment
ISO 27001 standards and training
InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot
