ISO 27001 Clause 6.1 Actions to address risks and opportunities

Overview

ISO/IEC 27001:2013 is concerned with the design of actions to deal with all kinds of risks and opportunities that are relevant to the ISMS. This includes risk assessment and planning for risk treatment. The structure of ISO/IEC 27001 subdivides risks into two categories during planning:

- Risks and opportunities relevant to the intended outcome(s) of the ISMS as a whole;
- Information security risks that relate to the loss of confidentiality, integrity and availability of data within the scope of the ISMS.

The first category should be handled in accordance with the requirements laid out in ISO/IEC 27001:2013 (general). Risks that fall under this category are often risks concerning the ISMS itself, the ISMS scope definition, top management's commitment to information security, resources for operating the ISMS, etc. Opportunities that fall under this category are often opportunities concerning the outcome(s) of the ISMS, ...