An Information Security Management System (ISMS) does not operate by intention alone. An organization can define a clear scope, establish a policy, assign roles, assess risks, and create objectives, but none of those things will function properly unless the ISMS is supported. This is where Clause 7 of the standard becomes relevant.
Clause 6 of ISO 27001 is about planning. In the first part of this series, we looked at clause 6.1 and the requirement to address risks and opportunities. In the second part, we looked at clause 6.2 and the requirement to establish information security objectives and plan how to achieve them. Now we come to clause 6.3, planning of changes.
In the first part of this Chapter 6 series, we looked at clause 6.1 and the way ISO/IEC 27001 requires an organization to address risks and opportunities through structured planning. That planning begins with the risks and opportunities that can affect the Information Security Management System, but it does not stop there. The organization must also define and apply an information security risk assessment process and determine how information security risks will be treated. In practical terms, clause 6.1 helps the organization understand what could go wrong, what needs to be protected, which risks require treatment, and which actions are needed to bring those risks within acceptable limits. Clause 6.2 builds on that foundation by asking the organization to express the direction created by risk-based planning in a more concrete manner. Risk assessment and risk treatment tell the organization what matters, what needs attention, and what must be addressed, but they do not, by themselves, define what success should look like. An organization can identify serious risks, assign owners, select controls, and still fall short if it never translates those decisions into clear objectives. This is the gap that clause 6.2 closes. It turns risk-based planning into something operational, measurable, and manageable over time, making this part of Chapter 6 the point where planning becomes more visible in day-to-day management.
The ISO/IEC 27000 series is a broad collection of standards related to information security, cybersecurity, and privacy protection. Together, these standards help organizations establish, implement, maintain, and improve an Information Security Management System, or ISMS.
For many people, ISO/IEC 27001, also known as ISO 27001, is the best-known standard in the series because it is the one used for certification. However, ISO/IEC 27001 is only one part of a much larger structure. The ISO 27000 series also includes standards on information security controls, implementation guidance, risk management, auditing, governance, cloud security, privacy, digital evidence, network security, supplier relationships, and many other related subjects.
If an Information Security Management System is built on the wrong assumptions, everything that follows becomes weaker. Risks get misjudged, controls end up in the wrong places, and decisions about scope start to feel arbitrary. That is why Chapter 4 carries so much weight. Before you can do anything else in ISO 27001, you need to understand the environment your ISMS is going to operate in, who has a stake in it, what it actually covers, and how the management system itself is structured. Clauses 4.1 through 4.4 walk you through each of those steps.
Many organizations reach a point where they decide that information security needs to be taken more seriously. They invest in endpoint protection, tighten password requirements, deliver awareness training, and sometimes bring in an external consultant to review the environment. From a distance, this can look like genuine progress. Management sees visible activity, the IT team sees concrete improvements, and the organization begins to feel more secure. Yet that sense of readiness can prove misleading when a real disruption occurs. If a key supplier suddenly fails, if an important service becomes unavailable, or if an incident forces difficult business decisions, the underlying weakness is often exposed very quickly. Questions arise that should already have been answered: who was responsible for preventing the disruption? How will it affect our business priorities and obligations? How much will it cost, in manpower and money, to resolve? In many cases the problem was not a lack of effort, but rather that effort was mistaken for planning. What appeared to be preparedness was in fact a collection of disconnected measures adopted without a clearly structured direction.
Clause 5 places leadership at the centre of the Information Security Management System. It requires top management to do more than approve documents. They must actively direct, support, and sustain the system so that information security becomes part of how the organization is managed in practice. ISO 27001 presents Clause 5 as three connected areas: leadership and commitment, policy, and organizational roles, responsibilities, and authorities.
What does a leaked customer database, a tampered financial record, and a system that goes dark at the worst possible moment have in common?
Information security is full of terms that are often used separately, yet in practice they are closely connected. Assets, vulnerabilities, threats, risks, and controls do not exist in isolation. They influence one another continuously, and understanding those relationships is one of the clearest ways to understand how information security actually works in the real world. ISO/IEC 27000 defines information security as the preservation of confidentiality, integrity, and availability of information, while ISO/IEC 27001 requires organizations to establish, implement, maintain, and continually improve an Information Security Management System, or ISMS, including the processes needed for risk assessment and risk treatment. ISO/IEC 27002 complements this by providing a reference set of controls and implementation guidance for information security risk treatment.
Information security did not begin with ISO 27001, and the ISO 27000 series did not appear all at once. What many organizations now take for granted as the leading international framework for managing information security was built gradually, over decades, in response to real business needs, rising digital dependence, and a growing awareness that information risk could no longer be managed in an informal way.
ISO 27001 has become the default reference point when an organisation wants to show it takes information security seriously, not just through technical controls, but through a management system that can be governed, measured, audited, and improved over time. If you have ever been asked by a customer to “prove your security”, if you have ever struggled to prioritise security work, or if you have ever inherited a pile of security policies that nobody follows, you have already met the problem that ISO 27001 is designed to solve.
When it comes to information security, most organisations do not start with nothing. They generally already have certain controls that help them mitigate security issues. They probably have antivirus or antimalware systems, backups, and firewalls. Some organisations may even have access review processes, security awareness training, or an incident response plan. The problem is rarely, if ever, that controls do not exist at all. The problem is that organisations often cannot reliably explain what it is they are trying to protect, why certain measures have been chosen while others have not, or how effective those measures remain over time and through change.
If you are a security practitioner, you probably already do information security work every day, even if you do not call it that. If you are an information security implementer, you are likely trying to make that everyday work repeatable and sustainable. Either way, information security is not a product you buy, and it is not just a piece of technology. It is a discipline that protects what matters to the organization, so it can keep operating, meet its own commitments, and maintain trust in an increasingly competitive environment. ISO/IEC 27000 defines information security as the preservation of confidentiality, integrity, and availability of information. It also notes that other properties, such as authenticity, accountability, non-repudiation, and reliability, can be involved. ISO/IEC 27001 then takes that concept and turns it into a management system that applies a risk management process, gives confidence to interested parties, and is integrated into the organization’s processes and management structure. The goal of this post is to explain what information security is, what it is not, and how to think about it in a way that stays useful when you decide to start building your organization’s Information Security Management System (ISMS).