Clause 6 - Planning

Planning: This clause requires organisations to establish a process for identifying and assessing information security risks, and to develop and implement a risk treatment plan to mitigate those risks. It also requires organisations to establish objectives for information security and to plan how they will achieve those objectives.