### 6.1.1 General

When planning for the information security management system, the organization shall consider the issues referred to in [4.1](c-4.1-Understanding-the-organization-and-its-context.md) and the requirements referred to in [4.2](ISO_27001_2022_OT%204.2%20Understanding%20the%20needs%20and%20expectations%20of%20interested%20parties.md) and determine the risks and opportunities that need to be addressed to:

a\) ensure the information security management system can achieve its intended outcome(s);

b\) prevent, or reduce, undesired effects;

c\) achieve continual improvement.

The organization shall plan:

d\) actions to address these risks and opportunities; and

e\) how to
	1\) integrate and implement the actions into its information security management system processes; and
	2\) evaluate the effectiveness of these actions.