Managing risks with ISO 27000 plugs into ISO 31000 standards


Contrary to popular belief, ISO 31000 is not mandatory for ISO 27001 implementation. It can, however, be quite useful for an ISO 27001 implementation: it offers a couple of good guidelines, and it also gives a strategic context for managing (information security) risks. But let's go through the basics first.

What is ISO 31000?

ISO 31000 provides guidelines on how to organise risk management in organisations. The standard is not focused solely on information security risks; it can be used for any type of risk, including business continuity, market, currency, credit, operational and other risks.

It provides a detailed glossary of risk management terms, explains basic principles of risk management, and provides a general framework including a PDCA cycle (planning, implementing, monitoring and improving – Plan/Do/Check/Act) for risk management. However, being applicable to any type of organisation and to any type of risk, it does not provide a specific methodology for, e.g., information security risk management.
SCOPE OF ISO 31000

ISO 31000 is an international risk management standard. It can be used by any organization, no matter what size it is or what it does. It can be used by both public and private organizations and by groups, associations, and enterprises of all kinds. It is not specific to any sector or industry and can be applied to any type of risk. ISO 31000 can be applied to the achievement of any and all types of objectives at all levels and areas within an organization.

It can be used at a strategic or organizational level to help make decisions and can be applied to all types of activities. It can be used to help manage processes, operations, functions, projects, programs, products, services, and assets. However, exactly how you apply ISO 31000 is up to you and will depend on your organization's needs, objectives, and challenges, and should reflect what it does and how it operates.

WHY USE ISO 31000?

When properly implemented and applied, ISO 31000 will help you to:
  • Increase the likelihood that objectives will be achieved.
  • Improve your ability to identify threats and opportunities.
  • Establish a sound basis for planning and decision-making.
  • Help you allocate and use risk treatment resources.
  • Improve the overall resilience of your organization.
  • Improve operational efficiency and effectiveness.
  • Encourage personnel to identify and treat risk.
  • Help minimize your organization's losses.
  • Improve your risk management controls.
  • Comply with legal and regulatory requirements.
  • Enhance your approach to environmental protection.
  • Improve the effectiveness of your governance activities.
  • Enhance your organization's health and safety performance.
  • Improve loss prevention and incident management activities.
  • Encourage and support continuous organizational learning.
  • Improve the trust and confidence of your stakeholders.
  • Enhance both mandatory and voluntary reporting.
  • Comply with international norms and standards.

What is ISO 27001?

The ISO27k standards are deliberately risk-aligned, meaning that organizations are encouraged to assess the security risks to their information (called “information security risks” in the standards, but in reality they are simply information risks) as a prelude to treating them in various ways. Dealing with the highest risks first makes sense from the practical implementation and management perspectives.
In today’s information economy, the development, exploitation and protection of information assets are key to the long-term competitiveness and survival of corporations and entire economies. The protection of information assets – information security – is therefore overtaking physical asset protection as a fundamental corporate governance responsibility. Information security management, defined as ‘the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities’, ¹ is becoming a critical corporate discipline, alongside marketing, sales, HR and financial management.

ISO 27001 is a standard that describes how a company should organize its information security. It is based on risk management principles, meaning that a company should select safeguards (security controls) only if there are unacceptable risks that need to be treated. So, in effect, you can consider information security to be part of managing the risks in your company, as displayed below:

ISO 27001 and ISO 27002

The ISO 27000 series of standards is a compilation of international standards all related to information security. The difference is that ISO 27001 has an organizational focus and details the requirements against which an organization's Information Security Management System (ISMS) can be audited.

ISO 27002, on the other hand, is more focused on the individual and provides a code of practice for use by individuals within an organization. If you compare them, you will see that they are structured similarly and map to each other. The difference is in the level of detail: ISO 27002 explains one control on a whole page, while ISO 27001 dedicates only one sentence to each control. ISO 27002 provides best-practice recommendations on information security management for those responsible for implementing or maintaining an ISMS, whereas ISO 27001 defines the audit requirements.
ISO 27001 doesn't specify, recommend or even name any specific risk management method. It does, however, imply a continual process consisting of a structured sequence of activities, some of which are iterative:
  • Establish the risk management context (e.g. the scope, compliance obligations, approaches/methods to be used, and relevant policies and criteria such as the organization's risk tolerance or appetite).
  • Quantitatively or qualitatively assess (i.e. identify, analyze and evaluate) relevant information risks, taking into account the information assets, threats, existing controls and vulnerabilities, to determine the likelihood of incidents or incident scenarios and the predicted business consequences if they were to occur, and from these a 'level of risk'.
  • Treat the risks appropriately (i.e. modify [use information security controls], retain [accept], avoid and/or share [with third parties]), using those 'levels of risk' to prioritize them.
  • Keep stakeholders informed throughout the process.
  • Monitor and review risks, risk treatments, obligations and criteria on an ongoing basis, identifying and responding appropriately to significant changes.
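As an added illustration (not from the article or from the ISO standards), the following Python runs a small constructed risk register through the assess, evaluate, treat and review steps listed above. The 1..5 scoring scale, the "level = likelihood x consequence" matrix, the risk appetite of 8 and the sample assets are all assumptions; ISO 27001 prescribes none of them.

```python
from dataclasses import dataclass
from typing import List, Optional
SCALE = range(1, 6)  # constructed 1..5 scale; ISO 27001 itself prescribes no scale

@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int       # 1 (rare) .. 5 (almost certain), given existing controls
    consequence: int      # 1 (negligible) .. 5 (severe) business consequence
    treatment: str = "untreated"

    def level(self) -> int:
        """Level of risk = likelihood x consequence; an avoided risk no longer exists."""
        if self.likelihood not in SCALE or self.consequence not in SCALE:
            raise ValueError("scores must be on the 1..5 scale")
        return 0 if self.treatment == "avoid" else self.likelihood * self.consequence

def evaluate(register: List[Risk], risk_appetite: int) -> List[Risk]:
    """Evaluate: risks above the appetite are unacceptable, highest level first."""
    return sorted((r for r in register if r.level() > risk_appetite),
                  key=lambda r: r.level(), reverse=True)

def treat(risk: Risk, option: str, likelihood: Optional[int] = None,
          consequence: Optional[int] = None) -> int:
    """Apply one treatment option (modify / retain / avoid / share) and return the
    residual level. modify and share must state the expected residual scores."""
    if option in ("modify", "share"):
        if likelihood is None and consequence is None:
            raise ValueError(f"{option} must state the expected residual scores")
        risk.likelihood = likelihood if likelihood is not None else risk.likelihood
        risk.consequence = consequence if consequence is not None else risk.consequence
    elif option not in ("avoid", "retain"):
        raise ValueError(f"unknown treatment option: {option}")
    risk.treatment = option
    return risk.level()

def worked_example(risk_appetite: int = 8) -> dict:
    """Constructed register run through assess -> evaluate -> treat -> review."""
    register = [Risk("sales laptops", "theft of an unencrypted device", 4, 3),
                Risk("file server", "ransomware outbreak", 3, 5),
                Risk("visitor Wi-Fi", "guest network outage", 5, 1)]
    priority = [r.asset for r in evaluate(register, risk_appetite)]  # highest first
    plan = {"file server": ("modify", {"likelihood": 1}),    # backups and patching
            "sales laptops": ("share", {"consequence": 2})}  # insurer carries the loss
    for r in register:
        option, scores = plan.get(r.asset, ("retain", {}))   # no plan: retain
        treat(r, option, **scores)
    if evaluate(register, risk_appetite):                     # review step
        raise RuntimeError("treatment plan leaves unacceptable risk")
    return {"priority": priority, "residual": [(r.asset, r.treatment, r.level()) for r in register]}
```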
The Author: Ala'a Elbeheri
A versatile and highly accomplished senior certified IT risk management advisor and senior IT lead auditor with over 20 years of progressive experience in all domains of ICT.
• Program and portfolio management, complex project management, service delivery, and client relationship management.
• Capable of providing invaluable information while making key strategic decisions and spearheading customer-centric projects in IT/ICT in diverse sectors.
• Displays strong business and commercial acumen and delivers cost-effective solutions contributing to financial and operational business growth in international working environments.
• Fluent in oral and written English, German, and Arabic, with a professional knowledge of French.
• Energetic and dynamic; relishes challenges and demonstrates in-depth analytical and strategic ability to facilitate operational and procedural planning.
• Fully conversant with industry standards, with a consistent track record in delivering cost-effective strategic solutions.
• Strong people skills, with a proven ability to build successful, cohesive teams and interact well with individuals across all levels of the business. Committed to promoting the ongoing development of IT skills throughout an organization.
