The international standard for information security, ISO 27001, was an early adopter of the risk-based approach to management systems. Since then, influenced by Annex SL, all modern management systems include risks and opportunities in clause 6.
But why is risk so important in ISO 27001 and what does it mean?
All ISO Management System standards promote the principle of ‘continual improvement’ and arguably the risk management process is the best example of that in action.
By performing a detailed risk assessment, an organisation can understand its current risk exposure and make decisions about how to improve its posture.
As a requirement of ISO 27001, the organisation will define ‘risk acceptance criteria’, which in itself recognises that some level of risk will always be present and organisations should seek to continually improve their position.
Prioritise Mitigating Actions
Taking a risk-based approach helps organisations prioritise their resources towards mitigating the risks which would cause the most disruption to the business, either by being most likely to occur and/or by having a severe impact on operations.
This helps to break down the workload into manageable chunks, and allows organisations to achieve ISO 27001 certification while they still have some risks present.
The risk management process can be used to produce quantifiable information about the company’s exposure and the effectiveness of its current controls.
This information can be analysed and presented in a format suitable for all levels of the organisation, helping to establish a company-wide programme while ensuring top management remains informed.
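The prioritisation and reporting described above can be illustrated with a small risk register. The following is an added example, not code from Assent or from the ISO 27001 standard (which leaves the methodology to the organisation): the 1 to 5 likelihood and impact scales, the score (likelihood multiplied by impact), the acceptance threshold and the sample risks are all constructed assumptions chosen to show how risk acceptance criteria separate the risks that need treatment from those that can be accepted.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed 1..5 scales; an organisation defines its own in its risk methodology.
LIKELIHOOD_SCALE = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
IMPACT_SCALE = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}

# Assumed risk acceptance criterion: a residual score at or below this is accepted.
ACCEPTANCE_THRESHOLD = 6


@dataclass
class Risk:
    ref: str
    description: str
    likelihood: int            # inherent likelihood, before controls
    impact: int                # inherent impact, before controls
    controls: List[str] = field(default_factory=list)
    residual_likelihood: Optional[int] = None  # likelihood once controls are applied
    residual_impact: Optional[int] = None      # impact once controls are applied


def validate_rating(value: int, scale: Dict[int, str]) -> int:
    """Reject ratings outside the defined scale so scores stay comparable."""
    if value not in scale:
        raise ValueError(f"rating {value} not in scale {sorted(scale)}")
    return value


def inherent_score(risk: Risk) -> int:
    """Score before any control is considered: likelihood x impact."""
    return (validate_rating(risk.likelihood, LIKELIHOOD_SCALE)
            * validate_rating(risk.impact, IMPACT_SCALE))


def residual_score(risk: Risk) -> int:
    """Score after controls; falls back to the inherent rating where none is recorded."""
    likelihood = risk.residual_likelihood if risk.residual_likelihood is not None else risk.likelihood
    impact = risk.residual_impact if risk.residual_impact is not None else risk.impact
    return (validate_rating(likelihood, LIKELIHOOD_SCALE)
            * validate_rating(impact, IMPACT_SCALE))


def is_acceptable(risk: Risk, threshold: int = ACCEPTANCE_THRESHOLD) -> bool:
    """Apply the risk acceptance criteria to the residual score."""
    return residual_score(risk) <= threshold


def prioritise(register: List[Risk], threshold: int = ACCEPTANCE_THRESHOLD) -> List[Risk]:
    """Risks still above the acceptance criteria, most severe first.

    Ties on score are broken by impact (a severe, rarer event outranks a
    frequent, minor one), then by reference for a stable ordering.
    """
    open_risks = [r for r in register if not is_acceptable(r, threshold)]
    return sorted(open_risks, key=lambda r: (-residual_score(r), -r.impact, r.ref))


def summarise(register: List[Risk], threshold: int = ACCEPTANCE_THRESHOLD) -> Dict[str, int]:
    """Quantified view of exposure suitable for reporting to top management."""
    residuals = [residual_score(r) for r in register]
    return {
        "total_risks": len(register),
        "above_acceptance": sum(1 for r in register if not is_acceptable(r, threshold)),
        "highest_residual": max(residuals) if residuals else 0,
        "inherent_exposure": sum(inherent_score(r) for r in register),
        "residual_exposure": sum(residuals),
    }


# Constructed sample register (hypothetical risks, ratings and controls).
SAMPLE_REGISTER = [
    Risk("R1", "Ransomware encrypts the file server", 4, 5,
         ["offline backups", "endpoint detection"], residual_likelihood=2, residual_impact=4),
    Risk("R2", "Laptop holding customer data is lost", 3, 4,
         ["full-disk encryption"], residual_likelihood=3, residual_impact=1),
    Risk("R3", "Public website is defaced", 3, 2),
    Risk("R4", "Privileged account is compromised", 3, 5,
         ["multi-factor authentication"], residual_likelihood=2, residual_impact=5),
]

if __name__ == "__main__":
    for risk in prioritise(SAMPLE_REGISTER):
        print(f"{risk.ref} residual={residual_score(risk):2d} inherent={inherent_score(risk):2d} "
              f"{risk.description}")
    print(summarise(SAMPLE_REGISTER))
```

With the sample data, R2 and R3 fall within the acceptance criteria and are recorded as accepted, while R4 and R1 remain above the threshold and are treated first; the summary gives management the counts and totals behind that decision. Changing the threshold or the rating of a single control re-ranks the register, which is the continual improvement loop the text describes.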
Risk Methodology and ISO 31000
While the standard does not provide a risk methodology to use, it does reference ISO 31000, which defines a set of risk management principles.
Assent’s ISO 27001 Consultants can help you develop a risk methodology that is suitable for your organisation and incorporates the recognised principles of ISO 31000.
Contact us to find out how we can help.