Part 17: Clause 6.1 Actions to address Risks and Opportunities
The ISO 27001 standard is built on a foundation of managing risks and opportunities. Right there on page 1 of the standard, right in the introduction, it states:
The information security management system preserves the confidentiality, integrity and availability of information by applying a risk management process and gives confidence to interested parties that risks are adequately managed.
In other words, to give your clients the confidence that you are managing your information security well, you need to demonstrate that you have robust systems for managing risks and opportunities.
Make sure you spend time getting it right though!
You’re going to have to apply a lot of thought and foresight. The best way to make this happen is to spend time getting with your people to devise a system that works well for your business.
A great place to start is to study ISO 31000. This standard “ISO 31000:2018, Risk management – Guidelines” provides you with the principles, the framework and the process for managing risk. Jump onto the www.ISO.org store and grab a copy. At USD90 it’s a bargain because it gives you all that you need to get started on your risk management journey. This version has just been released (2018) and has best practice written right through it.
The risk process that it describes is straight forward. At a high level it is:
- Define the scope, content and the risk criteria
- Ensure that staff are involved and participate.
- Conduct the risk assessment:
- Risk identification
- Risk Analysis
- Risk Evaluation.
- Determine the risk treatments.
- Monitor and continuously review progress.
- Make sure that it’s easy to record and report risks and opportunities.
Here at Mango we were fortunate that we had our risk management system was already in place. We had developed one when we created our quality management system. See how we did it in this blog.
So using those same fundamentals we created a risk process for information security that used a risk criteria based on likelihood and consequences. This helped create a list of risks based on priority. The higher the likelihood and the higher the consequences, the higher the priority for that risk.
Our opportunities were listed in our improvement module. These opportunities were then reported through our corrective and preventive action process.
You will find that the risk treatments are straight forward. This is because the ISO 27001 standard helps you greatly with this. Annex A of the standard lists the controls for you. There are 114 controls listed. How easy is that! The authors of this standard had great foresight to create that list just for you. All you have to do is just flesh out some more detail for each control.
So, using Mango, we listed the risks in the Risk Management module and linked the controls to any necessary documented policy or procedure. We then created an Information Security Risk Register. Our risk register has about 60 listed risks with applicable controls (risk treatments). This register will be annually reviewed and audited.
This register provides a foundation for the rest of the information security management system. It summarises a bunch of ISO 27001 clauses in one document. Now all you need is the implement and maintain it. Job done!
And there you have it. ISO 31000 gives you both the fundamentals and the process of a great risk management system, and ISO 27001 Annex A gives you the controls you need.
Don’t over think it. But work hard to get it right.
Here is a list of takeaways that will help you achieve this clause:
- Grab a copy of ISO 31000 and study it hard.
- Create a risk process using that standard.
- Put your opportunities into your improvement process.
- Create an easy-to-use risk criteria.
- List your risks and apply the risk criteria.
- Use ISO 27001 Annex A to help determine the risk treatments.
- Re-evaluate risks and opportunities on a regular basis.
View previous blogs in this series "ISO 27001 Information Security Management Standard":