ISO 27001 Clause 6.1 Actions to address risks and opportunities
Overview
ISO/IEC 27001:2013 is concerned with the design of actions to deal with all kinds of risks and opportunities that are relevant to the ISMS. This includes risk assessment and planning for risk treatment.
The structure of ISO/IEC 27001 subdivides risks into two categories during planning:
- Risks and opportunities relevant to the intended outcome(s) of the ISMS as a whole;
- Information security risks that relate to the loss of confidentiality, integrity and availability of data within the scope of the ISMS.
The first category should be handled in accordance with the requirements laid out in ISO/IEC 27001:2013 (general). Risks in this category typically concern the ISMS itself: the ISMS scope definition, top management's commitment to information security, the resources for operating the ISMS, etc. Opportunities in this category typically concern the outcome(s) of the ISMS, the commercial value of an ISMS, the efficiency of operating ISMS processes and information security controls, etc.
The second category consists of all risks that directly relate to the loss of confidentiality, integrity and availability of information within the scope of the ISMS. These risks should be handled in accordance with (information security risk assessment) and (information security risk treatment). Organizations may prefer to use different techniques for each category.
The reasons for subdividing the requirements for addressing risks are usually explained as follows:
- It encourages compatibility with other management system standards for organizations that have integrated management systems covering aspects such as quality, environment and information security;
- It requires the organization to define and apply complete and detailed processes for information security risk assessment and treatment;
- It emphasizes that information security risk management is the core element of an ISMS. ISO/IEC 27001:2013 uses the expressions 'determine the risks and opportunities' and 'address these risks and opportunities'. The word 'determine' can be considered equivalent to the word 'assess' used in ISO/IEC 27001:2013 (i.e. identify, analyse and evaluate). Similarly, the word 'address' can be considered equivalent to the word 'treat' used in ISO/IEC 27001:2013.
When planning the ISMS, the organization determines the risks and opportunities, considering the issues mentioned in understanding the organization and its context and the requirements mentioned in understanding the needs and expectations of interested parties.
Implementation Guideline
For risks and opportunities relevant to the intended outcome(s) of the ISMS, the organization determines them based on internal and external issues and on the requirements of interested parties.
Then the organization plans its ISMS to:
a) Ensure that the intended outcomes are delivered by the ISMS, e.g. that the information security risks are known to the risk owners and treated to an acceptable level;
b) Prevent or reduce undesired effects of risks relevant to the intended outcome(s) of the ISMS;
c) Achieve continual improvement, e.g. through appropriate mechanisms to detect and correct weaknesses in the management processes, or by taking opportunities to improve information security.
Risks connected to a) above might be unclear processes and responsibilities, poor awareness among employees, poor engagement from management, etc. Risks connected to b) above might be poor risk management or poor awareness of risks. Risks connected to c) above might be poor management of the ISMS documentation and processes.
When an organization pursues opportunities, the resulting activities can affect the context of the organization (ISO/IEC 27001:2013) or the requirements and expectations of interested parties (ISO/IEC 27001:2013), and may therefore change the risks to the organization.
Continue reading: https://www.info-savvy.com/iso-27001-clause-6-1-actions-to-address-risks-and-opportunities/
This blog article is posted by Infosavvy, Borivali West, Mumbai, Maharashtra 400092.