Diligent risk management is a key business enabler
Exploiting your ISMS

Most businesses do not operate in the information security arena. If yours does, then having an ISMS lends immense credibility to your service, as you are now leading by example. If you operate in the IT arena, there are controls that concern resilience and integrity which are likewise highly relevant to your products and services. Beyond that, many of the controls in ISO/IEC 27001 Annex A are related to the ISO 9001 quality controls that concern understanding customer requirements and delivering a product or service that meets those requirements. It does not matter that such a requirement is not an information security requirement: the general processes of discovery, development, delivery, maintenance and change are the same, differing only in how they are tailored to the product or service in question. Nevertheless, of greater relevance to exploiting your ISMS are:
There is a new edition of the ISMS standard (ISO/IEC 27001:2022/Amd 1:2024), and you are encouraged to start planning your transition now if you already have an ISMS, or to start using the new standard if not. Whilst there is very little change to the information security requirements, one of the most challenging and perplexing aspects of ISO/IEC 27001 is still risk assessment and the SOA (Statement of Applicability), but that can easily be mastered, as can measuring performance, optimising and showcasing your ISMS.
Simple application of the risk treatment concept

A simple form of exploitation is just to apply the risk treatment concept of prevent, detect and react to risks other than information security risks. Record the risk and your treatment, and then act on it. Whether you include it within the scope of your ISMS is up to you, although it should remain outside the scope of ISO/IEC 27001 certification.
Extending the processes of risk assessment and risk treatment

ISO/IEC 27001 requires you to identify the risks associated with the loss of confidentiality, integrity and availability of information within the scope of your ISMS. It requires you to assess the realistic likelihood of those risks occurring and the potential consequences that would result if they were to materialise. It requires you to evaluate these risks by comparing the results of your risk analysis with your risk criteria, to prioritise the analysed risks for treatment, and to treat those risks by determining all the controls that are necessary to implement your chosen risk treatment options. The only information-security-specific content in these requirements is the reference to “…confidentiality, integrity and availability for information”. A more formal extension to other risks can therefore be made by augmenting these references with other associations and consequences, e.g.:
[Here, highlighting is used to show the relationship with the ISO/IEC 27001 phrases “loss of confidentiality, integrity and availability” and “information”.] Such a formal extension of the risk assessment and risk treatment processes is easier if you are using the events and consequences method (as advocated by ISO 31000 and used in IMS-Smart On-Line). This is because trying to determine assets, threats and vulnerabilities for these other types of risk, although possible, adds no value to the process. The events associated with the first example can be phrased simply as:
Using the approach of constructing designer risk treatment plans, determine controls to prevent, detect and react to your event. Of course, there is no Annex A to help here, although guidance can be found in various ISO standards (e.g., the ISO 22300 series for business continuity and the ISO 9000 series for quality).

Opportunity exploitation

“Every problem is an opportunity in disguise”, as John Adams once said, and this is just as true in risk management as in everyday life. The opportunities arise from risk treatment. There is a formal way to express opportunity exploitation plans, but for a simple application just ask yourself:
Adjust your risk treatment plan as necessary to maximise the likelihood of reward, and execute it.

Don’t forget the Deming Cycle

When applying these ideas, whether the simple or the formal extension to non-IS risks, or opportunity exploitation, don’t forget the Deming Cycle: PLAN-DO-CHECK-ACT. Once you have determined and implemented your plan for managing non-IS risks or exploiting an opportunity, check that the plan is working, make adjustments as necessary and repeat. Just as an ISMS is a continuous cycle of improvement, so is any extension of an ISMS that helps you manage and exploit non-IS risks.

How IMS-Smart can help

We can help in three ways:
If you have any questions about exploiting your ISMS or about IMS-Smart On-Line, just get in touch or use the find facility above. We will be pleased to assist.
© IMS-Smart Limited, 2023-24
Page last updated: June 3, 2024