Diligent risk management is a key business enabler


Exploiting your ISMS

Most businesses do not operate in the information security arena. If yours does, then having an ISMS lends immense credibility to your service, as you are now leading by example. If you operate in the IT arena, there are controls that concern resilience and integrity which likewise are highly relevant to your products and services. However, there are many controls in ISO/IEC 27001, Annex A that are related to the ISO 9001 quality controls that concern understanding customer requirements and delivering a product or service that meets those requirements. So what if the requirement is not an information security requirement — the general processes of discovery, development, delivery, maintenance and change are the same, only differing in their suitability to the product or service in question. Nevertheless, of greater relevance to exploiting your ISMS are:

  • simply applying the risk treatment concepts to non-IS risks
  • adapting the processes of risk assessment and risk treatment to address all the risks facing your organisation
  • determining and exploiting the opportunities that arise from risk treatment.

There is a new edition of the ISMS standard (ISO/IEC 27001:2022/Amd 1:2024), and you are encouraged to start planning your transition now if you already have an ISMS, or to start using the new standard if not. Whilst there is very little change to the information security requirements, one of the most challenging and perplexing aspects of ISO/IEC 27001 is still risk assessment and the SOA, but that can easily be mastered, as can measuring performance, optimising and showcasing your ISMS.

By way of background, David Brewer’s book “An introduction to ISO/IEC 27001:2022/Amd 1:2024” explains the process of risk assessment and risk treatment, which we expand upon in this article. It is available on Amazon in e-book (£36.00) and paperback (£42.25) formats.

Simple application of risk treatment concept

A simple form of exploitation is just to apply the risk treatment concept of prevent–detect–react to risks other than information security risks. Record the risk and your treatment and then act on it. Whether you want to include it within the scope of your ISMS is up to you, although it should remain outside of the scope of ISO/IEC 27001 certification.

Extending the processes of risk assessment and risk treatment

ISO/IEC 27001 requires you to identify risks associated with the loss of confidentiality, integrity and availability for information within the scope of your ISMS. It requires you to assess the realistic likelihood of the occurrence of those risks. It requires you to assess the potential consequences that would result if those risks were to materialise. It requires you to evaluate these risks by comparing the results of your risk analysis with your risk criteria; prioritising analysed risks for treatment; and treating those risks by determining all controls that are necessary to implement your chosen risk treatment options. The only information security specific content in these requirements is the reference to “…confidentiality, integrity and availability for information”.

A more formal extension to other risks can be made by augmenting these references to risks with other associations and consequences, e.g.:

  • risks associated with the loss of life or quality of life, unavailability of products and services, loss of revenue and unanticipated costs for disasters within scope of the management system
  • risks associated with the loss of revenue, unanticipated costs, and resource wastage for products and services within scope of the management system.

[Here, the phrases “loss of life or quality of life, unavailability of products and services, loss of revenue and unanticipated costs” and “loss of revenue, unanticipated costs, and resource wastage” take the place of the ISO/IEC 27001 phrase “loss of confidentiality, integrity and availability”, and “disasters” and “products and services” take the place of “information”.]

Such a formal extension of the processes of risk assessment and risk treatment is easier if you are using the events and consequences method (as advocated by ISO 31000, and used in IMS-Smart On-Line). This is because trying to determine assets, threats and vulnerabilities for these other types of risk, although possible, does not add any value to the process. The events associated with the first example can be simply phrased as:

  • Acts of God, vandals and terrorists.

Those associated with the second example are the traditional quality events of:

  • Supply of the wrong product
  • Nonconforming product
  • Bad customer experience.

Using the approach of constructing designer risk treatment plans, determine controls to prevent, detect and react to each event. Of course, there is no Annex A to help, although guidance can be found in various ISO standards (e.g., the ISO 22300 series for business continuity, and the ISO 9000 series for quality).

Opportunity exploitation

“Every problem is an opportunity in disguise”, as John Adams once said, and this is just as true in risk management as in everyday life. The opportunities arise from risk treatment. There is a formal way to express opportunity exploitation plans, but for a simple application just ask yourself:

  • “does this risk treatment plan present an opportunity for furthering my business?”
  • if so “how can I exploit it?”

Adjust your risk treatment plan as necessary to maximise the likelihood of reward and execute.

Don’t forget the Deming Cycle

When applying these ideas — simple or formal extension to non-IS risks and opportunity exploitation — don’t forget the Deming Cycle: PLAN-DO-CHECK-ACT. Once you have determined and implemented your plan for managing non-IS risks, or opportunity exploitation, check that the plan is working, make adjustments as necessary and repeat. Just as an ISMS is a continuous cycle of improvements, so is any extension of an ISMS to assist you to manage and exploit non-IS risks.

How IMS-Smart can help

We can help in three ways:

  • David Brewer’s book “An introduction to ISO/IEC 27001:2022/Amd 1:2024” gives a detailed explanation of the whole of ISO/IEC 27001:2022/Amd 1:2024, and explains the concepts underpinning designer risk treatment plans. It is available on Amazon in e-book (£36.00) and paperback (£42.25) formats.
  • We also have some technology that can help you to create an ISMS with built-in support for creating custom designer risk treatment plans, as well as those needed for information security management, plus the necessary PDCA features. Just because you already have an ISMS does not mean that you cannot take advantage of IMS-Smart On-Line. Think of it as upgrading to a brand new car, and take advantage of the ISO/IEC 27001 transition period to do it.
  • We can train you.

If you have any questions about exploiting your ISMS or IMS-Smart On-Line, just ask, or use the find facility above. We will be pleased to assist.