Exploit your ISMS

Most businesses do not operate in the information security arena. If yours does, then having an ISMS lends immense credibility to your service, as you are now leading by example. If you operate in the IT arena, there are controls that concern resilience and integrity which likewise are highly relevant to your products and services. However, there are many controls in ISO/IEC 27001, Annex A that are related to the ISO 9001 quality controls that concern understanding customer requirements and delivering a product or service that meets those requirements. So what if the requirement is not an information security requirement — the general processes of discovery, development, delivery, maintenance and change are the same, only differing in their suitability to the product or service in question. Nevertheless, of greater relevance to exploiting your ISMS are:

Book cover for An introduction to ISO/IEC 27001:2022 by David Brewer

By way of background, David Brewer’s book “An introduction to ISO/IEC 27001:2022”, explains the process of risk assessment and risk treatment, that we expand upon in this article. It is available on Amazon in e-book (£36.00) and paperback formats (price £42.25).

Simple application of risk treatment concept

A simple form of exploitation is just to apply the risk treatment concept of prevent–detect–react to risks other than information security risks. Record the risk and your treatment and then act on it. Whether you want to include it within scope of your ISMS is up to you, albeit it should remain outside of the scope of ISO/IEC 27001 certification.

Extending the processes of risk assessment and risk treatment

ISO/IEC 27001 requires you to identify risks associated with the loss of confidentiality, integrity and availability for information within the scope of your ISMS. It requires you to assess the realistic likelihood of the occurrence of those risks. It requires you to assess the potential consequences that would result if those risks were to materialise. It requires you to evaluate these risks by comparing the results of your risk analysis with your risk criteria; prioritising analysed risks for treatment; and treating those risks by determining all controls that are necessary to implement your chosen risk treatment options. The only information security specific content in these requirements is the reference to “…confidentiality, integrity and availability for information”.

A more formal extension to other risks can be made by augmenting these references to risks with other associations and consequences, e.g.:

[Here, we have used highlighting to show the relationship with the ISO/IEC 27001 phrases loss of confidentiality, integrity and availability and information.]

Such a formal extension of the processes of risk assessment and risk treatment is easier if you are using the events and consequences method (as advocated by ISO 31000 (and used in IMS-Smart On-Line)). This is because trying to determine assets, threats and vulnerabilities with these other types of risks, although possible, does not add any value to the process. The events associated with the first example can be simply phrased as:

Using the approach of constructing designer risk treatment plans determine controls to prevent, detect and react to your event. Of course, there is no Annex A to help, although guidance can be found in various ISO standard (e.g., the ISO 22300 series for business continuity, and the ISO 9000 series for quality).

Opportunity exploitation

“Every problem is an opportunity in disguise”, as once said John Adams, and this is just as true in risk management as in everyday life. The opportunities arise from risk treatment. There is a formal way to express opportunity exploitation plans, but for a simple application just ask yourself:

Adjust your risk treatment plan as necessary to maximise the likelihood of reward and execute.

Don’t forget the Deming Cycle

When applying these ideas — simple or formal extension to non-IS risks and opportunity exploitation — don’t forget the Deming Cycle: PLAN-DO-CHECK-ACT. Once you have determined and implemented your plan for managing non-IS risks, or opportunity exploitation, check that the plan is working, make adjustments as necessary and repeat. Just as an ISMS is a continuous cycle of improvements, so is any extension of an ISMS to assist you to manage and exploit non-IS risks.

How IMS-Smart can help

If you have any question about exploiting your ISMS, IMS-Smart On-Line, just or use the find facility above. We will be pleased to assist.





		Diligent risk management is a key business enabler
		HOME SERVICES Consultancy and training Productised IP-led IMS Service IMS-Smart On-Line Effective ISMS qualities Making the most of your ISMS BOOKS STANDARDS ISO/IEC 27001 ISMS Requirements Statement of Applicabiilty Risks and opportunities Risk treatment plans ISO/IEC 27002 Controls ISO/IEC 27004 Measurements ISO/IEC 27007 Auditing ISO/IEC 27014 Governance PHILOSOPHY Overview Architecture Time theory Opportunity exploitation Risk treatment Taxonomies Alternative ideas lists Effectiveness Continual improvement Auditing Implementation strategies CORPORATE About us IMS-Smart ISMS Customers Papers Enquiries Privacy policy IMS-Smart Suzuki motorcycle ≡
		The new build of IMS-Smart On-Line fully compatible with ISO/IEC 27001:2022 is now available

	Exploiting your ISMS Most businesses do not operate in the information security arena. If yours does, then having an ISMS lends immense credibility to your service, as you are now leading by example. If you operate in the IT arena, there are controls that concern resilience and integrity which likewise are highly relevant to your products and services. However, there are many controls in ISO/IEC 27001, Annex A that are related to the ISO 9001 quality controls that concern understanding customer requirements and delivering a product or service that meets those requirements. So what if the requirement is not an information security requirement — the general processes of discovery, development, delivery, maintenance and change are the same, only differing in their suitability to the product or service in question. Nevertheless, of greater relevance to exploiting your ISMS are: simply applying the risk treatment concepts to non-IS risks the ability to adapt the processes of risk assessment and risk treatment to address all the risks facing your organisation to determine and exploit the opportunities that arise from risk treatment. There is a new edition of the ISMS standard (ISO/IEC 27001:2022), and you are encouraged to start planning your transition now, if you already have an ISMS, or start using the new standard if not. Whilst there is very little change to the Information security requirements, one of the most challenging and perplexing aspects of ISO/IEC 27001, is still risk assessment and the SOA, but that can easily be mastered, as can measuring performance, optimising and showcasing your ISMS. By way of background, David Brewer’s book “An introduction to ISO/IEC 27001:2022”, explains the process of risk assessment and risk treatment, that we expand upon in this article. It is available on Amazon in e-book (£36.00) and paperback formats (price £42.25). Simple application of risk treatment concept A simple form of exploitation is just to apply the risk treatment concept of prevent–detect–react to risks other than information security risks. Record the risk and your treatment and then act on it. Whether you want to include it within scope of your ISMS is up to you, albeit it should remain outside of the scope of ISO/IEC 27001 certification. Extending the processes of risk assessment and risk treatment ISO/IEC 27001 requires you to identify risks associated with the loss of confidentiality, integrity and availability for information within the scope of your ISMS. It requires you to assess the realistic likelihood of the occurrence of those risks. It requires you to assess the potential consequences that would result if those risks were to materialise. It requires you to evaluate these risks by comparing the results of your risk analysis with your risk criteria; prioritising analysed risks for treatment; and treating those risks by determining all controls that are necessary to implement your chosen risk treatment options. The only information security specific content in these requirements is the reference to “…confidentiality, integrity and availability for information”. A more formal extension to other risks can be made by augmenting these references to risks with other associations and consequences, e.g.: risks associated with the loss of life or quality of life, unavailability of products and services, loss of revenue and unanticipated costs for disasters within scope of the management system risks associated with the the loss of revenue, unanticipated costs, and resource wastage for products and services within scope of the management system. [Here, we have used highlighting to show the relationship with the ISO/IEC 27001 phrases loss of confidentiality, integrity and availability and information.] Such a formal extension of the processes of risk assessment and risk treatment is easier if you are using the events and consequences method (as advocated by ISO 31000 (and used in IMS-Smart On-Line)). This is because trying to determine assets, threats and vulnerabilities with these other types of risks, although possible, does not add any value to the process. The events associated with the first example can be simply phrased as: Acts of God, vandals and terrorists. Those associated with the second example are the traditional quality events of: Supply of the wrong product Nonconforming product Bad customer experience. Using the approach of constructing designer risk treatment plans determine controls to prevent, detect and react to your event. Of course, there is no Annex A to help, although guidance can be found in various ISO standard (e.g., the ISO 22300 series for business continuity, and the ISO 9000 series for quality). Opportunity exploitation “Every problem is an opportunity in disguise”, as once said John Adams, and this is just as true in risk management as in everyday life. The opportunities arise from risk treatment. There is a formal way to express opportunity exploitation plans, but for a simple application just ask yourself: “does this risk treatment plan present an opportunity for furthering my business?” if so “how can I exploit it?” Adjust your risk treatment plan as necessary to maximise the likelihood of reward and execute. Don’t forget the Deming Cycle When applying these ideas — simple or formal extension to non-IS risks and opportunity exploitation — don’t forget the Deming Cycle: PLAN-DO-CHECK-ACT. Once you have determined and implemented your plan for managing non-IS risks, or opportunity exploitation, check that the plan is working, make adjustments as necessary and repeat. Just as an ISMS is a continuous cycle of improvements, so is any extension of an ISMS to assist you to manage and exploit non-IS risks. How IMS-Smart can help We can help in three ways: David Brewer’s book “An introduction to ISO/IEC 27001:2022”, gives a detailed explanation of the whole of ISO/IEC 27001:2022, and explains the concepts underpinning designer risk treatment plans. It is available on Amazon in e-book (£36.00) and paperback formats (price £42.25). We also have some technology that can help you to create an ISMS with built-in support for creating custom designer risk treatment plans, as well as those needed for information security management, plus of the necessary PDCA features. Just because you already have an ISMS does not mean that you cannot take advantage of IMS-Smart On-Line. Think of it as upgrading to a brand new car, and take advantage of the ISO/IEC 27001 transition period to do it. We can train you. If you have any question about exploiting your ISMS, IMS-Smart On-Line, just or use the find facility above. We will be pleased to assist.





This site does not use cookies, but if you logon to an IMS-Smart product you consent to that site setting authentication session cookies
© IMS-Smart Limited, 2023
Page last updated: May 22, 2023

Logon to your IMS-Smart product
USER NAME
PASSWORD
Don’t have an IMS-Smart product? Learn more, register an evaluation copy, read the books.

Search the ims-smart.com website
SEARCH TEXT

Diligent risk management is a key business enabler

Simple application of risk treatment concept

Extending the processes of risk assessment and risk treatment

Opportunity exploitation

Don’t forget the Deming Cycle

How IMS-Smart can help