Risk Management with ISO 27001

ISO 27001 is the set of requirements for developing an information security management system. This is the standard that an organization will need to adhere to in order to receive ISO 27001 certification. The standard has several key components that are required in order to achieve compliance. Of particular interest for this discussion are the requirement for a security policy and the requirement for a documented procedure for the assessment and treatment of risk.

Regulatory Compliance and Risk Management

Regardless of which regulatory standard you are dealing with, ISO 27001 gives a baseline paradigm. Compliance with or certification in ISO 27001 will give you strong IT-related controls that will also help satisfy the requirements of many regulatory standards. How far ISO 27001 can help you achieve compliance with other regulatory standards depends on which controls you select and how you implement those controls.

One of the strongest values ISO 27001 brings is its agnostic approach. There are absolutely no requirements in ISO 27001 for any specified technology. In fact, compliance with the standard can theoretically be achieved without even owning a computer. What the standard requires is the selection of IT-related controls and an implementation of these controls in a way that strengthens them. This is how the standard ties so tightly into the risk management arena.

The following are three key excerpts from the standard dealing with the management of risk:

1. Organizations are required to define and document their risk assessment approach [4.2.1c].

2. "The risk assessment methodology selected shall ensure that risk assessments produce comparable and reproducible results." [4.2.1c]

3. Risk assessments are to be regularly reviewed at planned intervals [4.2.3d].

In addition to the above, the standard also requires that, when selecting controls, there must be a demonstrated relationship between the selected controls and the results of the risk assessment and risk treatment process: "Control objectives and controls shall be selected and implemented to meet the requirements identified by the risk assessment and risk treatment process. This selection shall take account of the criteria for accepting risks as well as legal, regulatory and contractual requirements." [4.2.1g]

The standard also covers the acceptable options for the treatment of risk. These options include risk avoidance, risk acceptance, risk mitigation (through application of controls) and risk transference.


The Information Security Management System

As mentioned previously, the ISO 27001 standard is the set of requirements for developing an Information Security Management System (ISMS). The assessment, management and treatment of risk are intertwined throughout the whole process.

The ISMS is based on the PDCA model: Plan, Do, Check and Act. Simply, it is a living, cyclical process that must be followed to ensure that the ISMS.

For more information please visit: http://www.qgspl.com/ISO_27001_2005.html