Risk Register, Risk Analysis and Risk Response/Treatment

Ramaiyer

Hi All,
Background:
I am implementing ISO 27K for my company. We are ISO 9001 and ISO 20000 certified along with CMMI Level 2. We are a small IT consulting company with less than 100 employees.

Current status:
I have created a Risk Register and done Risk Analysis. Then I have created a Risk Treatment Plan.

During internal review, I was asked why we need to create a separate Risk Register instead of updating the existing Risk Register created for other ISO certifications. It is understood that there are different risks and scope issues. But I was asked why not expand the current Risk Register itself. Also, I was asked why we need a Risk Analysis and a Risk Treatment Plan. Why is that info not also included in the Risk Register? Just add the required columns and have everything in one document. I have a detailed Risk Register, with all the asset classes and the Risks, a detailed Risk Analysis and also a very detailed Risk Treatment Plan with Risk, Residual Risk, Replacement value, etc.

Question:

1. Can I combine Risk Register for ISO 9001, ISO 20000 and ISO 27001?
2. Are Risk Analysis and Risk Treatment documents required separately, or can they be combined with the Risk Register?

Any help is appreciated.
 

Paul Simpson

<snip>
Question:

1. Can I combine Risk Register for ISO 9001, ISO 20000 and ISO 27001?
2. Are Risk Analysis and Risk Treatment documents required separately, or can they be combined with the Risk Register? </snip>
1. Certainly you can have a combined register, so long as the register covers all the 27k risks and you can show them.
2. A combined register with analysis and treatment included is also permissible.

The important thing in all this is that it works for you. If it is simple and obviously fits with how you work then anyone from outside should commend you for a neat solution.

Hope this helps.
 
amit_rd

Adding to Mr. Paul's comments:

1. Risk identification and management methodology should be standardized in the organization to facilitate comparative analysis and prioritization of actions.
2. Having too many platforms/forums for managing risks may lead to the risk of reinventing the wheel and, at times, collateral risks managed by different forums using different resources. This may have cost implications.


To get others to aid your risk management as well, make information security risk one of the parameters in addition to the conventional "Time, Cost, Safety and Quality".

Best of luck
 
kgott

<snip>
Question:

1. Can I combine Risk Register for ISO 9001, ISO 20000 and ISO 27001?
2. Are Risk Analysis and Risk Treatment documents required separately, or can they be combined with the Risk Register?

Any help is appreciated. </snip>
Ramaiyer;

Yes, you can, and it would be a good idea to do it. That way the problem and the solution are in the one document and on the one line. You should ensure that the control actions result in a lower level of risk; otherwise the risk treatment cannot be seen to be effective.

Also bear in mind that the consequence of the risk always remains the same; only the likelihood reduces.

I suggest your columns would be:
Risk
Likelihood
Consequence
Current controls
New risk treatment
Residual risk after treatment

Your risk assessment matrix tool should show that high numbers = high risk (consequence and likelihood) and low numbers = low risk.

High risks/consequences will be red squares, medium risks will be yellow and low risks green. This would mean that your red squares and high numbers would be in the top right and the low-score, low-risk green squares in the bottom left. See attached.

You will need to define your own actions that are to be taken for each of the colours in relation to safety and environmental actions.
 

Attachment: Risk matrix 1.JPG
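A worked illustration of the combined one-row-per-risk register kgott describes, written as an added example for this thread (it is not any poster's own code): each row holds the risk, likelihood, consequence, current controls, the new treatment and the residual likelihood, and the check flags a treatment that does not lower the score. The 1 to 5 scales, the score = likelihood x consequence rule and the colour thresholds are assumptions; the attached matrix defines the real ones.

```python
from dataclasses import dataclass

# Assumed scales (not from the thread): likelihood and consequence are each 1..5,
# score = likelihood x consequence, so high numbers mean high risk.
SCALE_MIN, SCALE_MAX = 1, 5


def band(score: int) -> str:
    """Map a score to a colour band. Thresholds are assumed; tune to your matrix."""
    if score >= 15:
        return "red"
    if score >= 6:
        return "yellow"
    return "green"


@dataclass
class RiskRow:
    """One line of the combined register: problem and solution on the same row."""
    risk: str
    likelihood: int
    consequence: int
    current_controls: str
    treatment: str
    residual_likelihood: int  # consequence is unchanged by treatment, only likelihood drops

    def inherent_score(self) -> int:
        return self.likelihood * self.consequence

    def residual_score(self) -> int:
        return self.residual_likelihood * self.consequence

    def check(self) -> list:
        """Return what an internal reviewer would flag; an empty list means the row is sound."""
        problems = []
        for name, value in (("likelihood", self.likelihood),
                            ("consequence", self.consequence),
                            ("residual_likelihood", self.residual_likelihood)):
            if not SCALE_MIN <= value <= SCALE_MAX:
                problems.append(f"{name} {value} outside {SCALE_MIN}..{SCALE_MAX}")
        if self.treatment and self.residual_score() >= self.inherent_score():
            problems.append("treatment does not lower the risk score")
        return problems


def register_report(rows):
    """Per row: risk, inherent score and band, residual score and band, reviewer findings."""
    return [(r.risk, r.inherent_score(), band(r.inherent_score()),
             r.residual_score(), band(r.residual_score()), r.check()) for r in rows]


# Constructed sample rows, not taken from the thread.
SAMPLE = [
    RiskRow("Laptop theft exposes client data", 4, 5, "cable locks", "full-disk encryption", 1),
    RiskRow("Backup restore fails", 3, 4, "nightly backups", "quarterly restore test", 3),
]
```

Running `register_report(SAMPLE)` shows the first row dropping from red (20) to green (5), while the second keeps a score of 12 and is flagged because its treatment leaves the likelihood unchanged.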
Ramaiyer

Thanks to you all. Excellent suggestions. I will go ahead and consolidate all the documents.
 