Two risk assessments for ISMS

Richard Regalado

Trusted Information Resource
Many are confused about the requirements for risk assessment in the ISO/IEC 27001 information security management system standard. The requirements for risk appear in two sections of the Standard.

In Section 6.1.1, the requirement states:

6.1.1 General

When planning for the information security management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to:
a) ensure the information security management system can achieve its intended outcome(s);
b) prevent, or reduce, undesired effects; and
c) achieve continual improvement.

In Section 6.1.2.c, the requirement states:

c) identifies the information security risks:
1) apply the information security risk assessment process to identify risks associated with the loss of confidentiality, integrity and availability for information within the scope of the information security management system; and
2) identify the risk owners;

Note that the above requirements pertain to different things. 6.1.1 asks the organization to consider the risks and opportunities to the information security management system (ISMS), while 6.1.2.c asks the organization to identify the information security risks.

The best approach is to have a separate risk assessment for the above requirements.

Risk and Opportunities to the ISMS

ISMS risks
- the person in charge of the ISMS may leave the organization, and no one else is knowledgeable in managing it
- the organization may run out of budget
- the added workload of the people nominated to build the ISMS may have a negative effect on the business
- the organization may have a change of heart, stop the implementation, and in doing so, a lot of resources may be wasted

ISMS opportunities
- greater market share due to the confidence offered to customers
- better chances of passing regulatory audits
- awareness of information security matters could mean less cost in handling and managing breaches
- 3rd-party certification may be sought

Information security risks
- lack of an awareness program may lead to employees committing breaches when using the internet
- lack of logical security may lead to unauthorized disclosure of confidential information
- lack of physical security may lead to theft and pilferage of trade secrets printed on paper
- lack of anti-virus software may lead to system downtime
- lack of a back-up process may lead to process delays when information is deleted
- incorrect coding may lead to errors when applications go live
- improper termination of cables may lead to transmission errors
- delays in patching may lead to unauthorized access to network resources

The above does not address the entire risk assessment requirements but could point implementers in the right direction. In my next post, I will share actual examples of how to document both requirements.

Feedback is fuel for improvement, and is therefore anticipated.