ISO27001 - Risk Assessments


PaulPML - 2010

#1
I've just started implementation of this standard, to which I'm quite new, though familiar with other ISO standards.

An initial gap analysis has revealed those areas where there is some overlap with the existing integrated management system, and where there are huge gaping holes.

The next step is risk assessment. How far is this expected to go? I mean, realistically you could fill 100s of pages and try and cover every eventuality, but end up listing most of it as "chalk it down to experience". For example, use of memory sticks, emailing documents, emailing anything, IT specialists' access to servers etc? Where do you stop? I don't want to spend the rest of 2009 doing a risk assessment, but at the same time I don't want to gloss over it. Any hints?

Also, in terms of the risk treatment programme (is it possible to just get some tablets for it?), can we make use of the "reasonably practicable" defence, i.e. if it takes an unreasonable amount of time/money to plug a hole, then accept it can't be done?

I realise that's a lot of questions, but I'd be grateful for any light that can be shed!

Cheers....
 

Hodgepodge

#2
Risk management should be used to select the KEY, or critical, processes or characteristics, from all of the possibilities. Ask yourself:
How severe are the problems that could arise? Don’t nickel and dime yourself to death.
How often does nonconformance in this area occur? If you’ve never had a problem before, then I wouldn’t start looking here, save this for later.
How easy is it to determine if nonconformance has occurred? If you aren't tracking or measuring your processes, do you know how much time and money could be saved?
To get started in risk assessment, categorize your risks. Generalize. Figure out which processes you aren’t performing and which of these missing processes are likely to cause nonconformance. Weigh the cost vs. benefit of addressing these categories and processes and the riskiest will stand out. These are the areas you attack first.
When starting out with risk assessment, you can't know everything. You label and generalize and start tracking process performance. The procedures/work instructions that will be created as you proceed will cover the minutiae. Try not to let personal perception determine risk. You and I may have differing opinions of what is risky and what is not. The more your processes can be measured, the easier it will be to be objective and determine which risks to address first. Subjectivity can be the cause of many misdirected and misguided hours, leaving greater risks unattended.
Set up some objectives for the risk assessment process. This might keep you from getting too sidetracked. Compliance with the standard is important, of course, but don't forget the purpose of a QMS is to add value to a company, not tie its hands with red tape.
 

PaulPML - 2010

#3
Thanks for the info. I tried to take a more overarching approach using mind mapping to identify all those areas that might be a risk and how they interact - unsurprisingly, in terms of information security, people tend to provide the biggest risk!!
 

Richard Regalado

#6

ISO/IEC 27001 presents the steps in the conduct of risk assessment. It starts with asset identification. Identify all your information assets and their asset owners. Then you can go with the rest of the steps - threat and vulnerability identification, damage, likelihood, etc.

The values you will use for risk assessment shall ensure comparability throughout the organization. An activity which I call "levelling of risks" should be done after the risk assessment to avoid discrepancies in the output. For example, one department may classify their printer as high risk because they have only one, and another department may classify it differently.
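As an added illustration of the steps described in this post (asset and owner, threat, vulnerability, damage, likelihood) together with the "levelling" pass, here is a small risk register in Python. It is not from the standard, from any poster, or from any product; the 1-5 scales, the high/medium/low thresholds, the departments and the asset entries are all constructed for the example. The levelling function groups entries by asset type and threat and flags the cases where two departments ended up with different risk ratings for the same thing, which is exactly the printer discrepancy the post describes.

```python
"""Minimal ISO/IEC 27001-style risk register with a post-assessment
"levelling" check. Added example for this thread; every scale, threshold
and register entry below is constructed, not taken from the standard."""
from collections import defaultdict
from dataclasses import dataclass

# Organization-wide ordinal scales. Using ONE scale for everybody is what
# makes scores comparable across departments (assumption: 1..5 for both).
DAMAGE_SCALE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
LIKELIHOOD_SCALE = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}


@dataclass(frozen=True)
class RiskEntry:
    """One line of the register: who owns which asset, what can go wrong, and how badly."""
    department: str
    asset: str          # information asset, or the container (printer, laptop) holding it
    owner: str
    threat: str
    vulnerability: str  # the weakness the threat would exploit
    damage: str         # key in DAMAGE_SCALE
    likelihood: str     # key in LIKELIHOOD_SCALE

    def score(self) -> int:
        # Raises KeyError if a department used a label outside the shared scale,
        # which is itself a levelling defect worth catching early.
        return DAMAGE_SCALE[self.damage] * LIKELIHOOD_SCALE[self.likelihood]


def rate(score: int) -> str:
    """Map a 1..25 score onto high/medium/low (constructed thresholds)."""
    if score >= 15:
        return "high"
    if score >= 6:
        return "medium"
    return "low"


def prioritise(register):
    """Riskiest first, so treatment effort goes where the score is highest."""
    return sorted(
        ((e.score(), e.asset, e.threat, e.department) for e in register),
        reverse=True,
    )


def level_risks(register):
    """Levelling pass: find asset/threat pairs that departments rated inconsistently.

    Returns a list of ((asset, threat), {department: score}) for every pair
    whose per-department scores fall into different high/medium/low bands.
    A reviewer then decides whether the difference is real (a single printer
    really is a bigger availability risk) or a scoring discrepancy to correct.
    """
    groups = defaultdict(list)
    for entry in register:
        groups[(entry.asset, entry.threat)].append(entry)

    findings = []
    for key, entries in groups.items():
        if len(entries) < 2:
            continue  # nothing to compare against
        scores = {e.department: e.score() for e in entries}
        if len({rate(s) for s in scores.values()}) > 1:
            findings.append((key, scores))
    return findings


# Constructed sample register reproducing the post's printer example.
SAMPLE_REGISTER = [
    RiskEntry("Finance", "office printer", "Finance manager", "unavailability",
              "single device, no spare", "major", "likely"),            # 4*4 = 16, high
    RiskEntry("HR", "office printer", "HR manager", "unavailability",
              "several networked printers", "minor", "possible"),        # 2*3 = 6, medium
    RiskEntry("Finance", "staff laptop", "Finance manager", "theft",
              "unencrypted disk", "major", "possible"),                  # 12, medium
    RiskEntry("HR", "staff laptop", "HR manager", "theft",
              "unencrypted disk", "major", "possible"),                  # 12, medium (consistent)
    RiskEntry("IT", "payroll database", "IT manager", "unauthorised access",
              "shared administrator password", "severe", "likely"),      # 20, high
]

if __name__ == "__main__":
    for score, asset, threat, dept in prioritise(SAMPLE_REGISTER):
        print(f"{rate(score):6} {score:2}  {dept:8} {asset} / {threat}")
    for (asset, threat), scores in level_risks(SAMPLE_REGISTER):
        print(f"LEVELLING: '{asset}' vs '{threat}' rated differently: {scores}")
```

Run as a script it prints the register in priority order and then one levelling finding for the printer. The point of keeping `DAMAGE_SCALE` and `LIKELIHOOD_SCALE` as shared dictionaries is that a department cannot quietly invent its own "very high" label; an unknown label fails loudly instead of producing an incomparable score.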
 