Two risk assessments for ISMS

Richard Regalado

Trusted Information Resource
#1
Many are confused about the requirements for risk assessment in the ISO/IEC 27001 information security management system standard. The requirements for risk appear in two sections of the Standard.

In Section 6.1.1, the requirement states:

6.1.1 General
When planning for the information security management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to:
a) ensure the information security management system can achieve its intended outcome(s);
b) prevent, or reduce, undesired effects; and
c) achieve continual improvement.
In Section 6.1.2.c, the requirement states:

c) identifies the information security risks:
1) apply the information security risk assessment process to identify risks associated with the loss of confidentiality, integrity and availability for information within the scope of the information security management system; and
2) identify the risk owners;
Note that the above requirements pertain to different things. 6.1.1 asks the organization to consider the risks and opportunities to the information security management system (ISMS), while 6.1.2.c asks the organization to identify the information security risks.

The best approach is to have a separate risk assessment for the above requirements.

Risk and Opportunities to the ISMS

ISMS risks
- the person in charge of the ISMS may leave the organization, and no one else is knowledgeable in managing it
- the organization may run out of budget
- the added workload of the nominated people to build the ISMS may have a negative effect on the business
- the organization may have a change of heart, stop the implementation, and in doing so, a lot of resources may be wasted
ISMS opportunities
- greater market share due to confidence offered to the customers
- better chances of passing regulatory audits
- awareness on information security matters could mean less cost in handling and managing breaches
- 3rd-party certification may be sought

Information security risks
- lack of an awareness program may lead to employees committing breaches when using the internet
- lack of logical security may lead to unauthorized disclosure of confidential information
- lack of physical security may lead to theft and pilferage of trade secrets printed on paper
- lack of anti-virus software may lead to system downtime
- lack of a back-up process may lead to process delays when information is deleted
- incorrect coding may lead to errors when applications go live
- improper termination of cables may lead to transmission errors
- delays in patching may lead to unauthorized access to network resources
The above does not address the entire risk assessment requirements but could point implementers in the right direction. In my next post, I will share actual examples of how to document both requirements.

Feedback is fuel for improvement and is therefore anticipated.