What is the exact difference between Risk and Opportunity in context of ISO 27001?

patkim

Registered Visitor
#1
Hi All,
ISO 27001:2013 defines planning for Risks and Opportunities. It's a bit confusing to understand Opportunity as a positive risk.
Unfortunately there's no documented definition of Opportunity available in ISO 27000 vocabulary.

Can someone help me understand the exact difference between Risk and Opportunity in the context of ISO 27001, preferably in layman's terms?
Thanks and regards.
 

AndyN

A problem shared...
Staff member
Super Moderator
#2
Risk is the effect of uncertainty (on something).

Opportunity might be, for example, to adopt "Industry 4.0" in a business. Using robots, big data, virtual reality, and so on may save an organization millions... but there's risk involved!
 

patkim

Registered Visitor
#3
Thanks for the clarity. When the ISMS standard says Identify Risk and Opportunities, are the two supposed to be interrelated or can they be independent?
Can a Risk mitigation lead to an Opportunity, or can I just independently identify, say, adoption of Industry 4.0 as an opportunity?
 

John Broomfield

Staff member
Super Moderator
#4
As with every other part of your system they are linked. Indeed, the interactions between opportunity and risk are fundamental to the success of your organization working as a system of interacting parts to fulfill its purpose or mission.
 

AndyN

A problem shared...
Staff member
Super Moderator
#6
> Thanks for the clarity. When the ISMS standard says Identify Risk and Opportunities, are the two supposed to be interrelated or can they be independent?
> Can a Risk mitigation lead to an Opportunity, or can I just independently identify, say, adoption of Industry 4.0 as an opportunity?

They can be related. With some (business) opportunities, there may be risk. Conversely, not all risks are associated with opportunities.
 

smohanarangan

Starting to get Involved
#7
> Thanks for the clarity. When the ISMS standard says Identify Risk and Opportunities, are the two supposed to be interrelated or can they be independent?
> Can a Risk mitigation lead to an Opportunity, or can I just independently identify, say, adoption of Industry 4.0 as an opportunity?

Wherever there is risk, you have an opportunity to mitigate it. Opportunities can also be collected from various other inputs, like audit findings, especially on suggestions for improvement, and also ideas that are taken in for continual improvement.
 

John Broomfield

Staff member
Super Moderator
#8
Usually the bigger opportunities are taken to realize the purpose of the organization. In doing this organizations are planning to determine what is likely to impede their progress. They then take action to mitigate these risks.

Opportunities come with risks.
 
