Kamil Created: Jul 22, 2021 Last commented: Jul 23, 2021

Risk owner problem

Hello, With reference to the risk assessment methodology (risk assessment for ISO 22301 purposes). Who is the owner of the risk if the company to be analyzed uses IT solutions provided by a related company in the capital group? Example: Company X (it is subject to risk analysis in connection with ISO22301) uses an accounting program. Company Y (an IT company from a capital group) provides the program. Will the asset owner, for example, be the IT Director of company Y, and the Accounting Director of company X the owner of the risk? Who should assess the risk for company X in this case? I think he's an employee of Company X, but I'd like to make sure. Best regards,

0 0

Assign topic to the user

Select user

Expert

Rhand Leal Jul 23, 2021

Your assumptions are correct.

The best is for the risk owner to be the role more interested in treat the risk and with enough authority to do something about it, in this case, the Accounting Director of company X. As for the person to perform risk assessment, you should consider the person with the most knowledge about the accounting program and related processes (in general this person is known as the key user).

This article will provide you a further explanation about risk owners:

Risk owners vs. asset owners in ISO 27001:2013 https://advisera.com/27001academy/knowledgebase/risk-owners-vs-asset-owners-in-iso-270012013/

Quote

0 1

Kamil Jul 23, 2021

Thank you!

Quote

0 0

Comment as guest or Sign in

HTML tags are not allowed

Name *

Email *

I accept the Privacy and Terms

Notify me when someone replies

Jul 22, 2021

Jul 23, 2021

Expert Advice Community