Expert Advice Community

27001 Corporate Risk Management

Guest (Lead Auditor) Created: Apr 04, 2020 Last commented: Apr 07, 2020

Hello,

I've recently come across the corporate risk management approach that centres around risk identification on the departmental (business function) level. High impact risks are then transferred to the high level corporate risk register.

For example, Finance identified the risk to electronic data loss and integrity; the applied control is A.12.3.1 Backup. They embed the control in Finance only. I think it's wrong, as the control should be applied to other departments of the organisation as well within the scope of the ISMS: even though the risk was raised by Finance, that doesn't mean it doesn't exist for IT or HR areas. Therefore, the risk management is incomplete. In my view, a consolidated register of all IS risks (based on all departments) should be created to cover all risks to CIA and embed all applicable controls accordingly. It would be useful to hear your opinions. Thank you very much!

Expert: Rhand Leal, Apr 07, 2020

The objective of ISO 27001 is to protect the information assets included in the ISMS scope, regardless where they are or in what media they are stored.

Considering that, even if the risk was identified by Finance, if the related information asset is also handled by IT or HR, the organization must ensure proper controls are applied in all these departments.

Regarding the risk register, the standard does not prescribe how it should be created, so both centralized and decentralized registers are acceptable, and you should evaluate the pros and cons of each approach. For example, a centralized approach can make the identification of situations like the one you mentioned easier, but a decentralized approach is better for restricting access to risks that should be known only by a specific department or group of persons.

These articles will provide you with further explanation about scope and risk assessment:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
