Hello,
I've recently come across the corporate risk management approach that centres around risk identification on the departmental (business function) level. High impact risks are then transfered to the high level corporate risk register.
For example, the Finance identified the risk to electronic data loss and integrity, the applied control is A 12.3.1 Back up. They embed the control in Finance only. I think it's wrong as the control should be applied to other departments of the organsiation as well within the scope of the ISMS, even though the risk was raised by the Finance that doesn't mean it doesn't exist for IT or HR areas. Therefore, the risk management is incomplete. In my view, the consolidated register of all IS risks (based on all departments) should be created to cover all risks to CIA and embed all applicable controls accordingly. It would be useful to hear your opinions. Thank you very much!
Assign topic to the user
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more 
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
The objective of ISO 27001 is to protect the information assets included in the ISMS scope, regardless where they are or in what media they are stored.
Considering that, even if the risk was identified by Finance, if the related information asset is also handled by IT or HR, the organization must ensure proper controls are applied in all these departments.
Regarding the risk register, the standard does not prescribe how it should be created, so both centralized and decentralized registers are acceptable, and you should evaluate the pros and cons of each approach. For example, a centralized approach can make the identification of situations you mentioned easier, but a decentralized approach is better to restrict access to risks that should be known only by a specific department or group of persons.
These articles will provide you further explanation about scope and risk assessment:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
Comment as guest or Sign in
Apr 06, 2020