Just wondering if Risk Management in 27001 differs in any way from 31000:2018 as far as the methodology.
I.e., should IS risks under 27001 be managed differently from other business risks, which typically fall under 31000?
Please note that ISO 27001 only defines requirements for a risk assessment and risk treatment process, while ISO 31000 defines a methodology.
ISO 27001 has a note just after clause 6.1.3 stating that its risk assessment and treatment process is aligned with ISO 31000.
These articles will provide you with further explanation about risk management:
- ISO 31000 and ISO 27001 – How are they related? https://advisera.com/27001academy/blog/2014/03/31/iso-31000-and-iso-27001-how-are-they-related/
- How to address opportunities in ISO 27001 risk management using ISO 31000 https://advisera.com/27001academy/blog/2018/04/13/how-to-address-opportunities-in-iso-27001-risk-management-using-iso-31000/
- ISO 27001/ISO 27005 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
This material will also help you regarding risk management:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
Nov 25, 2020