Enterprise risk management and ISO 27001

Guest user Created:   Jan 12, 2016 Last commented:   Jan 12, 2016

1. The revised standard refers to ISO 31000 to conduct risk assessment, which means taking the risk assessment from an enterprise perspective rather than an asset-based one. Further, if we go by the asset base, we might not identify the enterprise-level security risks in a macro view or top-down risks, e.g. reputational, image, loss of competitiveness, loss of strategic opportunities, etc.

DejanK Jan 12, 2016

2. The revised standard expects the information security risks to be incorporated into the other enterprise-level risk framework.

Given the above two expectations, can you please elaborate how we could integrate the asset-based approach and enterprise-level risk?

Answer:

First of all, ISO 31000 is not mandatory for ISO 27001:2013 - see this article: ISO 31000 and ISO 27001 – How are they related? https://advisera.com/27001academy/blog/2014/03/31/iso-31000-and-iso-27001-how-are-they-related/

Second, information security risks are only a subset of enterprise risks - therefore, you cannot cover all the enterprise risks with information security risk assessment.

Therefore, in my opinion the best solution is to use a more detailed methodology (e.g. asset-based or similar) for information security risk assessment, and to use some other methodology for the other risks in your company.