Management decisions
Answer: Considering ISO 27001, top management can define in advance under which circumstances the rules (i.e., processes or controls) can be bypassed, and must ensure that relevant information related to those decisions is recorded (e.g., a risk assessment). If you can provide such circumstances and evidence, the situation is OK.
The situation you should be worried about is if bypass situations happen often, because this would mean that the information security management system is not properly aligned with the business's expected outcomes, and that is a problem, generally related to the perception of the risks the organization is willing to take, also called risk appetite. In this case, what top management can do is to change policies or procedures as they think is needed.
This article will provide you further explanation about risk appetite:
- Risk appetite and its influence over ISO 27001 implementation https://advisera.com/27001academy/blog/2014/09/08/risk-appetite-influence-iso-27001-implementation/
These materials will also help you regarding risk appetite:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
Apr 14, 2017