Expert Advice Community


Non-risk related reasons to undertake work

Guest user Created:   May 24, 2019 Last commented:   May 24, 2019


Risk management is not the only reason firms undertake work - how do we account for Continuous Improvement that has a "non-risk" source? We maintain a Security Work tool internally in which we often define work, where the work did not come from a clear and articulated risk. Any thoughts on how to handle "general input" workload like this? Do ISO auditors assume everything must be initially articulated as a risk?


Expert
Rhand Leal May 24, 2019

Answer:

In a general manner, security related actions can be driven by these reasons:
- the existence of unacceptable risks (as you already mentioned)
- the existence of legal requirements (e.g., contracts, laws and regulations), demanding a security action
- a top management decision, based on a business need or on a market best practice

The last two bullets do not have to be initially related to risks (but at some point you can identify some), nor will ISO auditors require every action to be related to risks.
