Opportunities in the methodology of risk assessment?

Guest user Created:   Mar 09, 2016 Last commented:   Mar 09, 2016


I am confused because I created an information security risk management procedure, which is the risk assessment methodology. Do I need to put something related to opportunities in that procedure or not? And do I need to add something to my risk register, like opportunities?
Antonio Jose Segovia Mar 09, 2016

Kindly tell me one easy way to do it to fulfill the requirement of the standard. For example, can I describe in the manual that opportunities are identified in the objectives and that KPIs are set to achieve those objectives (the opportunities)?

Answer:
No, it is not necessary to put anything related to opportunities in the risk assessment methodology, because risks and opportunities are related to the objectives, and any action that you take that is related to the achievement of the security objectives but is not related to risk management can be considered to be addressing the opportunities. An example related to an opportunity: your organization buys a cheap firewall, which gives your organization the opportunity to reduce risks, but this firewall can also produce increased risks due to the low quality of the device.

One easy way to fulfill this requirement of the standard related to opportunities is to document such actions in your management review minutes, in corrective actions, or in any other records or documents that you use in your company (for example, actions agreed through email), but from my point of view the risk assessment methodology is not the best way.

And keep in mind that you should document your general information security objectives in the information security policy, and control specific information security objectives in the SOA (Statement of Applicability).

For more information about the objectives, please read this article “ISO 27001 control objectives – Why are they important?” : https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/

And our online course can also be interesting for you, because we give detailed information about addressing risks and opportunities: “ISO 27001:2013 Foundations Course”: https://advisera.com/training/iso-27001-foundations-course/
