Opportunities in the methodology of risk assessment?
Assign topic to the user
Kindly tell me one easy way to do it to fulfill the requirement of the standard. like can i describe that in the manual that opportunities are identified in the objectives and KPIs are set to achieve those objectives; opportunities?
Answer:
No, it is not necessary to put something related to opportunities in the methodology of risk assessment, because risks and opportunities are related to the objectives, and any action that you take, that is related to the achievement of the security objectives, but is not related to the risk management, can be considered to be addressing the opportunities. An example related to an opportunity can be: Your organization buys a cheap firewall which gives to your organization the opportunity to reduce risks, but this firewall can also produce increased risks due to low quality of the device.
One easy way to fulfill this requirement, related to opportunities, of the standard, is that you can document such actions in your Management review minutes, in corrective actions, or any other records or documents that you use in your company (for example actions agreed through email), but from my point of view the methodology of risk assessment is not the best way.
And keep in mind that you should document your general information security objectives in the information security policy, and control specific information security objectives in the SOA (Statement of Applicability).
For more information about the objectives, please read this article “ISO 27001 control objectives – Why are they important?” : https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/
And our online course can be also interesting for you because we give detailed information about addressing risks and opportunities “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
Comment as guest or Sign in
Mar 09, 2016