Psychology within the scope of risk treatment and analysis
Thanks for the update on the course. I have a project that is still in development and I was wondering if you had any information on the issue of psychology within the scope of risk treatment and analysis. If we're going to build the profile of a job that contains a risk at any level, either within the task sequence or the individual assessment of the task, how do we determine the responsible strategy of analysis of the situation?
Psychology within risk treatment is out of our field of expertise, but in a general way, for every risk where the human factor is involved, you should consider means, motivation, and opportunity when analyzing a situation. By elimination of these elements from the situation, you can decrease the risk, and for controls, you should consider:
- definition of roles, responsibilities, and authorities, so people understand what is expected from them (this provides guidelines for the other two practices)
- awareness and training, so people understand why information security is important, the consequences of incidents, and how to perform their activities (this decreases motivation)
- segregation of duties, so a single person cannot perform all required tasks (this decreases means and opportunities).
These articles will provide you with further explanation:
- How to document roles and responsibilities according to ISO 27001 https://advisera.com/27001academy/blog/2016/06/20/how-to-document-roles-and-responsibilities-according-to-iso-27001/
- How to perform training & awareness for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301/
- Segregation of duties in your ISMS according to ISO 27001 A.6.1.2 https://advisera.com/27001academy/blog/2016/11/21/segregation-of-duties-in-your-isms-according-to-iso-27001-a-6-1-2/
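The segregation-of-duties control in the answer above can be checked automatically once roles and their duties are written down. The following is an added example, not code from the original Q&A or from Advisera: it models roles as sets of duties, declares which duty pairs must never sit with one person, and reports both direct conflicts and any person who could complete a whole task sequence alone. All names, roles, duties and conflict pairs are constructed for the example.

```python
"""Segregation-of-duties (SoD) check over role assignments.

Added example, not part of the original Q&A. It implements the answer's
point that a single person should not be able to perform every task in a
sensitive sequence. All names, roles and conflict pairs are constructed.
"""
from itertools import combinations

# Constructed: pairs of duties that must not be held by the same person.
CONFLICTING_DUTIES = {
    frozenset({"request_payment", "approve_payment"}),
    frozenset({"approve_payment", "execute_payment"}),
    frozenset({"create_user_account", "approve_user_account"}),
}

# Constructed: which duties each role grants.
ROLE_DUTIES = {
    "clerk": {"request_payment"},
    "manager": {"approve_payment"},
    "treasury": {"execute_payment"},
    "helpdesk": {"create_user_account"},
    "it_manager": {"approve_user_account"},
}

# Constructed sample assignment of roles to people.
ASSIGNMENTS = {
    "alice": {"clerk"},
    "bob": {"manager", "treasury"},       # approve + execute: conflict
    "carol": {"helpdesk", "it_manager"},  # create + approve: conflict
    "dave": {"clerk", "it_manager"},      # no conflicting pair
}


def duties_of(person, assignments=ASSIGNMENTS, role_duties=ROLE_DUTIES):
    """Return every duty a person can perform through all of their roles.

    Unknown people or roles contribute nothing, so a typo in the input
    cannot accidentally grant a duty.
    """
    duties = set()
    for role in assignments.get(person, set()):
        duties |= role_duties.get(role, set())
    return duties


def sod_violations(assignments=ASSIGNMENTS, role_duties=ROLE_DUTIES,
                   conflicts=CONFLICTING_DUTIES):
    """List (person, duty_a, duty_b) for each conflicting pair one person holds."""
    violations = []
    for person in sorted(assignments):
        held = duties_of(person, assignments, role_duties)
        for a, b in combinations(sorted(held), 2):
            if frozenset({a, b}) in conflicts:
                violations.append((person, a, b))
    return violations


def single_person_can_complete(task_duties, assignments=ASSIGNMENTS,
                               role_duties=ROLE_DUTIES):
    """Names of people who alone hold every duty in a task sequence.

    An empty list means the sequence always needs at least two people,
    which is the outcome segregation of duties aims for.
    """
    needed = set(task_duties)
    return [p for p in sorted(assignments)
            if needed <= duties_of(p, assignments, role_duties)]


if __name__ == "__main__":
    for person, a, b in sod_violations():
        print(f"SoD violation: {person} holds both '{a}' and '{b}'")
    payment_flow = ["request_payment", "approve_payment", "execute_payment"]
    print("can complete the payment flow alone:",
          single_person_can_complete(payment_flow) or "nobody")
```

Running the script lists bob and carol as holding conflicting duty pairs and reports that nobody can run the full payment flow alone; the same functions can be fed an export of a real role model (as an assumption, any source that yields person-to-role and role-to-duty mappings) to review an ISMS against the A.6.1.2 control the linked article discusses.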
Sep 22, 2020