Expert Advice Community

Risk identification

Guest post Created:   Jan 12, 2016 Last commented:   Jan 12, 2016

Guest
Guest post Jan 12, 2016

aquirini said

Hello,
When identifying risks, do we have to take into account those risks that are obvious and are already solved? Like for example:
- electricity cut, if the organization has already a generator and it enters in activity automatically?
- disk back up if it connects automatically?
- internet cut, if we have two providers and when one has problems we use the other one?

Thank you very much,
Alejandrina

DejanK Jan 12, 2016

Dear Alejandrina,

Yes, you should take into account all the risks, including those that are currently low. This needs to be done because (1) you can measure the same risk next year since it may increase in the meantime, and (2) this way you make sure you won't miss some less obvious related risks.

Guest post Jan 12, 2016

Dear Dejan,

Thank you very much for your answer. Sorry that I insist on the topic, but some of the Area managers don't want to "write down" procedures that they think are obvious. So I would like to give them "stronger" reasons than I can find by myself. They say that if they have an "automatic" contingency to a risk (no matter if it is low or high) they don't need to write anything else since they don't need to do anything different. For example, when the electricity cuts out, the generator starts working without any human intervention. Also, for example, if some IT disks have trouble and they have a parallel backup that is usual and mandatory for the IT industry?
I really think that they have to identify that risk in order to maintain the contingency and improve it. Is that right? What is the "limit" for detecting small or big risks?
Thank you very much in advance,
Alejandrina

DejanK Jan 12, 2016

Alejandrina,

You need to identify all risks, big and small.

But identifying the risk does not mean you have to write procedures - if some of your processes are running smoothly without writing them down, then there is no reason to change anything. The essence of ISO 27001 is not about writing documents; it is about setting the rules which will increase the level of security - those rules can be either documented or undocumented.

Guest post Jan 12, 2016

Thank you, Dejan. Does the same criterion of "setting rules without writing a document" apply to ISO 22301?

DejanK Jan 12, 2016

Only up to a point; ISO 22301 is stricter on what must be documented.

In these two articles you'll find everything that must be documented; everything else may be documented only if you make such a decision:
- List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
- Mandatory documents required by ISO 22301 https://advisera.com/27001academy/knowledgebase/mandatory-documents-required-by-iso-22301/
