BLACK FRIDAY DISCOUNT
Get 30% off on toolkits, course exams, Conformio, and Company Training Academy yearly plans.
Limited-time offer – ends December 2, 2024
Use promo code:
30OFFBLACK

Expert Advice Community

Guest

Risk identification

  Quote
Guest
Guest post Created:   Jan 12, 2016 Last commented:   Jan 12, 2016

Risk identification

Hello, When identifying risks, do we have to take into account those risks that are obvious and are already solved? Like for example: - electricity cut, if the organization has already a generator and it enters in activity automatically? - disk back up if it connects automatically? - internet cut, if we have a two providers and when one has problems we use the other one?
0 0

Assign topic to the user

ISO 27001 RISK TREATMENT PLAN

Determine responsibilities for the implementation of controls.

ISO 27001 RISK TREATMENT PLAN

Determine responsibilities for the implementation of controls.

Guest
Guest post Jan 12, 2016

aquirini said

Hello,
When identifying risks, do we have to take into account those risks that are obvious and are already solved? Like for example:
- electricity cut, if the organization has already a generator and it enters in activity automatically?
- disk back up if it connects automatically?
- internet cut, if we have a two providers and when one has problems we use the other one?

Thank you very much,
Alejandrina

Quote
0 0
Guest
DejanK Jan 12, 2016

Dear Alejandrina,

Yes, you should take into account all the risks, including those that are currently low. This needs to be done because (1) you can measure the same risk next year since it may increase in the mean time, and (2) this way you make sure you won't miss some less obvious related risks.

Quote
0 0
Guest
Guest post Jan 12, 2016

Dear Dejan,

Thank you very much for your answer. Sorry that I insist on the topic, but some of the Area managers don´t want to "write down" procedures that they think are obvious. So I would like to give them "stronger" reasons that I can find by myself. They say that if they have an "automatic" contingency to a risk (no matter if it is low or high) they don´t need to write anything else since the don´t need to do anything different. For example when the electricity cuts down, the generators starts working without any human intervention. Also for example if some IT disk have troubles and they have a parallel back up that is usual and mandatory for the IT industry?
I really think that they have to identify that risk in order to maintain the contingency and improve it. Is that right? Which is the "limit" to detect small or big risks?
Thank you very much in advance,
Alejandrina

Quote
0 0
Guest
DejanK Jan 12, 2016

Alejandrina,

You need to identify all risks, big and small.

But identifying the risk does not mean you have to write procedures - if some of your processes are running smoothly without writing them down, then there is no reason to change anything. The essence of ISO 27001 is not about writing documents; it is about setting the rules which will increase the level of security - those rules can be either documented or undocumented.

Quote
0 0
Guest
Guest post Jan 12, 2016

Thank you Dejan. Does the same criteria of "setting rules without writting document" applies to ISO 22301?

Quote
0 0
Guest
DejanK Jan 12, 2016

Only up to a point, ISO 22301 is more strict on what must be documented.

In these two articles you'll find everything that must be documented, everything else may be documented only if you make such a decision:
- List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
- Mandatory documents required by ISO 22301 https://advisera.com/27001academy/knowledgebase/mandatory-documents-required-by-iso-22301/

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Jan 12, 2016

Jan 12, 2016

Suggested Topics

Guest user Created:   Nov 09, 2017 ISO 27001 & 22301
Replies: 1
0 0

IT risk identification

Guest user Created:   Feb 20, 2023 ISO 27001 & 22301
Replies: 1
0 0

Risk Assessment Question

Guest user Created:   Oct 04, 2022 ISO 27001 & 22301
Replies: 3
0 0

Question on risk assessment