Expert Advice Community

Risk management

Guest user - Created: Feb 06, 2019 - Last commented: Feb 06, 2019

1 - I have a query: is there any difference between third-party risk management and usual risk management?

Expert
Rhand Leal Feb 06, 2019

Answer: Risk management means the policies, procedures, and practices for identifying, analyzing, evaluating, and treating risks, and this can be done through different approaches (e.g., ISO 27005 - a supporting standard for ISO 27001, ISO 31000, the NIST Cybersecurity Framework, etc.). Considering that, you should evaluate the approaches used in what you call usual risk management and third-party risk management to see if they are in fact different.

For example, if usual risk management is based on ISO 27005 and third-party risk management is based on ISO 31000, then they are very similar. On the other hand, if usual risk management is based on ISO 27005 and third-party risk management is based on the NIST CSF, they have considerable differences.

These articles will provide you with more information:
- ISO 31000 and ISO 27001 – How are they related? https://advisera.com/27001academy/blog/2014/03/31/iso-31000-and-iso-27001-how-are-they-related/
- Which one to go with – Cybersecurity Framework or ISO 27001? https://advisera.com/27001academy/blog/2014/02/24/which-one-to-go-with-cybersecurity-framework-or-iso-27001/

2 - And what about taking a job in risk management versus a job as an IT auditor? When you have these two offers in hand, which one do you think I should go with, as per your advice?

About me: I have 4 years of experience in ITGC and SOX implementation and monitoring. I am currently looking for better opportunities that will help me move into the cyber security domain.

Answer: Your choice will depend on your professional objectives. If you want to work on establishing a secure environment, you should consider the risk management offer. On the other hand, if you want to work on ensuring that implemented controls are properly implemented and are bringing the expected results, then you should consider the IT auditor offer. Your background allows you to go either way.

This article will provide you with further explanation about becoming an auditor:
- How to become ISO 27001 Lead Auditor https://advisera.com/27001academy/knowledgebase/how-to-become-iso-27001-lead-auditor/

This material will also help you with becoming an auditor:
- ISO 27001:2013 Lead Auditor Course https://training.advisera.com/se/iso-14001-internal-auditor-course/o-27001-lead-auditor-course/