Risk Management Alignment Among ISO31000, ISO27001, ISO22301 & ISO9001

First is important to note that ISO 9001, ISO 22301, and ISO 27001 do not prescribe any methodology for risk assessment and risk treatment, so you can adopt the methodology that better fits your context. As for ISO 31000, it defines a general framework for risk management that can be applied to organizations of any industry and size, based on this core process: risk identification, risk analysis, risk evaluation, and risk treatment.

Considering that, you should adopt the “global definition, local implementation” approach, i.e., which aspects need to be used in all situations, and which ones are used in specific situations.

For example, for risk identification, depending on how you need to look at the risk (e.g., in terms of information security, business continuity, quality, or organization) one approach can be better than another (the most common approaches are asset-based, process-based and scenario-based). This is a step you should consider in local terms for execution (i.e., which approach to use) but ensuring the participation of personnel with competence in all perspectives, ensure a holistic view, and avoid reassessment.

On the other hand, for risk analysis and risk evaluation, you need to have a global definition, because without that you will be unable to compare risks from different perspectives. This can be achieved by using the same risk formula and scale in all approaches (e.g., risk equals to impact times likelihood, and scale very low to very high, or 1 to 5), and normalizing the meaning of the scales considering all your perspectives. For example, what an impact value of 1 means to information security, business continuity, quality, and to the organization?

If you have the same formula and the same scale used for all identified risks, regardless of how you identified them, you will be able to compare them (and this will save you the time and effort in overlapping assessments).

As for risk treatment, you should define general treatment options (e.g., risk acceptance, risk mitigation, risk avoidance, and risk transfer), so you can have a holistic view of applied treatments, and define specific sets of potential implementation solutions since what is applicable for information security may not be applicable to quality.

By following this approach, you can ensure all risks can be related, improving risk management effectiveness, decrease the effort and need for reassessments, improving risk management efficiency, and keep the independent goals of each risk assessment/management.

These articles will provide you a further explanation about risk management:
- ISO 31000 and ISO 27001 – How are they related? https://advisera.com/27001academy/blog/2014/03/31/iso-31000-and-iso-27001-how-are-they-related/
- ISO 31010: What to use instead of the asset-based approach for ISO 27001 risk identification https://advisera.com/27001academy/blog/2016/04/04/iso-31010-what-to-use-instead-of-the-asset-based-approach-for-iso-27001-risk-identification/
- How to integrate COSO, COBIT, and ISO 27001 frameworks https://advisera.com/27001academy/blog/2016/10/10/how-to-integrate-coso-cobit-and-iso-27001-frameworks/

This material will also help you regarding risk management:
- The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/