Expert Advice Community


Risk Management Alignment Among ISO31000, ISO27001, ISO22301 & ISO9001

Guest user Created:   Feb 04, 2021 Last commented:   Feb 04, 2021

Risk Management Alignment Among ISO31000, ISO27001, ISO22301 & ISO9001

Thanks for your attention to my lengthy query.

Our organization has been practicing the below Risk Management:
1) Enterprise Risk Management -ERM (ISO31000) for the entire organisation
2) ISO22301 BCM Risk Assessment for entire organisation
3) ISO27001 Risk Assessment for the ICT Service Delivery department only)
4) ISO9001 Risk Management for a Call Centre

These Risk Management practices with different aspects have caused confusion in the organization;staff is asking why so many risk assessments? and also caused overhead in handling these practices.

I observe that the below:
1) Lot of overlapping risk assessment as some risks that are taken care at the ERM level are to be reassessed again at the other ISO aspects.

2) Different perspective of each Risk Assessment;e.g. ISO27001 at CIA with focus on critical assets, ISO22301 on Critical Business function or processes from continuity aspect, ISO9001 at the Service Quality aspect whereas ERM at the political, financial, competition, environmental, etc aspects

3) Scope of each Risk Assessment is varied from an enterprise-level to a specific core function level

We recognise this strength but also a weakness and plan to initialize a Risk Management alignment exercise.

Appreciate if you could share good advice in the alignment or normalisation of risk management approach with the below goals:
1. Improve the effectiveness of entire risk management with a holistic view
2) Improve the efficiency of entire risk management
3) Still maintaining the goal of each risk assessment / management

Hope to hear from you soon.

0 0

Assign topic to the user


Step-by-step implementation for smaller companies.


Step-by-step implementation for smaller companies.

Rhand Leal Feb 04, 2021

First is important to note that ISO 9001, ISO 22301, and ISO 27001 do not prescribe any methodology for risk assessment and risk treatment, so you can adopt the methodology that better fits your context. As for ISO 31000, it defines a general framework for risk management that can be applied to organizations of any industry and size, based on this core process: risk identification, risk analysis, risk evaluation, and risk treatment.

Considering that, you should adopt the “global definition, local implementation” approach, i.e., which aspects need to be used in all situations, and which ones are used in specific situations.

For example, for risk identification, depending on how you need to look at the risk (e.g., in terms of information security, business continuity, quality, or organization) one approach can be better than another (the most common approaches are asset-based, process-based and scenario-based). This is a step you should consider in local terms for execution (i.e., which approach to use) but ensuring the participation of personnel with competence in all perspectives, ensure a holistic view, and avoid reassessment.

On the other hand, for risk analysis and risk evaluation, you need to have a global definition, because without that you will be unable to compare risks from different perspectives. This can be achieved by using the same risk formula and scale in all approaches (e.g., risk equals to impact times likelihood, and scale very low to very high, or 1 to 5), and normalizing the meaning of the scales considering all your perspectives. For example, what an impact value of 1 means to information security, business continuity, quality, and to the organization?

If you have the same formula and the same scale used for all identified risks, regardless of how you identified them, you will be able to compare them (and this will save you the time and effort in overlapping assessments).

As for risk treatment, you should define general treatment options (e.g., risk acceptance, risk mitigation, risk avoidance, and risk transfer), so you can have a holistic view of applied treatments, and define specific sets of potential implementation solutions since what is applicable for information security may not be applicable to quality.

By following this approach, you can ensure all risks can be related, improving risk management effectiveness, decrease the effort and need for reassessments, improving risk management efficiency, and keep the independent goals of each risk assessment/management.

These articles will provide you a further explanation about risk management:
- ISO 31000 and ISO 27001 – How are they related?
- ISO 31010: What to use instead of the asset-based approach for ISO 27001 risk identification
- How to integrate COSO, COBIT, and ISO 27001 frameworks

This material will also help you regarding risk management:
- The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand]
- Book ISO 27001 Risk Management in Plain English

0 0

Comment as guest or Sign in

HTML tags are not allowed

Feb 04, 2021

Feb 04, 2021