Expert Advice Community

Guest

Risk Management and ISMS

  Quote
Guest
Guest user Created:   Mar 15, 2021 Last commented:   Mar 15, 2021

Risk Management and ISMS

1. What is the best way to do risk management?

2. How do I raise awareness for information security?

3. How to setup an ISMS which is used with excitement? How do I get colleagues all across the organisation to not only understand the necessity, but also the advantages of an ISMS for their daily work?

0 0

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal Mar 15, 2021

1. What is the best way to do risk management?

Regardless of the methodology used (ISO 27001 does not prescribe a methodology to be used, only requirements to be fulfilled, so organizations are free to use the approach that better suits their needs), the best way to do risk management is by involving the people which works directly with the processes and information to be protected, because they are the best source of information to help identify and analyze the risks, and also during daily operations they can provide a faster response in case of new risks arise or incidents occur.

This article will provide you a further explanation about risk management:

These materials will also help you regarding risk management:

2. How do I raise awareness for information security?

Common approaches for information security awareness are training sessions, the use of newsletters, the use of video tutorials, and meetings between management and staff, which should be performed on a regular basis.

Regarding content, please note that you will have different publics with different interests:

  • top management needs to make decisions over issues that many times are not so clear for them, and they do not need deep knowledge about technicalities of security issues (they will be more concerned about how it impacts the business). In these cases, your awareness should be focused on the decisions they need to make.
  • technical personnel with operational responsibilities for security needs deep knowledge over technologies, methodologies, and processes, so your awareness should be focused on the procedures and rules they need to follow
  • overall personnel needs a basic understanding of security, to properly identify, report, and react to risky situations. In these cases, your awareness should be focused on examples and how to proceed according to the policies and procedures

These articles will provide you a further explanation about awareness:

These materials will also help you regarding awareness:

3. How to setup an ISMS which is used with excitement? How do I get colleagues all across the organisation to not only understand the necessity, but also the advantages of an ISMS for their daily work?

The most effective ways to set up an ISMS to get the engagement of people are:

  • aligning the ISMS objectives to the objectives people have to achieve in their daily business, so they can perceive the new standard can benefit them, help them achieve their business results
  • taking employees opinion into account on ISMS related decisions
  • being transparent with employees about what the ISMS are going to do and why
  • using the ISMS to help them to resolve conflicts of interest with other areas, searching for mutually beneficial solutions

For further information, see:

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Mar 15, 2021

Mar 15, 2021