Risk Management and ISMS
1. What is the best way to do risk management?
2. How do I raise awareness for information security?
3. How to set up an ISMS which is used with excitement? How do I get colleagues all across the organisation to not only understand the necessity, but also the advantages of an ISMS for their daily work?
1. What is the best way to do risk management?
Regardless of the methodology used (ISO 27001 does not prescribe a methodology to be used, only requirements to be fulfilled, so organizations are free to use the approach that better suits their needs), the best way to do risk management is by involving the people who work directly with the processes and information to be protected, because they are the best source of information to help identify and analyze the risks, and also during daily operations they can provide a faster response in case new risks arise or incidents occur.
This article will provide you with a further explanation about risk management:
- ISO 27001/ISO 27005 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
These materials will also help you regarding risk management:
- The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
2. How do I raise awareness for information security?
Common approaches for information security awareness are training sessions, the use of newsletters, the use of video tutorials, and meetings between management and staff, which should be performed on a regular basis.
Regarding content, please note that you will have different publics with different interests:
- top management needs to make decisions over issues that many times are not so clear for them, and they do not need deep knowledge about the technicalities of security issues (they will be more concerned about how it impacts the business). In these cases, your awareness should be focused on the decisions they need to make.
- technical personnel with operational responsibilities for security need deep knowledge of technologies, methodologies, and processes, so your awareness should be focused on the procedures and rules they need to follow.
- overall personnel need a basic understanding of security, to properly identify, report, and react to risky situations. In these cases, your awareness should be focused on examples and how to proceed according to the policies and procedures.
These articles will provide you with a further explanation about awareness:
- What are the benefits of security awareness training for organizations? https://advisera.com/27001academy/blog/2019/03/27/what-are-the-benefits-of-security-awareness-training-for-organizations/
- How to perform training & awareness for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301/
- 8 Security Practices to Use in Your Employee Training and Awareness Program https://advisera.com/27001academy/blog/2015/03/02/8-security-practices-to-use-in-your-employee-training-and-awareness-program/
These materials will also help you regarding awareness:
- Free Security Awareness Training: https://advisera.com/training/awareness-session/security-awareness-training/ - this is a series of 25 videos that cover various topics related to security.
3. How to set up an ISMS which is used with excitement? How do I get colleagues all across the organisation to not only understand the necessity, but also the advantages of an ISMS for their daily work?
The most effective ways to set up an ISMS to get the engagement of people are:
- aligning the ISMS objectives to the objectives people have to achieve in their daily business, so they can perceive that the new standard can benefit them and help them achieve their business results
- taking employees' opinions into account on ISMS-related decisions
- being transparent with employees about what the ISMS is going to do and why
- using the ISMS to help them to resolve conflicts of interest with other areas, searching for mutually beneficial solutions
For further information, see:
- Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/
- 4 crucial techniques for convincing your top management about ISO 27001 implementation https://advisera.com/27001academy/blog/2016/09/12/4-crucial-techniques-for-convincing-your-top-management-about-iso27001-implementation/
Mar 15, 2021