Expert Advice Community

Risk owner problem

Kamil Created:   Jul 22, 2021 Last commented:   Jul 23, 2021

Hello,

With reference to the risk assessment methodology (risk assessment for ISO 22301 purposes): who is the owner of the risk if the company to be analyzed uses IT solutions provided by a related company in the capital group?

Example:
Company X (it is subject to risk analysis in connection with ISO 22301) uses an accounting program. Company Y (an IT company from the capital group) provides the program. Will the asset owner, for example, be the IT Director of company Y, and the Accounting Director of company X the owner of the risk? Who should assess the risk for company X in this case? I think he's an employee of Company X, but I'd like to make sure.

Best regards,

Expert
Rhand Leal Jul 23, 2021

Your assumptions are correct.

The best is for the risk owner to be the role most interested in treating the risk and with enough authority to do something about it; in this case, the Accounting Director of company X. As for the person to perform the risk assessment, you should consider the person with the most knowledge about the accounting program and related processes (in general this person is known as the key user).

This article will provide you with a further explanation about risk owners:

Kamil Jul 23, 2021

Thank you!
