Strategic and operational risks

Guest user Created: Jan 12, 2016 Last commented: Jan 12, 2016

AntonioS Jan 12, 2016

Top management ownership of risks - I have adopted an approach which has strategic and operational risks. I believe that strategic risks should be high level and low in number; an example of a strategic risk would be systemic failure of the ISMS, or an information breach due to malware. At a detailed / operational level there are many risks, such as a Windows 2003 server reaching end of support, but I wouldn't expect that to be owned by top management.
What are your thoughts on this, please?

Answer:

I think that your approach (strategic and operational risks) is correct. According to ISO 27000:2014, the risk owner is the "person or entity with accountability and authority to manage a risk".

For more information about this, please read this article, "Risk owners vs. Asset owners in ISO 27001:2013": https://advisera.com/27001academy/knowledgebase/risk-owners-vs-asset-owners-in-iso-270012013/
