Do you seek ISO 27001 compliance? Thomas has blogged about starting points for an ISO 27001 certification project. This post unpacks the importance of risk management in the pursuit of ISO 27001 certification.
Achieving compliance with ISO 27001 requirements for risk management
A major component of meeting ISO 27001 Information Security Management System (ISMS) requirements is security risk management. Within the standard itself, risk management is not reflected at all in the controls (ISO 27001 Annex A and ISO 27002) — the risk management requirements are built into the management of the ISMS process in the main standard and then linked to the security controls. Risk management is defined in the Planning and Operation sections of the standard, and risk-based documentation and communication are required in the sections on monitoring and reporting. The 27000 family of standards includes ISO 27005, which describes the target state of risk management and provides guidance on how to meet the ISO 27001 requirements for risk management.
When seeking ISO 27001 certification, it is important to remember to read the main standard itself and not just the list of controls — despite the fact that many available tools approach the certification project with the controls as an integral starting point.
When an organization implements risk management processes, IT risk management often covers workstation management and other work-related equipment, such as self-managed servers. ISO 27001 treats applications, business support systems and processes as assets, along with the data within the ISMS scope.
How should risk management be approached?
There is no need to reinvent the wheel in an IT or security organization: use the existing model where possible and supplement it where necessary. In the absence of a formal risk management model, it is useful to design a model that supports the operational risk management of the entire organization, and to involve the people responsible for business risks in the planning. If there are ongoing development activities under an ISO 9001 quality certificate, it is useful to check those requirements against ISO 27001 — thus mashing two potatoes with one fork. ISO 9001 compliant risk management does not fully meet the requirements of information security risk management, so risk management cannot be skipped in the ISO 27001 project on the strength of work already done for ISO 9001. However, the ISO 9001 risk management process supports the security risk management process, and with a minimal update an ISO 27001 compliant model is often easily achieved.
In any case, a successful ISO 27001 certification project links updated and regularly reported risk management practices into the ISMS process as a seamless component. In a successful process, the risks are tied to the defined ISO 27001 scope and to the assets on a business-oriented basis.
Do we need consultants?
When it comes to formulating risk management practices, consultants have loads of expertise and versatile experience in creating the entire process. Using consultants is not mandatory — an organization can work things out by itself. Consultants can be used to review the existing risk management process against ISO 27001, or to create a new risk management process according to ISO 27001, for example for the following reasons:
- An external and neutral view of the entirety
- Experience of “is it worth doing this or that”
- Activities are immediately organized
- There is simply no time
- Ready-made views and templates, fried in good butter, ready for processing
Defining and assessing risks always requires a team of participants who understand the business and the way the company operates. A consultant can serve as a facilitator or a documenter in risk assessments, for example in:
- Design of risk assessment practices as a whole
- Facilitation of risk mapping (workshopping)
- Risk documentation based on workshops
- Mapping risks to ISO 27001 assets and their properties