Risk Management is one of the key elements required by the ISO27001 certification. ISO27001 requires organisations to document the risks and mitigation’s faced by the organisation.
It can help you with meeting control requirements and indicates that you have an awareness of the risks faced by the organisation. But its not easy to know where to start if you haven’t looked at risk in a formal way before.
The key thing to remember is that we manage risk every day. Each time we get in a car or cross the road, we are managing the risks associated with that activity. Business risk is the same thing. You look at the risks which stop you achieving your business goals, in this case ISO27001 certification.
ISO27001 suggests using either an asset based or scenario based assessment process. We have found that clients not used to looking at risk find it easier to use the scenario based assessment as it means you visualise an event which stops you achieving the objective. For example, a risk could be “hackers infiltrate company systems and access client information”.
For each risk you identify, you will need to score it, note the mitigation in place, decide whether the risk needs further attention and if so what that action should be, what the revised risk score is.