By Catherine Thornley @ ITG
Risk management in information security management and how ISO/IEC 27005 can help you tackle it effectively.
Risk is arguably one of the most commonly used words in business, but what does it actually mean?
There are many English dictionary definitions, many centred around “a situation involving exposure to danger”, and whilst some people talk about upside, or positive, risk, it is generally accepted that in business, risk is all about the chance that something will go wrong, and how badly.
But of course there is uncertainty in everything we do, and therefore risk. Sometimes the uncertainty is about whether something good will happen, but that just means there is also a chance that it won’t, which is bad.
Risk and corporate governance
The big thing about risk in business today is corporate governance. People responsible for running companies are simply not allowed, when something goes wrong, to say “we didn’t think of that” or “it’s never happened before”. Those are two quite common responses, both when something has gone wrong and also when it hasn’t and senior managers are asked to do something about risk management.
For many, when they do finally look at risk, thinking switches immediately from chance to result. The likely impact of a risk dominates thinking where previously it was the probability of a threat materialising that was the dominant factor.
Many organisations assess risk intuitively; that is to say they simply decide whether an activity, or situation, is very risky, not very risky, or somewhere in between.
This intuitive approach can be applied to information security risk, but it can be very difficult to evaluate risk effectively in this area. The challenge is two-fold: understanding what information security actually is, and knowing how to assess and respond to the related risks in a logical way that will stand scrutiny should the worst happen.
Information security managers, and those doing the job as part of a broader role, often need some help in identifying the most effective way to manage this specific set of risks, which is where ISO 27005 can help.
How ISO 27005 can help
Where ISO 27001 presents a broad blueprint for dealing with information security, ISO 27005 takes it much further and delivers the detail of information security risk assessment, in a way that lets the results integrate easily into an ISO 27001 compliant information security management system (ISMS).