Jun 25 2013

Risk management – ISO 27005 could be the cure

Category: ISO 27k,Risk AssessmentDISC @ 9:30 am

English: ISMS activities and their relationshi...

English: ISMS activities and their relationship with Risk Management (Photo credit: Wikipedia)


By Catherine Thornley @ ITG

Risk management in information security management and how ISO/IEC 27005 can help you tackle it effectively.

Risk is arguably one of the most commonly used words in business, but what does it actually mean?

There are many English dictionary definitions, many centered around “a situation involving exposure to danger” and whilst some people talk about up-side or positive risk, it is generally accepted that in business, the risk is all about the chance that something will go wrong, and how badly.

But of course there is uncertainty in everything we do; and therefore risk. Sometimes there is uncertainty about whether something good will happen, but that just means that there is also a chance that it won’t; which is bad.

Risk and corporate governance

The big thing about risk in business today is corporate governance. People responsible for running companies are simply not allowed, when something goes wrong, to say “we didn’t think of that”, or “it never happened before”. Those are two quite common responses both when something has gone wrong and also when it hasn’t; when senior managers are asked to do something about risk management.

For many, when they do finally look at risk, thinking switches immediately from chance to result. The likely impact of a risk dominates thinking where previously it was the probability of a threat materialising that was the dominant factor.

Many organisations assess risk intuitively; that is to say they simply decide whether an activity, or situation, is very risky, not very risky, or somewhere in between.

This intuitive approach can be applied to information security risk – but it can be very difficult to evaluate risk effectively in this area. The challenge is two-fold; understanding what information security actually is and knowing how to assess and respond to the related risks in a logical way, that will stand scrutiny should the worst happen.

Information security managers, and those doing the job as part of a broader role, often need some help in identifying the most effective way to manage this specific set of risks, which is where ISO 27005 can help.

How ISO 27005 can help

Where ISO 27001 presents a broad blueprint for dealing with information security, ISO 27005 takes it much further and delivers the detail of information security risk assessment, in a way that the results integrate easily into an ISO 27001 compliant information security management system (ISMS).

ISO 27005 provides a detailed and valuable insight into effective information security risk management. And since ISO 27001 calls for a risk based approach, there cannot be a better basis for it!

 5 reasons why vsRisk v1.6 is the definitive risk assessment tool

2 Responses to “Risk management – ISO 27005 could be the cure”

  1. Final Draft of New ISO 27001 Standards Now Available says:

    […] Risk management – ISO 27005 could be the cure […]

  2. vsRisk – The Cyber Security Risk Assessment Tool says:

    […] Risk management – ISO 27005 could be the cure […]

Leave a Reply

You must be logged in to post a comment. Login now.