
ISO27001 and the Actions to Address Risk & Opportunities

Like many of the latest ISO standards, ISO27001 for Information Security Management Systems takes a risk-based approach. That makes sense, since it is hard to make something secure if you do not understand the risks.

Clause 6.1 of the standard – Actions to address risks and opportunities – is where this risk-based thinking really kicks into the next gear. Then again, the standard highlights the need to apply risk management processes right on page 1, so it really should not come as a shock to you.

Why understand risks & opportunities

Risks and opportunities are two sides of the same coin; you cannot have one without the other. If you fail to think about the opportunities that may come along (and hence fail to plan for them), then they become risks to your organisation and to your ability to realise them effectively. By understanding both, you set the organisation up with a fuller view of the whole picture and can make the right plans and implement the right processes and systems to help when these risks or opportunities eventuate.

The information security management standard reinforces that thinking in clause 6.1.1, where it asks you to ensure that the system can achieve its intended outcomes, that it can prevent or reduce undesired effects, and that it can achieve continual improvement. It stresses that the organisation shall plan (remember, that's ISO speak for "you must do it") actions to address the risks and opportunities, integrate those actions into your system, and then evaluate their effectiveness. That sounds tricky, right? Not really; there is another ISO standard out there to help with this, ISO31000 – Risk management guidelines, which is available from your local standards online store. Following it ticks off the requirements of clauses 6.1.2 and 6.1.3 as well.

How to Assess your ISO27001 Risks & Opportunities

The Risk Management standard gives a great framework that you should follow. The diagram opposite is Figure 4 of the ISO31000 standard, and it puts everything you need to know into one single image.

Step 1 – Define the scope, context and criteria of your risks and opportunities. For example, does it cover your entire organisation, only some of it, or your suppliers and customers as well? Defining your risk criteria is important and will be shaped by how risk averse your organisation is.

Step 2 – Conduct the Risk Assessment, which is made up of 3 parts:

  1. Risk identification – actually describe the risk or opportunity.
  2. Risk Analysis – here you need to understand the implications of the risk or opportunity for your organisation: how likely is it to happen, and if it does happen, how big an impact will it have? Is it time based? Do the sensitivity of the information or market confidence have a bearing on it, and so forth? From these you should be able to score or rank your risks and opportunities.
  3. Risk Evaluation – here you look at the results obtained from the risk analysis and decide whether you actually have to do anything about it; sometimes the answer is to do nothing (but not often!).

Step 3 – Risk Treatment – this is about selecting the options you have for addressing the risk or opportunity, and it will be a bit of an iterative process: you come up with a treatment, figure out how to implement it, assess whether it works and what the new level of risk is, and of course whether that is acceptable. Something that is incredibly useful here is Annex A of ISO27001, because it gives you a list of treatments (controls) that you can use. Of course, you may have to refine them for your organisation and put them into the language your organisation uses, but they are all there for you already, so don't redo the work!

As the diagram suggests, you need to think about communication and consultation at each step of the process, and it really does help if you include others in the organisation, or anyone who would be an affected party or stakeholder of your Information Security Management System.

Keep a formal Register and review it!

It is important to keep a formal register of all the work you have done in understanding the risks and opportunities. Once you have the register, you also want to ensure that it is reviewed on a regular basis because, let's face it, things change. New risks and opportunities pop up, people change, the market changes, and as a result so may your risks and opportunities. Think of this as another PDCA (Plan, Do, Check, Act / Adjust) cycle in your organisation.

The decision on how frequently to review these items is up to the organisation; it could be 6 monthly or 2 yearly. The standard itself does not specify it, but we would typically suggest a yearly review.
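To illustrate the three assessment steps above and the register review just described, here is an added Python sketch of a risk register (example code, not from the post or from ISO31000). It scores each entry by likelihood and impact, evaluates the score against an acceptance threshold standing in for the Step 1 criteria, lists entries still awaiting a treatment, and flags entries whose yearly review is overdue. The 1..5 scales, the threshold of 10, the review interval and the register entries are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Step 1 - risk criteria. The 1..5 scales, the appetite threshold of 10 and the
# yearly review interval are constructed example criteria, not from the post.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
RISK_APPETITE = 10  # a score at or above this must be treated
REVIEW_INTERVAL = timedelta(days=365)

@dataclass
class RiskEntry:
    ref: str             # register reference
    description: str     # Step 2.1 - risk identification
    likelihood: str      # Step 2.2 - analysis inputs as named scale levels
    impact: str
    last_reviewed: date
    treatment: str = ""  # Step 3 - treatment chosen, e.g. an Annex A control

    def score(self) -> int:
        """Step 2.2 - likelihood x impact, used to rank the register."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def evaluate(self) -> str:
        """Step 2.3 - compare the score with the Step 1 criteria."""
        return "treat" if self.score() >= RISK_APPETITE else "accept"

    def review_overdue(self, today: date) -> bool:
        return today - self.last_reviewed > REVIEW_INTERVAL

def rank_register(register):
    """Highest score first, so a review starts with the worst exposures."""
    return sorted(register, key=lambda r: r.score(), reverse=True)

def untreated(register):
    """Entries evaluated as 'treat' that have no treatment recorded yet."""
    return [r.ref for r in register if r.evaluate() == "treat" and not r.treatment]

def overdue_reviews(register, today):
    """Entries whose last review is older than the review interval."""
    return [r.ref for r in register if r.review_overdue(today)]

# Constructed sample entries, not taken from the post.
REGISTER = [
    RiskEntry("R-001", "Laptop holding customer data lost in transit", "possible",
              "major", date(2020, 1, 15), treatment="Full-disk encryption on laptops"),
    RiskEntry("R-002", "Cloud supplier outage halts order processing", "likely", "severe", date(2020, 9, 1)),
    RiskEntry("R-003", "Visitor reads a meeting-room whiteboard", "unlikely", "minor", date(2020, 10, 1)),
]
```

Running `rank_register`, `untreated` and `overdue_reviews` over the register gives the agenda for a periodic review: the highest-scored entries first, the gaps where evaluation says "treat" but nothing has been chosen, and the entries whose review date has lapsed.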

Keep it simple and accessible

The last thing to remember about addressing risks and opportunities in your ISO27001 ISMS is that you should keep it as simple and accessible as possible. Simple things get used; the more complex the system, and the more hurdles someone must jump to register a new risk or opportunity for the ISMS, the less likely it is to happen. When that starts to occur, your system has broken down. Conduct regular catch-ups with those using the system to make sure they can raise new areas of concern or review what is already in it, and keep the communication going even after the system is in place. That keeps information security management front of mind for the whole organisation.

Ready To Start Your ISO27001 Journey?

Make a booking now and find out how we can help you Make Things, Better

Our Virtual Quality Management Support is designed to help your company achieve improved results plus meet the requirements of any ISO Standard, but at a fraction of the cost.

When it comes to creating your risk registers for ISO27001, capturing incidents and ensuring that you follow through on everything you need to do to meet the standard, having a tool that makes it easy is a must.

Mango QHSE is a cloud based QHSE system that is fully integrated to manage all of your compliance requirements in one, easy to use system.


© Many Caps Consulting Ltd | All Rights Reserved

Monday, 26 October 2020