Like many of the latest ISO standards, ISO27001 for Information Security Management Systems takes a risk-based approach. That makes sense: it is hard to make something secure if you do not understand the risks.
Clause 6.1 of the standard – Actions to address risks and opportunities – is where this risk-based thinking really kicks into the next gear. Then again, the standard highlights the need to apply risk management processes right on page 1, so it should not come as a shock to you.
Risks and opportunities are two sides of the same coin; you cannot have one without the other. If you fail to think about the opportunities that may come along (and hence fail to plan for them) then they become risks to your organisation and to your ability to effectively realise them. By understanding both you give the organisation a fuller view of the whole picture and can make the right plans and implement the right processes and systems to help when these risks or opportunities eventuate.
The Information Security Management standard reinforces that thinking in clause 6.1.1, where it asks you to ensure that the system can achieve its intended outcomes, can prevent or reduce undesired effects and can achieve continual improvement. It stresses that the organisation shall plan (remember, that's ISO speak for "you must do it") actions to address the risks and opportunities, integrate those actions into your system and then evaluate the effectiveness of them. That sounds tricky, right? Not really: there is another ISO standard out there to help with this, ISO31000 – Risk management guidelines, which is available at your local standards online store. Following it gives you the process that clauses 6.1.2 and 6.1.3 expect as well, although those two clauses add some specifics of their own that ISO31000 does not cover: you must define your risk acceptance criteria, assign a risk owner to each risk, get the owners' approval of the treatment plan and produce a Statement of Applicability for the Annex A controls.
The Risk Management standard gives a great framework that you should follow. The diagram opposite is figure 4 of the ISO31000 standard (the risk management process) and it is everything you need to know in one single image.
Step 2 – conduct the Risk Assessment. This is made up of 3 parts: risk identification (what could happen, to which asset, and how), risk analysis (how likely it is and how bad the consequences would be) and risk evaluation (comparing that level of risk against your acceptance criteria to decide whether it needs treating).
Step 3 – Risk Treatment. This is about selecting the options you have for addressing the risk or opportunity, and it will be an iterative process: you come up with a treatment, figure out how to implement it, assess whether it works and what the new (residual) level of risk is, and of course decide whether that is acceptable. If it is not, you go round again with another treatment. Something that is incredibly useful here is Annex A of ISO27001, because it gives you a list of treatments (controls) that you can draw on. You may have to refine them for your organisation and put them into language that your organisation uses, and the standard still expects you to justify which ones you include or exclude in your Statement of Applicability, but the controls are all there for you already, so don't redo the work!
As the diagram suggests, you need to think about communication and consultation at each step of the process, and it really does help if you include others in the organisation, or anyone who would be an affected party or stakeholder, in your Information Security Management System.
It is important to keep a formal register of all the work you have done in understanding the risks and opportunities. Once you have the register you also want to ensure that it is reviewed on a regular basis because, let's face it, things change. New risks and opportunities pop up, people change, the market changes, and as a result so may your risks and opportunities. Think of this as another PDCA (Plan, Do, Check, Act / Adjust) cycle in your organisation.
The decision on how frequently to review these items is up to the organisation; it could be 6 monthly or 2 yearly. The standard itself does not specify a frequency, but we would typically suggest a yearly review, with an additional review whenever something significant changes (a new system, a new supplier, an incident).
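To make the treatment loop and the review cycle concrete, here is a small risk register in Python. It is an added example, not code from this article or from Mango, and it makes several assumptions the standard leaves to you: the 5x5 likelihood and impact scales, the acceptance threshold of 6, the yearly review interval, and the sample entries, which are constructed. The Annex A control identifiers are illustrative, taken from the 2022 numbering of Annex A (A.8.5 Secure authentication, A.8.15 Logging, A.8.24 Use of cryptography); check them against the edition your ISMS is built on.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

# Scales, acceptance criterion and review interval are assumptions for this example.
# Clause 6.1.2 asks the organisation to define its own risk criteria.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
ACCEPTABLE_SCORE = 6                    # likelihood x impact at or below this is accepted
REVIEW_INTERVAL = timedelta(days=365)   # the yearly review suggested above


@dataclass
class Treatment:
    control: str        # Annex A reference (illustrative identifiers, 2022 numbering)
    description: str
    likelihood: str     # expected likelihood once the control is in place
    impact: str         # expected impact once the control is in place


@dataclass
class Risk:
    rid: str
    asset: str
    description: str
    likelihood: str     # inherent (untreated) likelihood
    impact: str         # inherent (untreated) impact
    owner: str          # clause 6.1.2 requires a named risk owner
    last_reviewed: date
    treatments: list[Treatment] = field(default_factory=list)


def score(likelihood: str, impact: str) -> int:
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def inherent_score(risk: Risk) -> int:
    return score(risk.likelihood, risk.impact)


def residual_score(risk: Risk) -> int:
    """Risk level after the most recently applied treatment (inherent if untreated)."""
    if not risk.treatments:
        return inherent_score(risk)
    last = risk.treatments[-1]
    return score(last.likelihood, last.impact)


def is_acceptable(risk: Risk) -> bool:
    return residual_score(risk) <= ACCEPTABLE_SCORE


def treat(risk: Risk, treatment: Treatment) -> int:
    """One turn of the treatment loop: record a control and return the new residual score.

    Keep calling this until is_acceptable() is true, or until the risk owner
    formally accepts the remaining residual risk.
    """
    risk.treatments.append(treatment)
    return residual_score(risk)


def reviews_due(register: list[Risk], today: date) -> list[str]:
    """Ids of risks whose last review is older than REVIEW_INTERVAL."""
    return [r.rid for r in register if today - r.last_reviewed > REVIEW_INTERVAL]


def build_register() -> list[Risk]:
    """Constructed sample entries, not real data."""
    return [
        Risk("R-001", "customer database", "credential stuffing against the admin portal",
             "likely", "major", "Head of IT", date(2023, 3, 1)),
        Risk("R-002", "laptops", "loss of an unencrypted laptop",
             "possible", "moderate", "Ops manager", date(2024, 1, 15)),
    ]


def run_example(today: date = date(2024, 6, 1)) -> dict:
    register = build_register()
    r1, r2 = register
    # R-001: inherent 4 x 4 = 16. First treatment brings it to 2 x 4 = 8, still above
    # the threshold, so a second control is added to reach 2 x 3 = 6.
    treat(r1, Treatment("A.8.5", "MFA on the admin portal", "unlikely", "major"))
    treat(r1, Treatment("A.8.15", "alerting on failed-login bursts", "unlikely", "moderate"))
    # R-002: inherent 3 x 3 = 9; full-disk encryption lowers impact to 3 x 2 = 6.
    treat(r2, Treatment("A.8.24", "full-disk encryption on all laptops", "possible", "minor"))
    return {
        "inherent": {r.rid: inherent_score(r) for r in register},
        "residual": {r.rid: residual_score(r) for r in register},
        "acceptable": {r.rid: is_acceptable(r) for r in register},
        "reviews_due": reviews_due(register, today),
    }


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

Note that R-001 needed two rounds of treatment before it dropped inside the acceptance criterion, which is the iterative loop described in Step 3, and that the register flags R-001 as overdue for review because its last review is more than a year old. In a real ISMS the register would also record the treatment plan's implementation status and the owner's sign-off, which are what an auditor will ask to see.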
The last thing to remember about addressing risks and opportunities in your ISO27001 ISMS is that you should keep it as simple and accessible as possible. Simple things get used; the more complex the system, and the more hurdles someone must jump to register a new risk or opportunity for the ISMS, the less likely it is to happen. When that starts to occur, your system has broken down. Conduct regular catch-ups with those using the system to make sure they can raise new areas of concern or review what is in the system, and keep the communication going even after it is in place; that keeps information security management front of mind for the whole organisation.
When it comes to creating your risk registers for ISO27001, capturing incidents and ensuring that you follow through on everything you need to in order to meet the standard, having a tool that makes it easy is a must.
Mango QHSE is a cloud based QHSE system that is fully integrated to manage all of your compliance requirements in one, easy to use system.
© Many Caps Consulting Ltd | All Rights Reserved