
Monday, 31 March 2014

ISO 27001:2013 Transition Stage 3

Holders of the ISO 27001:2005 Standard will be aware that the "Clock is ticking" and they must upgrade to the new 2013 Standard by September 2015 or risk being de-registered.  However most organisations are being cautious not to rush the transition and perhaps get a system that is too complicated or difficult to maintain.

This is the third part of our series detailing the various steps needed to achieve a successful transition to the revised Standard.

The RISK ASSESSMENT PROCESS identifies the risks to the organisation and prioritises each as a High, Medium or Low risk; once these have been determined, the high and medium risks are transferred into a risk treatment plan, but more of that later.
The first step is to identify which assets are to be included in the risk assessment process; these are normally entered into an asset register.

Some examples of these assets will be:
  • accounts
  • computer back-up systems
  • internal computer operating and package systems
  • desktops, laptops and servers
  • Active Directory
  • data links
  • VPN
  • other remote connections, telephony and voice recording, human resources, buildings, utilities and emergency power systems
  • secure storage of documents and records.

This list is not exhaustive and will need to be tailored to individual organisations.

The next step is to decide on the value of each asset to the organisation; this is not necessarily its monetary value but its value in terms of information security.  You could use any scale, but for ease we tend to use low, medium and high value (1, 2 or 3).

Now score each asset against the three main elements of 27001, C.I.A. (Confidentiality, Integrity and Availability), again using the low, medium or high method.  The scores are entered into a matrix.

Every medium or high risk is transferred to the risk treatment plan mentioned before.  The idea is to mitigate the risk.  Inevitably there will be some medium risks that will have to be accepted; it is most unlikely that any risk at the high level would be acceptable.  The treatment of the medium risks, as decided by the management of the organisation, should fall into one of four categories:

  • Applying appropriate controls to reduce the risk
  • Knowingly and objectively accepting risks, providing they clearly satisfy the organisation policy and criteria for risk acceptance
  • Avoiding risks by not allowing actions that would cause the risk to occur
  • Transferring the associated risks to other parties, e.g. insurers or suppliers
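As an added example (not code from the original post), the asset register and C.I.A. scoring described above, written in Python. The post only says the scores are entered into a matrix, so the combination rule (asset value multiplied by the highest C/I/A score), the Low/Medium/High thresholds and the sample asset values are all assumptions.

```python
# Added example: minimal asset register and C.I.A. scoring matrix using the
# Low/Medium/High (1/2/3) method. Combination rule and thresholds are assumed:
# value x max(C, I, A) -> 1-2 Low, 3-4 Medium, 6-9 High.
from dataclasses import dataclass

LEVEL = {1: "Low", 2: "Medium", 3: "High"}


@dataclass(frozen=True)
class Asset:
    name: str
    value: int            # value to the organisation in information-security terms (1-3)
    confidentiality: int  # C score (1-3)
    integrity: int        # I score (1-3)
    availability: int     # A score (1-3)

    def __post_init__(self):
        # Reject anything outside the 1/2/3 scale so a bad entry cannot be silently scored
        for score in (self.value, self.confidentiality, self.integrity, self.availability):
            if score not in LEVEL:
                raise ValueError(f"{self.name}: scores must be 1, 2 or 3, got {score}")


def risk_level(asset: Asset) -> str:
    """Overall level from asset value and the worst C/I/A score (assumed rule)."""
    product = asset.value * max(asset.confidentiality, asset.integrity, asset.availability)
    if product <= 2:
        return "Low"
    if product <= 4:
        return "Medium"
    return "High"


def risk_matrix(register):
    """One matrix row per asset: name, C, I, A scores and overall level."""
    return [(a.name, a.confidentiality, a.integrity, a.availability, risk_level(a)) for a in register]


def risk_treatment_plan(register):
    """Every Medium or High risk is transferred to the treatment plan."""
    return [(a.name, risk_level(a)) for a in register if risk_level(a) != "Low"]


# Constructed sample register (illustrative scores, not real data)
REGISTER = [
    Asset("Active Directory", 3, 3, 3, 3),
    Asset("VPN", 2, 2, 2, 2),
    Asset("Computer back-up systems", 3, 2, 3, 2),
    Asset("Emergency power systems", 2, 1, 1, 2),
    Asset("Voice recording", 1, 2, 1, 1),
]

if __name__ == "__main__":
    for row in risk_matrix(REGISTER):
        print("%-26s C=%d I=%d A=%d  %s" % row)
    print("Treatment plan:", risk_treatment_plan(REGISTER))
```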

There are other methods that can be used for risk assessment and these are equally valid.  We feel that it is important to have a risk assessment process that is effective but easy to administer and our method meets these criteria.

Stage four of this series will look at the documentation needed for this revised Standard.
