Project Management

How do I handle Risk Assessment in ISO 31001 versus the specific requirements of ISO 27001?

AM Asked by Amanda Lewis · 20-02-2024
0 upvotes 12,140 views 0 comments
The question

I am looking into ISO 31001 for enterprise risk management, but we are already working on ISO 27001. Is the risk assessment methodology in 31001 too broad for the technical risks required in 27001? How do I align the two so I’m not doing double the work when identifying threats to our data assets versus general business risks?

3 answers

0
CY
Answered on 22-02-2024

ISO 31001 provides the high-level framework and "philosophy" of risk, while ISO 27001 (specifically using the 27005 guidance) provides the granular details for information security. The best approach is to use the 31001 scoring system (Likelihood vs. Impact) across the entire company to ensure consistency. Then, your Information Security Management System (ISMS) becomes a "subset" of your enterprise risk register. This allows the Board of Directors to see cyber risks alongside financial and operational risks in the same language, which helps immensely when asking for a budget for security controls. 

0
BR
Answered on 24-02-2024

Are you planning to use a qualitative (High/Medium/Low) or quantitative (Monetary value) approach for your risk scoring? Switching between the two can cause major headaches when trying to roll up reports for management. 

GE 26-02-2024

Brian, we are using a qualitative 5x5 matrix. Is it possible to justify a "High" technical risk in ISO 27001 if the overall business impact in the ISO 31001 framework is only "Medium"? How do we reconcile those differences in importance?

0
LI
Answered on 27-02-2024

You should define your "Risk Appetite" at the organizational level first. That makes the decision-making process for specific security controls much more objective and defensible. 

AM 28-02-2024

Spot on, Lisa. Setting that appetite early prevents over-engineering security controls for risks that the company is actually willing to accept.

Share your thoughts

Your email address will not be published. Required fields are marked (*)

Professional Counselling Session

Still have questions?
Schedule a free counselling session

Our experts are ready to help you with any questions about courses, admissions, or career paths. Get personalized guidance from industry professionals.

Request a Call Back

Search Online

We Accept

We Accept

Follow Us

"PMI®", "PMBOK®", "PMP®", "CAPM®" and "PMI-ACP®" are registered marks of the Project Management Institute, Inc. | "CSM", "CST" are Registered Trade Marks of The Scrum Alliance, USA. | COBIT® is a trademark of ISACA® registered in the United States and other countries.

Book Free Session