I am looking into ISO 31001 for enterprise risk management, but we are already working on ISO 27001. Is the risk assessment methodology in 31001 too broad for the technical risks required in 27001? How do I align the two so I’m not doing double the work when identifying threats to our data assets versus general business risks?
3 answers
ISO 31001 provides the high-level framework and "philosophy" of risk, while ISO 27001 (specifically using the 27005 guidance) provides the granular details for information security. The best approach is to use the 31001 scoring system (Likelihood vs. Impact) across the entire company to ensure consistency. Then, your Information Security Management System (ISMS) becomes a "subset" of your enterprise risk register. This allows the Board of Directors to see cyber risks alongside financial and operational risks in the same language, which helps immensely when asking for a budget for security controls.
Are you planning to use a qualitative (High/Medium/Low) or quantitative (Monetary value) approach for your risk scoring? Switching between the two can cause major headaches when trying to roll up reports for management.
You should define your "Risk Appetite" at the organizational level first. That makes the decision-making process for specific security controls much more objective and defensible.
Spot on, Lisa. Setting that appetite early prevents over-engineering security controls for risks that the company is actually willing to accept.
Brian, we are using a qualitative 5x5 matrix. Is it possible to justify a "High" technical risk in ISO 27001 if the overall business impact in the ISO 31001 framework is only "Medium"? How do we reconcile those differences in importance?