Friday, October 31, 2014

Risk Identification Process – Burning Challenges

Risk identification is one of the most important factors that decides the fate of Risk Management in an enterprise or organization. Some of the key challenges involved are:

1. Broad Statement Risk
Some enterprises identify risks that are too broad in nature. Examples include
· Risk to brand reputation
· Compliance risk (including statutory & regulatory requirements)
· Fraud risk (internal/external fraud)
It becomes very difficult to manage these risks even at the strategic level.

2. Causes as Risk
Many enterprises identify risks that are actually causes, and such risks are very difficult to manage. Statements that present causes as risks include
· Lack of (trained staff, funds, information security awareness etc.)
· Ineffective (internal audit, policy implementation etc.)
· Inadequate (training, procedures etc.)
· Poor (project management, asset management etc.)

3. Consequences as Risk
Many organizations make the mistake of identifying effects/consequences as risks, which reduces the effectiveness of the Enterprise Risk Management process. Examples include
· Budget overspend
· Project missing the planned deadline

[Figure: Risk Management Process – Bird's Eye View]

Wednesday, October 29, 2014

Changes to ISO 27001: What's new in the 2013 ISO 27001 update?

ISO 27001:2013 is an information security standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) under their joint ISO/IEC subcommittee. It is a specification for an information security management system (ISMS).
The current standard, ISO 27001:2013, replaced ISO 27001:2005. The significant changes are listed below:

Section 4: Context of the Organization
· More importance has been laid on the internal and external factors that affect the organization’s ability to achieve its security objectives

Section 5: Leadership
· More rigorous expectations of management
· Top management needs to ensure the integration of ISMS requirements into the organization’s processes for its various functions

Section 8: Operations
· Risk assessment simplified and aligned with ISO 31000
· Risks can now be determined based on processes, technology etc. without mapping them to assets, threats and vulnerabilities

General Changes
· More emphasis on measuring and evaluating how well the organisation’s ISMS is performing
· Preventive action is now part of the PLAN phase and integrated with the IS risk assessment
· Controls in Annex A have been modified to reflect changing threat scenarios, duplications have been removed, and the controls are better grouped
· Separate section for cryptography
· More emphasis on outsourcing, hence a new section on supplier relationships

Annex A – New Controls

A.6.1.5 Information security in project management
A.12.6.2 Restrictions on software installation
A.14.2.1 Secure development policy
A.14.2.5 Secure system engineering principles
A.14.2.6 Secure development environment
A.14.2.8 System security testing
A.15.1.1 Information security policy for supplier relationships
A.15.1.3 Information and communication technology supply chain
A.16.1.4 Assessment of and decision on information security events
A.16.1.5 Response to information security incidents
A.17.2.1 Availability of information processing facilities

[Figure: ISO 27001:2013 – Bird's Eye View]

Image Courtesy: www.bsigroup.com