ISO 27001 Risk Management Policy Beginner’s Guide

The purpose of the ISO 27001 risk management policy is to set out what the company does for information security risk management. It is not how the company does it. How the company does it is covered in the ISO 27001 processes and process documents. Here we are setting out the ‘what’ and the organisations overall approach to key risk management concepts.

The scope of the ISO 27001 risk management policy is risk and risk management as applied to information security and the confidentiality, integrity and availability of company owned, processed, stored and transmitted information.

Information security management for the company is based on appropriate and adequate risk and risk management.

Risk can be defined as the threat or possibility that an action or event will adversely or beneficially affect an organisation’s ability to achieve its objectives.
Risk management can be defined as the systematic application of principles and approach, and a process by which the company identifies and assesses the risks attached to its activities and then plans and implements risk responses.

• Unauthorized access, use, or release of personally identifiable information or sensitive data.
• Noncompliance with technology laws, regulations, policies, or procedures.
• Lack of resiliency against cybersecurity threats.
We normally have a low risk appetite when it comes to the law, regulations or things that could cause harm.

A moderate risk appetite means that you will take reasonable steps to remove or a reduce a risk subject to factors such as the costs involved and the needs of the business. Moderate risk is about being proportionate and cost-effective and an example of a moderate risk appetite could be
• Alignment of enterprise information systems, data, and business practices.
• Ability to meet user demands and support a mobile workforce.
• Technology infrastructure and performance (e.g., stability, reliability, capability, capacity, and duplicative systems).
• Business resiliency planning and execution.

ISO 27001 risks are recorded in, and managed via, a risk register.

ISO 27001 risks are reported to the Management Review Team and Senior Leadership.
ISO 27001 risks are recorded, managed and tracked in the risk register.
The risk register is reviewed at the Management Review Team meeting.
Significant risks being risks identified as requiring the attention of senior management or risks with a score over 20 or risks classified as severe are reported to the senior management team and form part of the company enterprise risk management reporting.

An ISO 27001 risk review is an assessment of the current risks and the identification of new risks.
The organisation must complete at least an annual risk review and record the outcome in risk review meeting minutes.
In addition risks are regularly reviewed and monitored at the Management Review Team meeting to ensure:
• Risk action progress
• Risk action effectiveness
• Management of residual risk

You evaluate ISO 27001 risk based on the impact if the risk materialises and the likelihood of that event occurring. You define an ISO 27001 risk impact score and definition and you define an ISO 278001 risk likelihood score and definition. These two scores are multiplied to create a risk score and the risk score creates your risk rating. Depending on the rating certain actions will be required.

Where a risk is to be mitigated
• A plan of action is approved by the relevant departmental manger and/or the Management Review Team and/or Senior Management.
• Responsibility for implementing and managing the plan is allocated.
• Risks are reported and reviewed at the Management Review Team meeting and recorded in the Risk Register.

The decision to accept risks is taken by the relevant departmental manager and or senior management.
The criteria for accepting risk is based on
• The risk is categorised as low and it is not cost effective to treat the risk.
• A business or commercial opportunity exists that outweighs the threat and impact.
• A risk treatment does not exist
• The impact of the risk occurring is acceptable to the company

An ISO 27001 risk management policy can be found here: https://hightable.io/product/risk-management-policy-template/

You first decide the risk appetite of the business. Then you write a risk management policy. Next you create a risk register. With these tools in place conduct your first risk identification meeting and identify your business risks. Write them down in the risk register. Share them with senior management. Manage the risks through the risk management process.

A risk management policy is a document that describes what you do in relation to risk management. It includes your risk appetite which is a measure of how willing you are to to business risk and what measures you will take to address them.

An ISO 27001 risk management plan lets everyone in the business know the approach to risks and how they are managed. It sets out a standard approach and allows for the identification, quantification and management of business risk.

A trusted risk management plan example can be found at this link: https://hightable.io/product/risk-management-policy-template/

The evaluation of ISO 27001 risk impact is considered based on the impact to
• Compliance and the Law
• Reputation
• Customers
• Business Goals and Objectives
• Financial Performance