The ISO 27001 risk management policy sets out how risk is managed within the company.
ISO 27001 is a risk-based management system rather than a rule-based management system, so the identification and appropriate management of risk is fundamental. Some risks are acceptable to a business, so not all controls may be required and not all risks need to be fully treated. In a rule-based system you either have the control or you don't: you pass or you fail. ISO 27001 takes a more grown-up approach, putting the company in control.
In the risk management policy we look at the risk appetite of the business. We cover the identification of risk, how risks are assessed and evaluated, how risks are recorded in the risk register, and how risks are treated. Risk reporting is also covered.
Document Version Control
Document Contents Page
Risk Management Policy
What is Risk Management
Low Risk Appetite
Moderate Risk Appetite
Risk Identification and Assessment