Risk Management Policy Guide

ISO 27001 Risk Management Policy Guide

A risk management policy sets out how we manage risk and our risk appetite. We use a risk register as a tool to manage and report on risk.

Risk Management

I like a risk based management approach. It is a sensible approach to information security. It is a grown up approach. It allows the business to decide what controls to put in place and to what level.

Risk is all about the uncertainty that surrounds future events and the outcomes. We cannot plan for everything but we can have a policy and approach about how we deal with it.

Stuart Barker - Director at High Table

What is Risk Management?

Risk management is about setting the best course of action to take for those elements of uncertainty.

Those known knowns, unknown unknowns, and known unknowns.

Not everything needs to be prevented, but risk management requires you to acknowledge the risk and to take a positive, recorded decision about it.

You could choose to accept the risk and do nothing, to reduce the risk, or to remove the risk entirely.

Risk management is about identifying risks and then making appropriate business decisions as to what to do about them.

What is the Risk Management Process?

In our approach to that uncertain future we first want to identify risk, to the best of our ability. Then we assess that risk for what it means to us and what it could do to us. Once we understand the risk we act on it.

Doing nothing is an acceptable answer. This is accepting risk. We all accept a certain level of risk every day in our personal lives, and business is no different.

Other risks we control and manage, where we have the resources to do so, proportionate to the risk before us.

The Risk Management Policy

A tool in our business arsenal is to have an ISO 27001 risk management policy.

An ISO 27001 risk management policy will set out what we do for risk management and our level of risk appetite.

It gets everyone on the same page and gives us a standard approach to risk.

It is straightforward to write, and in the FAQ below we share how. To fast track that, this is a trusted risk management policy template that we have been using and refining over the last 20 years as part of our ISO 27001 Templates Toolkit.


Risk Management Policy Template

The risk management policy is a simple, yet effective, policy on the full management and life cycle of risk.

What are the contents of a risk management policy?

This is the layout and content headers you want to include in your policy if you write it yourself.

Document Version Control
Document Contents Page
Purpose
Scope
Risk Management Policy
Principle
What is Risk Management
Risk Appetite
Low Risk Appetite
Moderate Risk Appetite
Risk Identification and Assessment
Risk Register
Risk Reporting
Risk Review
Risk Treatment
Risk Acceptance
Risk Mitigation
Risk Evaluation
Policy Compliance
Compliance Measurement
Exceptions
Non-Compliance
Continual Improvement

ISO 27001 Risk Management Policy

ISO 27001 is a risk-based management system rather than a rule-based one, so the identification and appropriate management of risk is fundamental. Some risks are acceptable to a business, so not every control may be required and not every risk needs to be fully treated. In a rule-based system you either have the control or you don't: you pass or you fail. ISO 27001 takes a more grown up approach, putting the company in control of which controls it applies and to what level, provided it can show the risk assessment behind that decision.

In the risk management policy we state the risk appetite of the business. We cover the identification of risk, how risks are assessed and evaluated, how risks are recorded in the risk register, and the treatment of risks. Risk reporting is also covered. It forms part of the mandatory ISO 27001 documents.

Risk Management Policy FAQ

What is the purpose of the risk management policy?

The purpose of this policy is to set out how the company manages risk to its information security.

What is the scope of the risk management policy?

Risk and risk management as applied to information security and the confidentiality, integrity and availability of company owned, processed, stored and transmitted information.

What is the risk management principle?

Information security management for the company is based on appropriate and adequate risk and risk management.

What is risk management?

Risk can be defined as the threat or possibility that an action or event will adversely or beneficially affect an organisation’s ability to achieve its objectives.
Risk management can be defined as the systematic application of principles and approach, and a process by which the company identifies and assesses the risks attached to its activities and then plans and implements risk responses.

What is a low risk appetite example?

The company has a low risk appetite for the following, which means that such risks will not be accepted and that resources will be allocated to mitigate them in a proportionate and cost-effective manner:
• Unauthorized access, use, or release of personally identifiable information or sensitive data.
• Noncompliance with technology laws, regulations, policies, or procedures.
• Lack of resiliency against cybersecurity threats.

What is a moderate risk appetite example?

The company has a moderate risk appetite for the following, which will most likely have resources allocated to mitigate risk in a proportionate and cost-effective manner:
• Alignment of enterprise information systems, data, and business practices.
• Ability to meet user demands and support a mobile workforce.
• Technology infrastructure and performance (e.g., stability, reliability, capability, capacity, and duplicative systems).
• Business resiliency planning and execution.

How are risks recorded and managed?

In a risk register.

Who are risks reported to?

The risk register is reviewed at the Management Review Team meeting.
Risks are reported to the Management Review Team.
Significant risks, meaning risks identified as requiring the attention of senior management, risks with a score over 20, or risks classified as severe, are reported to the senior management team and form part of the company enterprise risk management reporting.

What is a risk review?

Risks are regularly reviewed and monitored at the Management Review Team meeting to track:
• Risk action progress
• Risk action effectiveness
• Management of residual risk

How do you evaluate risk?

Risk impact is evaluated against its effect on:
• Compliance and the Law
• Reputation
• Customers
• Business Goals and Objectives
• Financial Performance

What is the process for risk mitigation?

Where a risk is to be mitigated
• A plan of action is approved by the relevant departmental manager and/or the Management Review Team and/or Senior Management.
• Responsibility for implementing and managing the plan is allocated.
• Risks are reported and reviewed at the Management Review Team meeting and recorded in the Risk Register.

What is the process and criteria for risk acceptance?

The decision to accept a risk is taken by the relevant departmental manager and/or senior management.
The criteria for accepting a risk are:
• The risk is categorised as low and it is not cost effective to treat the risk.
• A business or commercial opportunity exists that outweighs the threat and impact.
• A risk treatment does not exist.
• The impact of the risk occurring is acceptable to the company

Where can I get a risk management policy?

A risk management policy can be found here: https://hightable.io/product/risk-management-policy-template/

How to write a risk management plan?

You first decide the risk appetite of the business. Then you write a risk management policy. Next you create a risk register. With these tools in place conduct your first risk identification meeting and identify your business risks. Write them down in the risk register. Share them with senior management. Manage the risks through the risk management process.
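The procedure above, together with the reporting threshold ("score over 20 or classified as severe"), the acceptance rules and the low/moderate appetite areas from the earlier FAQ answers, expressed as a small risk register in Python. This is an added example and is not code from the original page or from the High Table template. It assumes 1-5 scales for likelihood and impact with score = likelihood x impact, and the short area labels used as dictionary keys; the page states the threshold but not the scale, and the sample register entries are constructed.

```python
"""Minimal ISO 27001-style information security risk register (added example).

Encodes the policy rules from the page: per-area risk appetite, a treatment
decision (accept / mitigate / remove), the 'score over 20 or severe' escalation
rule, and the requirement that a treatment plan has an approver and an owner.
Assumed (not stated on the page): 1-5 likelihood and impact scales with
score = likelihood x impact, and the area labels used as dict keys.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Appetite(Enum):
    LOW = "low"
    MODERATE = "moderate"


class Treatment(Enum):
    ACCEPT = "accept"
    MITIGATE = "mitigate"
    REMOVE = "remove"


# Appetite areas from the policy text; the keys are assumed labels.
APPETITE = {
    "pii_exposure": Appetite.LOW,         # unauthorised access/use/release of PII or sensitive data
    "legal_noncompliance": Appetite.LOW,  # non-compliance with technology laws, regulations, policies
    "cyber_resilience": Appetite.LOW,     # lack of resiliency against cybersecurity threats
    "systems_alignment": Appetite.MODERATE,
    "user_demand": Appetite.MODERATE,
    "infrastructure": Appetite.MODERATE,
    "business_resilience": Appetite.MODERATE,
}

SCALE_MAX = 5            # assumed 1-5 scales for likelihood and impact
SIGNIFICANT_SCORE = 20   # policy: a score over 20 is reported to senior management


@dataclass
class Risk:
    ref: str
    description: str
    area: str
    likelihood: int
    impact: int
    treatment: Optional[Treatment] = None
    owner: Optional[str] = None         # person allocated to implement the treatment plan
    approved_by: Optional[str] = None   # manager / MRT / senior management who approved the decision
    severe: bool = False                # classification that escalates regardless of score

    def __post_init__(self) -> None:
        if self.area not in APPETITE:
            raise ValueError(f"{self.ref}: unknown appetite area {self.area!r}")
        for name in ("likelihood", "impact"):
            value = getattr(self, name)
            if not 1 <= value <= SCALE_MAX:
                raise ValueError(f"{self.ref}: {name} must be 1..{SCALE_MAX}, got {value}")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def significant(self) -> bool:
        """Needs senior management attention: score over 20 or classified severe."""
        return self.severe or self.score > SIGNIFICANT_SCORE


def policy_violations(risk: Risk) -> list:
    """List the ways a register entry breaks the policy; an empty list means compliant."""
    if risk.treatment is None:
        return [f"{risk.ref}: no treatment decision recorded"]
    problems = []
    if risk.treatment is Treatment.ACCEPT:
        if APPETITE[risk.area] is Appetite.LOW:
            problems.append(f"{risk.ref}: acceptance not permitted, {risk.area!r} is a low-appetite area")
        if risk.approved_by is None:
            problems.append(f"{risk.ref}: acceptance needs a departmental manager or senior management decision")
    else:
        if risk.approved_by is None:
            problems.append(f"{risk.ref}: treatment plan has no approver")
        if risk.owner is None:
            problems.append(f"{risk.ref}: no owner allocated to implement the treatment plan")
    return problems


def senior_management_report(register: list) -> list:
    """Risks escalated beyond the Management Review Team, highest score first."""
    return sorted((r for r in register if r.significant), key=lambda r: r.score, reverse=True)


def management_review(register: list) -> dict:
    """Agenda for the Management Review Team meeting."""
    return {
        "policy_violations": [msg for r in register for msg in policy_violations(r)],
        "escalate_to_senior_management": [r.ref for r in senior_management_report(register)],
        "compliant": [r.ref for r in register if not policy_violations(r)],
    }


# Constructed sample register (not real data).
SAMPLE_REGISTER = [
    Risk("R-001", "Backup export bucket readable without authentication", "pii_exposure", 4, 5,
         Treatment.MITIGATE, owner="Head of Platform", approved_by="MRT"),
    Risk("R-002", "Legacy VPN appliance past vendor end-of-life", "cyber_resilience", 5, 5,
         Treatment.REMOVE, owner="Network Lead", approved_by="CTO"),
    Risk("R-003", "Office Wi-Fi capacity insufficient on peak days", "infrastructure", 3, 2,
         Treatment.ACCEPT, approved_by="IT Manager"),
    Risk("R-004", "Staff share customer data over personal messaging apps", "pii_exposure", 3, 4,
         Treatment.ACCEPT, approved_by="Sales Manager"),   # breaks the low-appetite rule
    Risk("R-005", "Single DR site shares a power feed with the primary", "business_resilience", 2, 5,
         None, severe=True),                               # no decision yet, but severe
]

if __name__ == "__main__":
    for heading, items in management_review(SAMPLE_REGISTER).items():
        print(heading)
        for item in items:
            print("  -", item)
```

One caveat the threshold exposes: on 1-5 scales the only product over 20 is 25, so "score over 20" escalates almost nothing unless the organisation also uses the "severe" classification, as R-005 does here. Whatever scale the policy adopts, check that the reporting threshold actually selects the risks senior management expects to see.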

What is a risk management policy?

A risk management policy is a document that describes what you do in relation to risk management. It includes your risk appetite, which is a measure of how willing you are to take on business risk, and the measures you will take to address risks.

Why is a risk management plan important?

A risk management plan lets everyone in the business know the approach to risks and how they are managed. It sets out a standard approach and allows for the identification, quantification and management of business risk.

What is risk management plan example?

A trusted risk management plan example can be found at this link: https://hightable.io/product/risk-management-policy-template/
