What is information security risk?

Information security risk is simply a combination of the impact that could result from a threat compromising one of your important information assets and the likelihood of this happening.

Risk Management In ISO 27001

ISO 27001 requires that you implement a management system to help you manage the security of your important information assets. The backbone of this is formed from the need to develop and implement an appropriate and effective information security risk management methodology.

ISO 27001 Risk Management

You should develop and implement a risk management methodology which allows you to identify your important information assets and to determine why they need protecting. It is important to note here that when information security is mentioned, people immediately start thinking about confidentiality aspects, but the availability and integrity aspects also need to be taken into consideration, as these are important components of information security.
Once this has been achieved, your methodology needs to be able to identify the likelihood of something going wrong and what can be done to mitigate this risk. In a nutshell, it enables you to quantify the impact and the likelihood elements of information security risk and then go on to do something about it.

ISO 27001 Risk Management Framework

There are several discrete stages of an ISO 27001 risk management methodology. First of all, it is important to understand the information security context of your organization. Once this has been achieved, you can perform a risk assessment, which includes the need to identify your risks, analyze them, and evaluate them. You then need to determine a suitable treatment for the risks you have assessed and then implement that treatment. It is vitally important that you do not see this as a one-off exercise. Your risk management methodology should be designed to be iterative. This enables you not only to review the status of risks you have previously identified, taking into consideration any potential changes in context, but also to identify new risks.
The high-level stages of a risk management methodology, as described above, should be thought of as a framework that enables risk management to be embedded within key processes throughout your organization, so that any identified risks are comparable.

ISO 27001 Risk Management Context

The first stage of your risk management methodology needs to identify what is important to you or your organization from an information security point of view. ISO 27001 requires you to determine the context of your organization. Part of this means that you need to be able to identify the information security related issues that you face, along with who the internal and external interested parties are and what their needs and expectations are. It is also important to understand what your risk appetite is at this stage, as we will need this information later. Once you have done this, you are able to determine what is important about the different information assets under your control.

ISO 27001 Risk Management: What Is Risk Appetite?
Risk appetite is simply the amount and type of risk you are willing to accept or retain in order to allow business operations to proceed. This is important because too much security can sometimes compromise your operational viability, whereas too little will reduce the confidence of your stakeholders. Some types of organizations are willing to accept more risk than others. For example, a hedge fund manager is likely to take more risk in order to make greater profits over a short space of time, whereas a pension fund manager generally prefers a less risky, steady growth approach.

ISO 27001 Risk Assessment Methodology: Risk Identification

Once you have determined the context, you can go ahead and conduct a risk assessment. The first part of a risk assessment is to identify the risks that you face. This can be broken down into three elements. The first element is to identify your information assets. An information asset is any information that has value to you.
There are several different ways to calculate the value of an asset, but it is important that you not only consider the confidentiality needs of the information, but also the integrity and availability requirements. The second element of risk identification is threat analysis. You need to have a process which enables you to identify all of the threats which are applicable to the assets you have identified. If a particular threat is applicable, then it is also a good idea to think about how probable it is that the threat will materialize. For example, if you use Windows-based computer systems which are connected somehow to the internet, the probability of them being affected by a virus is probably very high if you do nothing to stop it, whereas if you are using an Apple Mac which is never connected to the internet, the probability is very low. The third element of risk identification is the need to determine if there are any vulnerabilities that would allow a threat that you have identified to cause an impact on your asset.
To carry on with the example we have just used, if you have an antivirus system installed and running on your internet-connected Windows computers, you are less vulnerable to this particular threat than if you did not.

ISO 27001 Risk Assessment Methodology: Risk Analysis

One of the useful aspects of the output from an effective risk assessment is the ability to prioritize your risks. This is important, as you may not have sufficient resources to fully mitigate every risk that you identify. This means that it is important to somehow quantify your risks. To do this, we need to know two things. First, how much of an impact would be felt if a compromise occurred? And second, what is the likelihood of that threat occurring? One good idea is to use a set of scales to record values in these areas. For example, using a scale of one to five, we could say how impactful it would be if the confidentiality of an asset were breached. Clearly, breaches of confidentiality would cause a greater impact for some assets, for example HR records, than for others, like the staff canteen menu.
A second one-to-five scale could be used to determine the likelihood of a breach occurring, and we would take into consideration the threat and vulnerability information we spoke about earlier in order to do this.

ISO 27001 Risk Assessment Methodology: Risk Evaluation

Risk evaluation is a relatively simple process, as it requires you to identify whether or not the risk that you have identified is above or below appetite. To do this, the first thing we need to do is calculate the value of the risk, which simply means multiplying the impact and likelihood values together. We have a range of possible values which result from multiplying the two one-to-five scales together. The appetite is stated within the methodology as a particular value on the five-by-five matrix. If a particular risk is above this value, then it is above appetite, which means that it can then be flagged for treatment. Anything below appetite can be accepted and monitored for change.

ISO 27001 Risk Treatment Methodology

Your risk management methodology needs to include a methodology for determining the most appropriate treatment for the risks that you have identified.
There are four possible treatments to choose from. These are accept, reduce, transfer, and avoid. You may come across different terms used for these, such as tolerate, treat, transfer, and terminate. This example is known as the 4Ts; however, they take the same approach.

ISO 27001 Risk Treatment Methodology: Accept or Tolerate

One of the four treatments provides you with the ability to accept risk. We have already seen that this is possible, as it is likely that you will simply accept risks that are below appetite. However, you can also make an informed decision to accept risks in certain circumstances, such as where there is a legal requirement preventing you from taking the desired action or you have insufficient resources to do so. These cases should be few and far between though, and should always be approved by appropriate management and regularly reviewed.

ISO 27001 Risk Treatment Methodology: Reduce or Treat

The second treatment option is to reduce or treat the risk. This is done through the implementation of controls.
ISO 27001 provides you with a list of 114 best-practice controls that can be used to mitigate the risks that you have identified. These can be used in combination in order to increase their effectiveness, and of course you can also add controls of your own that do not appear in ISO 27001.

ISO 27001 Risk Treatment Methodology: Transfer

The third risk treatment option is to transfer the risk. The transfer option involves the use of third parties to help you mitigate your risks. You could do this, for example, by offloading some of the financial impact of something going wrong by taking out an insurance policy. Another way of doing this is to outsource the responsibility for implementing and operating technical controls to a third party, such as an IT managed service provider. It is important to note here that although responsibility for financial impact or the management of operational controls can be transferred to a third party, the accountability associated with the risk cannot. In other words, you will still be held accountable by your stakeholders if something goes wrong.
ISO 27001 Risk Treatment Methodology: Avoid or Terminate

The fourth risk treatment option is to simply avoid the risk. As we have discussed before, there are three component parts to risk: the impact felt by the organization following a breach of confidentiality, integrity, or availability for an information asset; a threat that could cause this impact; and a vulnerability that would allow it to do so. It is possible to avoid risk completely by eliminating one or more of these three elements. However, it is unlikely that we would be able to completely remove all threats or all vulnerabilities, which leaves us with only one viable option, which is to remove the impact. This is done by removing the asset or stopping the processes that are associated with the identified risk. For example, to avoid the risks associated with the taking of credit card payments, remove that process and only deal in cash. There are obvious issues associated with taking this approach, as it is unlikely to be looked upon too favorably by your stakeholders, especially if the process is revenue generating.
This is the reason why this particular risk treatment methodology is rarely used.

ISO 27001 Risk Treatment Methodology: Controls

The most common option chosen to treat risks, other than maybe 'accept' in more mature ISMSs, is to reduce the risk. This is done by implementing controls or improving existing ones to address the risk. There are three main operational types of control: administrative or people-based controls, technical or logical controls, and physical or environmental controls. Within these three operational types there are several different tactical uses of controls, such as those that are designed to prevent a threat from materializing, those that are designed to deter people from carrying out an undesired action, those that detect if a threat has materialized, or those that enable you to recover from a situation after the threat has been dealt with, and there are several others. Operational types and tactical uses of controls are not mutually exclusive and can, and should, be used where possible in combination to provide a greater depth of security.
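The following is an added worked example, not URM's or the video's own code, of the risk analysis, risk evaluation and "reduce" treatment steps described above: impact and likelihood on one-to-five scales, multiplied to a cell on the five-by-five matrix, compared against a stated appetite, and re-evaluated after controls lower the likelihood. The asset names, ratings, control names and the appetite value of 9 are constructed for illustration, and using the worst of the C/I/A impact ratings as the matrix impact is this example's own assumption.

```python
# Worked 5x5 risk scoring, appetite evaluation and 'reduce' treatment.
# Added illustration, not URM's or the video's own code; asset names,
# ratings, control names and the appetite value are constructed.
from dataclasses import dataclass, replace

SCALE = range(1, 6)  # the one-to-five scales the video describes

@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    impact_c: int         # impact if confidentiality is breached, 1..5
    impact_i: int         # impact if integrity is breached, 1..5
    impact_a: int         # impact if availability is breached, 1..5
    likelihood: int       # 1..5, from the threat and vulnerability analysis
    controls: tuple = ()  # names of controls applied so far

def _check(value, name):
    if value not in SCALE:
        raise ValueError(f"{name} must be between 1 and 5, got {value!r}")
    return value

def impact(risk):
    """Assumption: the worst of the C/I/A ratings is the matrix impact, so an
    availability- or integrity-driven risk is not hidden behind a low C rating."""
    return max(_check(risk.impact_c, "impact_c"),
               _check(risk.impact_i, "impact_i"),
               _check(risk.impact_a, "impact_a"))

def risk_score(risk):
    """Impact multiplied by likelihood: one cell of the 5x5 matrix (1..25)."""
    return impact(risk) * _check(risk.likelihood, "likelihood")

def evaluate(risk, appetite):
    """Above the stated appetite: flag for treatment; otherwise accept and monitor."""
    if not 1 <= appetite <= 25:
        raise ValueError("appetite must be a cell value on the 5x5 matrix")
    score = risk_score(risk)
    return score, ("treat" if score > appetite else "accept and monitor")

def reduce(risk, control, likelihood_after):
    """'Reduce'/'treat': a control lowers the likelihood rating. Impact ratings
    stay as they are, since a control does not change the asset's value."""
    if likelihood_after > risk.likelihood:
        raise ValueError("a control cannot increase likelihood")
    return replace(risk, likelihood=_check(likelihood_after, "likelihood"),
                   controls=risk.controls + (control,))

def treatment_plan(risks, appetite):
    """Prioritize: highest-scoring risks first, each with its evaluation decision."""
    ranked = sorted(risks, key=risk_score, reverse=True)
    return [(r.asset, r.threat, *evaluate(r, appetite)) for r in ranked]

# Constructed register: the two assets the video contrasts, plus the
# internet-connected Windows example from its threat analysis.
APPETITE = 9  # assumed: any matrix cell above 9 is above appetite
REGISTER = [
    Risk("HR records", "unauthorised disclosure", 5, 4, 3, likelihood=4),
    Risk("Staff canteen menu", "unauthorised disclosure", 1, 2, 2, likelihood=4),
    Risk("Internet-connected Windows PCs", "virus infection", 3, 4, 5, likelihood=5),
]

def worked_example():
    """Evaluate the register, then treat the PC risk: antivirus lowers likelihood
    to 3 (score 15, still above appetite), patching to 1 (score 5, accepted)."""
    before = treatment_plan(REGISTER, APPETITE)
    pcs = REGISTER[2]
    with_av = reduce(pcs, "antivirus", likelihood_after=3)
    with_patching = reduce(with_av, "patching", likelihood_after=1)
    after = [evaluate(r, APPETITE) for r in (pcs, with_av, with_patching)]
    return before, after

if __name__ == "__main__":
    for asset, threat, score, decision in worked_example()[0]:
        print(f"{asset:32} {threat:24} score={score:2d} -> {decision}")
```

Because the appetite is a single matrix cell, a risk that stays above it after one control (antivirus alone here) is simply flagged again, which is the iterative loop the video describes rather than a one-off exercise.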
ISO 27001 Risk Management: Monitor and Review

It is important to ensure that any actions you take to address the risks you have identified are monitored and reviewed to ensure that they have the desired effect. Part of the monitor and review process should also include a review of context before the risk assessment is re-performed. This will allow you to identify and take into consideration any changes that may have happened, either internally within your organization or externally, such as changes in legislation or changes to the threat environment. Thus, you are able to identify if risks that have previously been identified are getting worse or, hopefully, better, and you will also be able to identify any new risks.

ISO 27001 Risk Assessment Frequency

Risk management, and therefore risk assessment, is an iterative process, and each iteration should take into consideration lessons learned from the previous iteration and any internal or external changes, thus enabling continual improvement. There is no hard and fast rule on the frequency of risk assessment, but URM recommends that the frequency is no less than annual.
This does not necessarily mean that you should set aside a certain amount of time at a certain point in the year to conduct a risk assessment, although of course you can do this if you wish. It just means that each time 12 months has elapsed, you should aim to have completed the next iteration. So you could spread the workload over the 12-month period by performing smaller risk assessments on a subset of areas at more frequent intervals, if this is more manageable.

ISO 27001 Risk Management: Governance

Throughout the risk management process, you need to ensure that you communicate effectively with any interested parties. It may be useful to put together a RACI (responsible, accountable, consulted, informed) matrix to help you with this, as all the way through the process different people will need to be held responsible, some will need to be held accountable, some will need to be consulted in order to identify all of the pertinent information we need to perform an effective risk assessment, and some people, for example the management team, will need to be informed through effective reporting of your risk status.
ISO 27001 Risk Management: Policy and Process

As with all key processes associated with an effective ISMS, it is a good idea to implement a risk management policy. This enables you to set out the risk management and risk assessment criteria, appetite, and roles and responsibilities within a document that everyone is required to implement throughout the business. This should of course be underpinned by the risk management methodology and any required documented processes to enable risk management to be embedded throughout the organization.

So how can URM help?

URM can offer a range of information risk management consultancy and training services, most notably our accredited five-day Practitioner Certificate in Information Risk Management training course. In addition, URM has also developed an information risk management module, Abriska 27001, specially to meet the risk assessment requirements of ISO 27001. For more information, email us or give us a call.