Risk and Opportunity Management:
ISO 9001 and ISO 27001
Risk-based thinking is one of the significant additions to all of the management system standards compared with their earlier versions. Even though in principle all management standards included "Risk Management" as a requirement, how it applied varied based on the overall impact to the organization and its interested parties. For example, a formal risk management report or log isn't a mandatory requirement for a QMS (ISO 9001); however, a formal risk management process and a risk log are requirements in other standards such as ISO 27001, AS9100D and ISO 45001.
With ISO 9001, organizations can get away without formal risk assessments by citing that the organization has established a quality management system whose processes and controls are based on the context of the organization and its associated risks. This is acceptable if the organization's controls are implemented and adequately address all foreseeable risks. In this case it is the responsibility of the auditor to assess the risks that exist in the organization and to verify that appropriate controls have been implemented to prevent or mitigate these risks. If an organization fails to apply a control for an observed risk that impacts the organization's intended QMS outcomes, the auditor could identify a discrepancy.
With ISO 27001, the Information Security Management System standard, organizations are required to do the following:
- Define and apply the process approach for the information security risk assessment
- Ensure the approach selected for risk assessment is consistent (producing repeatable results irrespective of which of the similarly competent team members performs it)
- Define the criteria to perform the risk assessment (when or what will be covered)
- Define the criteria for acceptable risks
- Identify risks and risk owners
- Analyze the risks with respect to their impacts, likelihood, and levels of risk
- Evaluate risks against the risk acceptance criteria for prioritization and identification of risk treatment actions
- Maintain and retain documented information about the risk assessment process (risk log)
Risk Definitions
Risk: Effect of uncertainty on objectives
Risk Assessment: Overall process of risk identification, risk analysis and risk evaluation
Risk Identification: Process of finding, recognizing, and describing risks
Risk Analysis: Process to comprehend the nature of risk and to determine the level of risk
Risk Evaluation: Process of comparing the results of risk analysis with risk criteria to determine whether the risk and/or its magnitude is acceptable or tolerable
Risk Criteria: Terms of reference against which significance of risk is evaluated
Risk Acceptance: Informed decision to take a particular risk
Residual Risk: Risk remaining after risk treatment
Risk Treatment: Process to modify risk
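The ISO 27001 steps listed above (identify risks and owners, analyze likelihood and impact into a level of risk, evaluate against the acceptance criteria, treat, and keep a risk log) and the definitions just given map onto a very small risk register. The following is an added illustration, not part of the original article and not prescribed by ISO 27001: the five-point likelihood and impact scales, the "level = likelihood x impact" formula, the acceptance threshold of 6, and the sample risks are all assumptions chosen for the demonstration. Keeping the scales and the criterion fixed in one place is what makes repeated assessments by different assessors comparable, which is the consistency requirement in the list.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Assumed five-point ordinal scales (an organization defines its own; these are
# not prescribed by ISO 27001).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Assumed risk acceptance criterion: a level (likelihood x impact) of 6 or below
# is acceptable without further treatment.
ACCEPTANCE_THRESHOLD = 6


def level_of_risk(likelihood: str, impact: str) -> int:
    """Risk analysis: derive the level of risk from the two ordinal ratings.
    Unknown labels are rejected so that every assessor uses the same scale."""
    if likelihood not in LIKELIHOOD:
        raise ValueError(f"unknown likelihood rating: {likelihood!r}")
    if impact not in IMPACT:
        raise ValueError(f"unknown impact rating: {impact!r}")
    return LIKELIHOOD[likelihood] * IMPACT[impact]


@dataclass
class Risk:
    """One entry in the risk log (risk identification: what it is and who owns it)."""
    risk_id: str
    description: str
    owner: str
    likelihood: str
    impact: str
    # Applied treatments: (control description, re-assessed likelihood, re-assessed impact)
    treatments: List[Tuple[str, str, str]] = field(default_factory=list)

    def inherent_level(self) -> int:
        """Level of risk before any treatment."""
        return level_of_risk(self.likelihood, self.impact)

    def residual_level(self) -> int:
        """Residual risk: the level remaining after the most recent treatment."""
        if not self.treatments:
            return self.inherent_level()
        _, lk, im = self.treatments[-1]
        return level_of_risk(lk, im)

    def is_acceptable(self) -> bool:
        """Risk evaluation: compare the residual level with the acceptance criterion."""
        return self.residual_level() <= ACCEPTANCE_THRESHOLD

    def treat(self, control: str, new_likelihood: str, new_impact: str) -> None:
        """Risk treatment: record a control and the re-assessed ratings.
        A treatment that does not lower the level of risk is rejected."""
        new_level = level_of_risk(new_likelihood, new_impact)
        if new_level >= self.residual_level():
            raise ValueError(f"{self.risk_id}: treatment does not reduce the level of risk")
        self.treatments.append((control, new_likelihood, new_impact))


def prioritise(register: List[Risk]) -> List[Risk]:
    """Order unacceptable risks first and highest residual level first, so that
    treatment actions are assigned where they matter most."""
    return sorted(register, key=lambda r: (r.is_acceptable(), -r.residual_level(), r.risk_id))


def risk_log(register: List[Risk]) -> List[dict]:
    """Documented information about the assessment: one row per risk."""
    return [
        {
            "id": r.risk_id,
            "owner": r.owner,
            "inherent": r.inherent_level(),
            "residual": r.residual_level(),
            "acceptable": r.is_acceptable(),
            "treatments": [t[0] for t in r.treatments],
        }
        for r in register
    ]


def sample_register() -> List[Risk]:
    """Constructed sample risks for a hypothetical organization (demonstration only)."""
    r1 = Risk("R-001", "Unpatched internet-facing web server", "IT Ops", "likely", "major")
    r2 = Risk("R-002", "Lost unencrypted laptop", "HR", "possible", "moderate")
    r3 = Risk("R-003", "Office printer runs out of toner", "Facilities", "likely", "negligible")
    # Treat the two risks whose inherent level exceeds the acceptance criterion.
    r1.treat("Monthly patching with vulnerability scanning", "unlikely", "major")
    r2.treat("Full-disk encryption enforced by MDM", "possible", "minor")
    return [r1, r2, r3]


if __name__ == "__main__":
    for row in risk_log(prioritise(sample_register())):
        print(row)
```

Running the block prints the risk log in priority order: R-001 still exceeds the threshold after treatment (residual level 8) and stays at the top as an unaccepted risk that needs further treatment or a documented risk acceptance by its owner, while R-002 (6) and R-003 (4) fall within the acceptance criterion.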