How to address opportunities in ISO 27001 risk management using ISO 31000

Businesses are full of risks, and organizations should do their best to identify, evaluate, and treat all of them, or at least the most relevant ones. This is called risk management, and it can range from subconscious decisions to fully conscious choices based on complex methodologies and structured data.

Oddly, though, when organizations think about risks, they generally focus only on what could go wrong and take measures to prevent it, or at least to minimize its effects. But a risk can also mean that something good may happen, and by not being ready to take advantage of the situation, you can miss out on the benefits.

This article will present how to consider and handle positive risks, also known as opportunities, in the context of ISO 27001, the leading ISO management standard for information security. By including opportunities in the approach to their Information Security Management System (ISMS), organizations can increase the benefits they obtain from information security.

How ISO 27001 defines and treats risks
For ISO 27001, risk is the “effect of uncertainty on objectives” (the same definition used by ISO 31000), and that “uncertainty” is the reason we cannot completely control all risks (after all, you cannot defend against what you do not know or understand).

Regarding how ISO 27001 treats risks, the standard itself does not prescribe the treatment options, only that they must be selected appropriately, taking into account the results of the risk assessment (clause 6.1.3). For detailed information about risk assessment and treatment, please read ISO 27001 risk assessment & treatment – 6 basic steps.

The supporting standard ISO 27005, which defines a process for information security risk management, suggests four options: risk modification, risk retention, risk avoidance, and risk sharing. Detailed information about these risk treatment options can be found in this article: 4 mitigation options in risk treatment according to ISO 27001, but in short, all the

