Posted on by Mahesh Balan

Managing Risk with ISO 31000

The first International Risk Management Standard ISO 31000:2009, together with ISO Guide 73:2009, was released by the International Organisation for Standardisation (ISO) on 15 November 2009.

 

And since IT Security is an integral part of Risk Management, it is useful for anybody interested in IT Security to know the basics of this new Risk Management ISO Standard.

 

ISO:31000 is a generic risk management standard and each organization will need to customize its risk process to its own needs.  To support the new standard, ISO has also published “ISO Guide 73:2009 Risk Management – Terminology” which complements ISO 31000 by providing a collection of terms and definitions relating to the management of risk. Further, “ISO/IEC 31010:2009 Risk Management – Risk Assessment Techniques” provides guidance on selection and application of systematic techniques for risk assessment.

 

Key Concepts

 

  • ISO 31000:2009 provides principles and generic guidelines on risk management.
  • ISO 31000:2009 can be used by any public, private or community enterprise, association, group or individual. Therefore, ISO 31000:2009 is not specific to any industry or sector.
  • ISO 31000:2009 can be applied throughout the life of an organisation, and to a wide range of activities, including strategies and decisions, operations, processes, functions, projects, products, services and assets.
  • ISO 31000:2009 can be applied to any type of risk, whatever its nature, whether having positive or negative consequences.
  • Although ISO 31000:2009 provides generic guidelines, it is not intended to promote uniformity of risk management across organisations. The design and implementation of risk management plans and frameworks will need to take into account the varying needs of a specific organisation, its particular objectives, context, structure, operations, processes, functions, projects, products, services, or assets and specific practices employed.
  • ISO 31000:2009 is not intended for the purpose of certification.

 

Key Definitions

 

  • Risk – Effect of uncertainty on objectives
  • Risk Management – Coordinated activities to direct and control an organisation with regard to risk
  • Risk Management Framework – Set of components that provide the foundations and organisational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organisation
  • Risk Management Policy – Statement of the overall intentions and direction of an organisation related to risk management
  • Risk Management Plan – Scheme within the risk management framework specifying the approach, the management components and resources to be applied to the management of risk
  • Risk Management Process – Systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context, and identifying, analysing, evaluating, treating, monitoring and reviewing risk.

 

Framework for managing risk

 

ISO 31000 Framework for Managing Risk
ISO 31000 Framework for Managing Risk

 

Process for managing risk

 

ISO 31000 Process for Managing Risk
ISO 31000 Process for Managing Risk

 

Comments are closed.