The risks, opportunities and improvement in ISO 27001: 2014
Management of the different risks and opportunities and the use of effective tools for continuous improvement are essential to ensure that ISO 27001 is working properly.
In previous articles I have discussed the role of ISO 27001: 2014 in aspects such as context, scope and policy, responsibilities, communication and resource management, but there are two essential concepts:
Risks and opportunities;
Continuous improvement, and the tools to achieve it.
For this I will take as reference the publication “ISO 27001: 2014. Protecting your most valuable asset: information.”
Management of the different risks and opportunities in ISO 27001
In terms of information security, it is essential to determine the risks, the acceptance criteria, and the treatment and priority measures that will eliminate them or reduce them to the acceptable levels we have previously set.
However, we must not forget that there are not only risks but also opportunities, which the company can take advantage of if it takes them into account correctly.
This is one of the key points of ISO 27001: 2014, its strong point we could say, and to assist you in this work you have the controls indicated in ISO 27002: 2015. If you want to increase information about this standard
In summary, in order to address risks and opportunities adequately, a process must be defined that is marked by the following stages and that, if done correctly, will ensure its effectiveness and its contribution to the correct management of the ISO 27001 standard implemented in the company:
Improvement and two essential tools: internal audit and management review.
Initially, we must make it clear that continuous improvement, beyond being a pillar on which ISO 27001: 2014 rests, is a transversal axis present in each of the chapters, requirements and points of the standard.
For this, the Information Security Management System has to remain in constant evolution, adapting to changes in its environment, to the needs of the business, to new technologies, to threats that occur or appear, and so on, in order to keep risks under control at all times, to take advantage of the opportunities that arise and to be managed in an increasingly efficient way.
It seems a daunting task, but the information security management system itself, as with other standards, provides us with two tools to facilitate the company’s work on continuous improvement: internal audit and management review.
After all, we must not forget that these are two of the most powerful tools for improvement if done correctly. For this it is necessary:
To establish a periodicity of at least once a year;
To plan them;
And, in the case of the management review, to include the specific inputs to be considered.
On the one hand, if carried out properly, by competent personnel and not as a mere formality, the internal audits will provide us with:
The evidence collected and the aspects verified.
The deficiencies detected, to be corrected.
The deviations to be taken into account so that in the future they do not become deficiencies.
And valuable opportunities for improvement.
For its part, the management review report will result in decisions on the need for changes in the information security management system and the identification of the resources necessary to carry them out, among other things.
Brief note on Documented Information: knocking down a myth.
Finally, I do not want to finish these notes without knocking down a myth: it has traditionally been thought that a management system comes attached to a large volume of documentation that will be generated at each step and will therefore burden the company with work. However, this is not so.
The information security management system gives us great flexibility by not demanding a specific format in which this documented information is kept. At the same time, apart from some minimum necessary documents, it allows the company to determine which processes and evidence of compliance need to be kept as documented information, in order to have evidence that they have been carried out as planned and have been effective.
All this ensures that the information security management system according to ISO 27001 becomes a strategic ally of the company, forming part of the basis of its growth and helping to improve it in the management of its information assets.